Payment Card Services Policy: Difference between revisions

From Appalachian State University Policy Manual
Line 58: Line 58:
#Compliance Assessment and Reporting
#Compliance Assessment and Reporting


=== Example policy 2 ===
=== Authorized Use of Payment Card Services ===
University units must be authorized to accept payment card receipts by the Office of the Controller.  In order to be authorized, the following requirements must be met:
 
4.2.1 The merchant card services used must be approved by the Office of the Controller.
 
4.2.2 Payment card acceptance methods and solutions used must be approved by the Office of the Controller and the ITS ­ Office of Information Security.
4.2.3 Any third ­party service providers used to collect, transfer, or process payment card information on behalf of the University merchant must be approved by the Office of the Controller and the ITS ­ Office of Information Security.
 
4.2.4 The use of payment card services must conform to all applicable procedures, standards, and regulatory requirements, including, but not limited to, the University Controller’s Payment Card Processing Procedure Manual and the Payment Card Industry Data Security Standard (PCI­DSS).


== Additional References ==
== Additional References ==
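
Review bot: in the added section, items 4.2.2 and 4.2.3 sit on consecutive lines with nothing between them, while 4.2.1 and 4.2.4 are each set off by a separator line, so the two requirements can run together when rendered; give 4.2.3 the same separator as the others. The added text also carries a non-ASCII hyphen character in "ITS ­ Office", "third ­party" and "PCI­DSS"; replacing it with a plain hyphen would keep these terms searchable and consistent with the "PCI DSS" spelling used in the Definitions section.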

Revision as of 18:58, 4 August 2015

Policy 503.8

Introduction

1. Appalachian State University requires that campus units be formally authorized to accept payment cards based on their compliance with this policy and related standards.

Scope

2. This policy is binding and applies to all Appalachian State University employees and service providers who transmit or process payment card transactions.

Definitions

Payment Card

A card that can be used to make a payment for a purchase or in payment of some other obligation.

Customer

An individual or other entity that makes a payment to the University for goods or services.

ITS

Means the University’s Information Technology Services.

Merchant

A campus unit that accepts payment cards as a method of payment.

NCOSC

Means North Carolina Office of State Controller.

Payment Card Services

Services that enable a Merchant to accept a transaction payment by use of a customer's payment card.

Payment Card Industry Data Security Standard (PCI DSS)

A proprietary information security standard developed by the PCI Security Standards Council for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Merchant ID (MID)

An account established for a campus unit to credit sales amounts and debit processing fees.

Service Providers

Companies that provide services to campus merchants or other service providers that control or could impact the security of cardholder data.

Primary Account Number

Payment card number (credit or debit) that identifies the issuer and the particular cardholder account.

Cardholder Data

Full magnetic stripe from a payment card or the Primary Account Number (PAN) plus any of the following:
Cardholder name
Expiration date
Service Code or other Authentication Data

University

Appalachian State University

Policy and Procedure Statements

Payment Card Oversight Committee

4.1.1 A Payment Card Oversight Committee shall be formed under the authority of Business Affairs with ITS support to provide oversight of all University payment card processing.

4.1.2 Representation on this committee will include but not be limited to: Business Affairs, Internal Audits, and the ITS - Office of Information Security. This committee is charged with providing review and advisement concerning:

  1. Payment Card Services and Solutions
  2. Changes To Authorized Payment Card Services and Solutions
  3. Compliance Assessment and Reporting

Authorized Use of Payment Card Services

University units must be authorized to accept payment card receipts by the Office of the Controller. In order to be authorized, the following requirements must be met:

4.2.1 The merchant card services used must be approved by the Office of the Controller.

4.2.2 Payment card acceptance methods and solutions used must be approved by the Office of the Controller and the ITS - Office of Information Security.

4.2.3 Any third-party service providers used to collect, transfer, or process payment card information on behalf of the University merchant must be approved by the Office of the Controller and the ITS - Office of Information Security.

4.2.4 The use of payment card services must conform to all applicable procedures, standards, and regulatory requirements, including, but not limited to, the University Controller’s Payment Card Processing Procedure Manual and the Payment Card Industry Data Security Standard (PCI-DSS).

Additional References

Authority

Contact Information

Effective Date

Revision Dates