Personal tools

Payment Card Services Policy

From Appalachian State University Policy Manual

Revision as of 18:58, 4 August 2015 by Deaskc (Talk | contribs) (Example policy 2)

Jump to: navigation, search

Policy 503.8

1 Introduction

1. Appalachian State University requires that campus units be formally authorized to accept payment cards based on their compliance with this policy and related standards.

2 Scope

2. This policy is binding and applies to all Appalachian State University employees and service providers who transmit or process payment card transactions.

3 Definitions

3.1 Payment Card

A card that can be used to make a payment for a purchase or in payment of some other obligation.

3.2 Customer

An individual or other entity that makes a payment to the University for goods or services.

3.3 ITS

Means the University’s Information Technology Services.

3.4 Merchant

A campus unit that accepts payment cards as a method of payment.


Means North Carolina Office of State Controller.

3.6 Payment Card Services

Services that enable a Merchant to accept a transaction payment by use of a customer's payment card.

3.7 Payment Card Industry Data Security Standard (PCI DSS)

A proprietary information security standard developed by the PCI Security Standards Council for organizations that handle cardholder information for the major debit, credit, prepaid, e­purse, ATM, and POS cards.

3.8 Merchant ID (MID)

An account established for a campus unit to credit sales amounts and debit processing fees.

3.9 Service Providers

Companies that provide services to campus merchants or other services providers that control or could impact the security of cardholder data.

3.10 Primary Account Number

Payment card number (credit or debit) that identifies the issuer and the particular cardholder account.

3.11 Cardholder Data

Full magnetic stripe from a payment card or the Primary Account Number(PAN) plus any of the following:
Cardholder name
Expiration date
Service Code or other Authentication Data

3.12 University

Appalachian State University

4 Policy and Procedure Statements

4.1 Payment Card Oversight Committee

4.1.1 A Payment Card Oversight Committee shall be formed under the authority of Business Affairs with ITS support to provide oversight of all University payment card processing.

4.1.2 Representation on this committee will include but not be limited to: Business Affairs, Internal Audits, and the ITS ­ Office of Information Security. This committee is charged with providing review and advisement concerning:

  1. Payment Card Services and Solutions
  2. Changes To Authorized Payment Card Services and Solutions
  3. Compliance Assessment and Reporting

4.2 Authorized Use of Payment Card Services

University units must be authorized to accept payment card receipts by the Office of the Controller. In order to be authorized, the following requirements must be met:

4.2.1 The merchant card services used must be approved by the Office of the Controller.

4.2.2 Payment card acceptance methods and solutions used must be approved by the Office of the Controller and the ITS ­ Office of Information Security.

4.2.3 Any third ­party service providers used to collect, transfer, or process payment card information on behalf of the University merchant must be approved by the Office of the Controller and the ITS ­ Office of Information Security.

4.2.4 The use of payment card services must conform to all applicable procedures, standards, and regulatory requirements, including, but not limited to, the University Controller’s Payment Card Processing Procedure Manual and the Payment Card Industry Data Security Standard (PCI­DSS).

5 Additional References

6 Authority

7 Contact Information

8 Effective Date

9 Revision Dates