Credit Card Processing
Revised November 20, 2013
Table of Contents
.130 Related Policies
All technology implementation associated with the credit card processing must be in accordance with the Payment Card Industry Data Security Standards (PCI DSS), https://www.pcisecuritystandards.org. The cost of equipment or other related measures for compliance to standards will be the responsibility of the department.
The cost of processing credit cards (discount fees, interchange fees, etc.) will be paid from departmental funds and the expenditure document will be prepared by the Division of Financial Services for all campus departments. The University is centrally invoiced by the credit card processor and the Division of Financial Services distributes the cost to departments based on the departmental portion of the service charges.
No employee of the university is to advance any cash to the cardholder in connection with the card transaction. Credit cards payments shall be used for the sole purpose of processing payment transactions for goods and/or services provided by Kansas State University to the cardholder.
Departments must use the credit card payment processors under contract with Kansas State University. This contract provides for the acceptance of Visa, MasterCard, Discover and American Express. The fees for processing credit cards vary according to the type of card and how it is processed. The equipment needed to handle credit cards must be purchased through Kansas State University’s contract vendor. The Division of Financial Services, (785) 532-1834, will provide assistance to the department in contacting the contract vendor to purchase appropriate equipment and configure software.
The University honors without discrimination valid credit cards properly tendered for use. In accordance with the State of Kansas contract, no entity can set a dollar amount above or below which it can refuse to honor otherwise valid cards. Each sale the university makes involving a credit card must be evidenced by a single sales data record completed with the sale date and the sale amount, and the information as required by the Associations or by the credit card processor.
In the case of when the payment is received by mail, telephone, or pre-authorized transaction, it is the responsibility of the University to have reasonable procedures in place to ensure that each card sale is made to a purchaser who actually is the cardholder or is the authorized user of the card. Each department is responsible for keeping payment transaction records as without them the University, in accordance with the State of Kansas contract, cannot refute a chargeback if the cardholder disputes making a purchase.
Other Third Parties
In limited applications departments may use other third parties to assist with accepting credit cards for the sale of services and products. For example, a third party may host an e-commerce web site for the department or provide support for a special-purpose application like a point-of-sale system. The Division of Financial Services maintains a list of service providers. The department that contracts with the third party must manage the relationship with the third party to ensure that Kansas State University’s data is properly protected. This includes the following:
- Before entering into a contract with a third party to process, store, or transmit credit card information on behalf of Kansas State University, the third party must be approved by the Division of Financial Services and their PCI DSS compliance reviewed by the Office of Information Security and Compliance in IT Services.
- The contract must include the language in section .120 below, “Contract Language for Third Parties.”
- The department must verify the third party’s PCI DSS compliance status annually and submit the compliance documents to the Division of Financial Services. Departments should also keep a copy. Examples of appropriate compliance documentation include a reference to their entry in the PCI Security Standards Council’s list of Validated Payment Applications (https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php), or a copy of the official notification received by the third party from the PCI Security Standards Council stating their payment application was certified and the date the payment application was last validated.
In accordance with PPM Chapter 3415, credit card information is protected and considered under the Information Security Plan. All credit card information is to be treated as Confidential data and is to be handled appropriately. In accordance with PCI DSS, all employees involved in processing credit card transactions and the support of the cardholder data environment (CCNet) must be trained annually on the appropriate procedures.
All new employees, including students, are to undergo a background check before they can process credit card transactions. The Division of Financial Services and the Office of Information Security & Compliance are responsible for conducting training sessions for all personnel who work with credit card transactions. Please contact the Division of Financial Services (785) 532-6211 or the Office of Information Security & Compliance (785) 532-2540, if you have questions regarding these sessions.
All credit card information is to be kept to a minimum. The storage and retention of any credit card information must be limited to what is required for business, legal and/or regulatory purposes, as documented in the data retention policy. No credit card information is to be retained unless protected in accordance with PCI DSS (https://www.pcisecuritystandards.org).
The receipt printed by the credit card terminal or any other printer is to truncate all the digits of the credit card number except for the first six and last four digits of the primary account number (PAN). The expiration date is not to appear on the customer’s copy. If the complete number is listed or the expiration date appears on any of the credit cards receipts, the equipment is to be re-programmed or the equipment is to be replaced with equipment that complies with these requirements.
Access to credit card information must be strictly limited to those who have a business reason to access it. For those individuals, access should be limited to the least privileges needed to perform their job responsibilities, based on their job classification and function. Access rights must be approved either in writing or electronically by an appropriate authority, such as the department’s business manager or the employee’s supervisor, specifying the required privileges. This can be included in one’s initial employment letter or an in email sent to the employee. Provide the following information in the authorization documentation:
- Employee name
- Position title
- Description of their interaction with credit card information (i.e., the access privileges granted)
- Credit card technologies to be used (e.g., card swipe terminal, point of sale register, CASHnet via the web, etc.)
- Name of person authorizing access
- Position title of person authorizing access
- Date of access authorization
User accounts that have access to credit card information must be managed to ensure appropriate security and access controls are enforced. This includes managing authentication, account creation and deletion, and assigning and removing privileges as roles change. Administration of accounts that use K-State's eID is the responsibility of Information Technology Services. Accounts in CASHNet are managed by the Division of Financial Services. Responsibility for managing any other accounts, such as departmental systems and applications, must be assigned by the appropriate authority within that department (e.g., the unit’s business manager or department head).
If a credit card number is provided over the telephone or through the mail, only authorized and trained employees are to have access to this information. As soon as the transaction is entered into the credit card terminal the form containing credit card information should be shredded in a cross-cut shredder. If a “to-be-shredded” container is used to dispose of cardholder data, it must have a lock to prevent unauthorized access. If cardholder data is stored electronically, the data must be securely deleted when it is no longer needed for business or legal reasons.
If the documentation that contains credit card information is required to be retained, the documentation is to be accessible only to employees who are authorized and trained. The documentation is to be secured at all times, marked “Confidential” and stored in a locked area or cabinet with access permitted to only authorized and trained employees. Inventory logs of documentation that contains credit card information must be maintained and an audit of the logs must be completed annually. Management must approve the removal of documentation containing credit card information from a secured area.
If credit card information must be provided on paper to another department, the paper containing credit card information must be enclosed in a sealed envelope, marked confidential, and transported by a personal courier. The document(s) must be checked out by the sending department and checked in by the receiving department to provide a paper trail on how the document(s) was exchanged. These check-out/check-in logs are to be retained by the department with retention periodically verified via audit. Departments are prohibited from using campus mail to send credit card data.
No credit card information is to be requested to be sent through email. Also, credit numbers must never be sent by end-user messaging technologies (for example, instant messaging, chat, etc…). The Office of Information Security & Compliance strictly prohibits the collection of credit card data by email or end-user messaging.
Most credit card terminals provide for a deposit report and a detailed transaction report at the end of each day from the credit card terminal. The terminal should be programmed so these reports provide at most: the last four digits of the credit card number, the number of transactions, and the transaction amounts necessary for recording and depositing the funds received. One copy of the deposit report is to be retained by the department with a signed copy of each credit card transaction receipt.
If payment was received from the customer by use of a credit card, any refund is to be made to the same credit card originally used. Cash or refund checks are not acceptable reimbursement methods for credit card sales as they are not accepted as proof of a refund by the merchant bank should the cardholder also request a chargeback from the merchant.
Access from off campus to any systems on campus in the cardholder data environment (i.e., in CCNet), must be restricted to those with a business need for remote access, such as a system administrator or vendor providing remote support. Other requirements include:
- Two-factor authentication must be used to verify their identity.
- Remote access sessions must disconnect automatically after 15 minutes of inactivity.
- Remote access by a vendor or other business partner must only be enabled when needed and deactivated as soon as their work is completed.
- Copying, moving, or storing cardholder data onto a local drive or removable electronic media (like a USB flash drive) is prohibited during a remote access session unless explicitly authorized for a defined business need.
All credit card processing involves technology in some manner, whether a web server accepting online orders, a card swipe terminal connected to a phone line or the campus data network, or an office workstation used to manually enter phone or mail-in orders. All technologies involved in processing credit cards must be secured according to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and used in accordance with all K-State policies and procedures. In addition, the below requirements must be followed.
- All technologies used in credit card processing must be approved by the Division of Financial Services and installed by a qualified technician.
- All such technologies that use K-State’s data network, including but not limited to servers, kiosks, card swipe payment stations, point-of-sale registers, etc., must connect to and use the secure Credit Card Network (CCNet).
- All such technologies may only be used for purposes related to the business function for which credit card payments are accepted. For example, you cannot do general email and web browsing on an office workstation that is used to enter credit card information into a payment application. That workstation must be used solely for the functions related to the payment application.
- All devices in the secure Credit Card Network (CCNet) must have the latest anti-virus software installed, running, and receiving current anti-virus signatures.
- The Division of Financial Services and the Office of Information Security and Compliance will maintain an inventory of all technologies used to process credit cards. This inventory includes contact information for the device, its purpose, and the department responsible for it. The contact person for each device is responsible for maintaining a list of all personnel approved to use the device. The device must be labeled with an identifier that will allow the physical device to be associated with its inventory record, such as its serial number (i.e., a “logical label” that allows one to identify its owner, purpose, and contact information).
- Only card swipe terminals and mobile payment solutions approved by or provided by K-State’s acquiring bank, Bank of America may be used. Exceptions must be approved by the Division of Financial services and certified by PCI as approved PIN transaction security devices.
- Payment applications used to process credit cards must be certified to be compliant with PCI’s Payment Application Data Security Standard (PA-DSS). This includes payment applications hosted off campus by third parties as well as those hosted on campus.
- Authentication with a unique username and strong password that meets K-State’s password requirements must be used on all technologies that support authentication.
- Passwords for the following types of accounts must be changed at least every 90 days: Accounts with administrative privileges on the systems involved in the processing, storage, or transmission of credit card information (e.g., system administrators of workstations and servers in CCNet, or application administrators with privileged access to a point-of-sale application.) OR Accounts that can access more than one full credit card number at the same time (cashiers who process a single credit card at a time are NOT subject to this requirement.)
- K-State’s Credit Card Policy contains additional requirements. See section “.050 Credit Card Policy” of PPM 6110 for more information.
The companies of all credit cards which are accepted by the University require all merchants and credit card processors store, transmit or process credit card holder information in compliance with Payment Card Industry requirements. The PCI DSS consist of 12 requirements:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software and programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
Before any department can accept credit cards, these 12 requirements must be in place. Non-compliance to these standards can result in significant fines assessed to the University. Kansas State University may pass some or all fines to the department involved with any security breach.
In order to ensure compliance with PCI DSS, departments that accept credit card payments must complete an annual PCI Self-Assessment Questionnaire. K-State must conduct a formal risk assessment annually to identify threats and vulnerabilities to the secure Credit Card Network (CCNet). This policy must be reviewed annually and updated when the credit processing environment changes. The Office of Information Security and Compliance is responsible for developing daily operational security procedures for the secure Credit Card Network (CCNet).
As each department with physical credit card terminals closes their batches at day end a data file is created with our credit card processor. This data file is sent electronically to Kansas State University’s Division of Financial Services and the funds in that batch are deposited directly into each Department’s default project account. The department is responsible for reconciling their transactions against FIS reports and, when necessary, using CashNet to move funds between projects and revenue codes. Training on this settlement process can be found on the Financial Services Website under Cashiers/Training. http://www.k-state.edu/finsvcs/cashiers/training/index.html
The University may receive a chargeback from a Cardholder or card issuer if: they fail to issue a refund to a cardholder upon the return or non-delivery of goods or services, an authorization code was required and not obtained, the sales data was prepared fraudulently, or the cardholder disputes the card sale.
Employees shall exercise reasonable care to prevent disclosure of credit card information, other than to authorized entities for the purpose of assisting the University in completing a card transaction. The University and its credit card processor will store all media containing card numbers in an area limited to personnel with a need to know and any material containing credit card information will be destroyed in a manner rendering the primary account number unreadable. If at any time account number information has been compromised, notification is to be made immediately. K-State has an incident response plan in place so the university can respond effectively in the event of a breach of cardholder data. The Office of Information Security and Compliance is responsible for testing the incident response plan and providing training to appropriate staff on an annual basis. The incident security management plan can be found at http://www.k-state.edu/its/security/procedures/incidentmgt.html
Any questions regarding the processing of credit cards may to be referred to the Division of Financial Services (785) 532-6210.
The following language must be included in all contracts with third parties that handle credit card information on behalf of Kansas State University.
Whereas, Kansas State University is a merchant that conducts transactions that include credit card payments and <vendor> is a service provider that is provided cardholder data or access to cardholder data, both parties must protect cardholder data in accordance to the Payment Card Industry Data Security Standard (PCI DSS).
- “Applications” includes, but is not limited to, all purchased and custom external (web) applications.
- “Cardholder Data” shall mean any personally identifiable data associated with a cardholder, including, by way of example and without limitation, a cardholder’s account number, expiration date, name, or address.
<Vendor> acknowledges that when it is provided cardholder data or access to cardholder data, it shall protect that data in accordance with requirements specified in the PCI DSS. <Vendor> is responsible to provide protection for all cardholder data that it collects, processes, stores, or transmits.
<Vendor> agrees to comply with the following requirements:
- Maintain an information security program to protect cardholder data and validate compliance with the PCI DSS on an annual basis.
- <Vendor> agrees to hold all data and information received from or created on behalf of Kansas State University in strict confidence.
- Contract specifies <vendor’s> permitted uses, if any, of Kansas State University’s data and information.
- Must be listed on the PCI Security Standards Council’s list of Validated Payment Applications (https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php) or provide a copy of the official notification received from the PCI Security Standards Council stating <vendor’s> payment application was certified and the date the payment application was last validated.
- If Kansas State University cardholder data is compromised or suspected to have been compromised while in the possession of <vendor>, provide notice to Kansas State University of actual or potential data breach within forty eight (48) hours.
- If an investigation of the data breach is requested by Kansas State University, <vendor> shall provide access to systems and staff to conduct the investigation and will support both Kansas State University staff and contractors as well as law enforcement to conduct the investigation.
- <Vendor> agrees that, upon Kansas State University's request in the event of a data breach, <vendor> will provide a representative or a PCI approved third party designated by Kansas State University with full cooperation and access to conduct a thorough security review, the review shall include, at a minimum, validation of <vendor's> compliance with the PCI DSS for protecting cardholder data.
- In the event <vendor> fails to adhere to any of data security provisions set forth and as a result, cardholder data is obtained by unauthorized persons, <vendor> agrees to pay, upon written demand by Kansas State University, all documented costs associated with any notification to affected individuals required by law or deemed appropriate by Kansas State University. All notifications must be coordinated with and approved by Kansas State University prior to sending.
- In the event that the contract is terminated for any reason, <vendor> shall return the cardholder data to Kansas State University and provide confirmation that all remnants of cardholder data stored by <vendor> are destroyed in a manner that renders the data unrecoverable.
- PPM 3433 Data Classification and Security Policy (http://www.k-state.edu/policies/ppm/3400/3433.html)
- PPM 3430 Security for Information, Computing and Network Resources (http://www.k-state.edu/policies/ppm/3400/3430.html)
- PPM 3415 Information Security Plan (http://www.k-state.edu/policies/ppm/3400/3415.html)