Credit Card Processing
Revised August 5, 2010
This chapter provides guidance concerning the acceptance of credit cards in payment for fees, products and services at Kansas State University. In accordance with Kansas Statutes Annotated 75-30,100(a), any state agency which imposes or collects fees, tuition or other charges shall accept payment thereof in the form of a personal, certified or cashier's check or money order. Kansas State University, a state agency, may accept payment by credit card or other method designated by the agency. Kansas State University has adopted the following policies and procedures to assist departments which accept credit card payments.
The Division of Financial Services will facilitate the acquisition of credit card equipment and assess credit card processing fees to the departments. The department will be responsible for installing any telephone line for the credit card reader, if needed. At the time the credit card equipment is installed, the latest version of the contract vendor's Merchant Operating Guide will be provided to the department, explaining how to use the specific equipment. The acceptance of credit cards does not remove the need for an official receipt (or other approved method of issuing a receipt) or for the depositing of receipts. The department is to submit a CASHNET batch for the credit card transactions, together with the summary credit card totals, to Cashiers and Student Accounts daily, unless a process is used which does this automatically. See PPM chapter 6110 for instructions on issuance of official receipts and the depositing of daily receipts.
All technology implementation associated with credit card processing must be in accordance with the Payment Card Industry Data Security Standard (PCI DSS); see https://www.pcisecuritystandards.org for more information. The cost of equipment or other related measures for compliance with the standard will be the responsibility of the department.
The cost of processing credit cards (Discount Fee) will be paid from departmental funds and the expenditure document will be prepared by the Division of Financial Services for all campus departments. The University is centrally invoiced by the credit card processor and the Division of Financial Services distributes the cost to the department based on the usage of the service.
No employee of the University is to advance any cash to the Cardholder in connection with the card transaction. There should not be any element of credit for any purpose other than payment for a current transaction.
Bank of America has the State contract as the credit card payment processor for all state agencies. No other credit card payment processor can be used for processing credit card payments. This contract provides for the acceptance of Visa, MasterCard, Discover and American Express. The fees for processing credit cards vary according to the type of card and how it is processed. The equipment needed to handle credit cards may be provided by any approved vendor for a fee. The Division of Financial Services will provide assistance to the department in contacting the contract vendor and getting the appropriate equipment and software set up.
The University honors without discrimination valid credit cards properly tendered for use. Each sale the University makes involving a credit card must be evidenced by a single sales data record completed with the sale date, the sale amount, and the information required by the Associations or by the credit card processor. The University, in accordance with the State of Kansas Contract, cannot set a dollar amount above or below which it will refuse to honor otherwise valid cards. Whether payment is received by mail, telephone or pre-authorized transaction, it is the responsibility of the University to have reasonable procedures in place to ensure that each card sale is made to a purchaser who actually is the Cardholder or is the authorized user of the Card. The University, in accordance with the State of Kansas Contract, cannot rebut a Chargeback where the cardholder disputes making a purchase unless there is an electronic record of the Card.
For all credit card transactions, authorization/approval codes must be obtained at the point of sale.
In accordance with PPM Chapter 3415, credit card information is protected and covered under the Information Security Plan. Reference checks are to be performed for employees working in areas that regularly handle covered data and information (credit cards). All credit card information is to be treated as Highly Sensitive data and is to be handled appropriately. Each employee is to be properly trained on the importance of confidentiality of these records and information. Each employee is also to be trained in the proper use of computer information and passwords, if needed for handling credit card transactions.
Any employee involved with handling credit card information is to sign an Employee Certification on Handling Confidential Information form at the time of employment and as of January 1 each year thereafter. The Division of Financial Services is responsible for conducting training sessions for all personnel who work with credit card payments. Please contact the Division of Financial Services, (785)532-6210, if you have questions regarding these training sessions.
All credit card information is to be kept to a minimum. The storage and retention of any credit card information is to be limited to what is required for business, legal and/or regulatory purposes, as documented in the data retention policy. No credit card information is to be retained unless protected in accordance with PCI DSS (https://www.pcisecuritystandards.org).
The receipt printed by the credit card reader/terminal or any other printer is to truncate all digits of the credit card number except the last four, and the expiration date is not to appear on the customer's copy. If the complete number is listed or the expiration date appears on any credit card receipt, the equipment is to be re-programmed or replaced with equipment that complies with these requirements.
If a credit card number is provided over the telephone or through the mail, only employees authorized and trained in handling confidential material are to have access to this information, and as soon as the transaction is entered into the credit card reader the document bearing the credit card number is to be shredded. If documentation bearing the credit card number is required to be retained, it is to be accessible only to employees who are authorized and trained in handling confidential and sensitive information. The documentation is to be secured at all times and stored in a locked and secured area or cabinet, with access permitted only to authorized and trained employees.
The three digit security code (CVV2, CVC2) is to be requested on telephone orders to confirm valid card information. The use of credit card terminals which request additional information, such as zip code and security code, will also save on processing fees.
No credit card information is to be requested or sent by email. Email is not secure in any format and is not to be used for this purpose.
Most credit card terminals provide for a deposit report and a detailed transaction report at the end of each day from the credit card equipment. The deposit report only provides the number of transactions and the amount necessary for recording and depositing the funds received. The white copy of the deposit report is to be forwarded to the Cashiers and Student Accounts, and the yellow copy is to be retained with the departmental receipt information and the signed copy of each credit card transaction receipt.
If payment was received from the customer by credit card, any refund is to be made only to the customer's credit card. This ensures the customer cannot also dispute the original transaction and obtain a refund through the credit card company, leaving the department with a chargeback in addition to the refund. Refund checks are not an acceptable reimbursement method for credit card sales and will not be accepted as proof of a refund.
The detailed report usually provides the complete credit card number and the amount. If it is necessary for balancing purposes to obtain this detailed transaction report, which lists each transaction at the end of each day, it is to be shredded when the balancing is completed, or the equipment is to be programmed to print only the last four digits of the credit card number. If the complete number is listed, the list is to be made available only to employees authorized and trained in the handling of confidential and sensitive information and properly secured until destroyed. The Point of Sale Information Report for the day from Bank of America's My Merchant View website may be used in reconciling transactions, if needed for balancing the deposit. This report provides detailed transactions for each department. My Merchant View, and any printouts made from it, are to be handled the same as indicated above for the detailed report.
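The receipt and detailed-report requirements above (last four digits only, no expiration date on the customer's copy) can be verified against actual terminal output before a department goes live. The following is an added example, not part of this policy chapter or any vendor's software: it scans constructed sample receipt text for a Luhn-valid full card number and for a labelled expiration date, reporting only the last four digits of anything it finds.

```python
import re

# Constructed sample receipts, not real terminal output; 4111 1111 1111 1111 is the
# well-known Visa test number, used only as a Luhn-valid sample.
NONCOMPLIANT_RECEIPT = """K-STATE DEPT SALE  08/05/2010
VISA  4111 1111 1111 1111
EXP 12/12
AMOUNT $45.00
AUTH 123456
"""
COMPLIANT_RECEIPT = """K-STATE DEPT SALE  08/05/2010
VISA  ************1111
AMOUNT $45.00
AUTH 123456
"""

# 13-19 digits, optionally separated by single spaces or hyphens and not part of a
# longer digit run, so auth codes, amounts and the sale date are not picked up.
_PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# An expiration date printed with a label (the sale date carries no such label).
_EXP_DATE = re.compile(
    r"\bexp(?:ires|iration|iry)?\.?(?:\s*date)?\s*:?\s*(0[1-9]|1[0-2])\s*/?\s*(\d{2}|\d{4})\b",
    re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_unmasked_pans(text: str) -> list:
    """Luhn-valid full card numbers printed in the text, separators removed."""
    found = []
    for m in _PAN_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def find_expiration_dates(text: str) -> list:
    """Labelled expiration dates (MM/YY or MM/YYYY) printed in the text."""
    return [f"{m.group(1)}/{m.group(2)}" for m in _EXP_DATE.finditer(text)]

def receipt_complies(text: str) -> tuple:
    """Policy check: no full card number and no expiration date on the receipt."""
    findings = [f"full card number printed, ending {p[-4:]}" for p in find_unmasked_pans(text)]
    findings += [f"expiration date printed: {e}" for e in find_expiration_dates(text)]
    return (not findings, findings)
```

A failing result on a terminal's test print is the signal that the equipment needs re-programming or replacement, as the policy requires.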
The companies of all credit cards accepted by the University require that all merchants and credit card processors that store, transmit or process cardholder information do so in compliance with Payment Card Industry requirements. The PCI DSS consists of 12 requirements in pursuit of six goals, as listed below:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Before any department can accept credit cards, these 12 requirements must be in place. Most of these requirements concern safeguarding information in computer environments. However, some of them apply to processing and securing non-computerized applications. Non-compliance with these standards can result in significant fines.
In order to ensure compliance with PCI DSS, departmental fiscal managers must attend a mandatory training session and complete an annual PCI Self-Assessment Questionnaire and submit it to the Division of Financial Services by January 1 of each year. There are two questionnaires: one for credit card handling in any type of computer environment, the other for non-computerized environments, such as a terminal connected to the credit card payment processor by telephone.
Any department handling credit cards through a computer environment is also required to have a quarterly Network Scan completed by the University approved scanning vendor (to be determined at a later date).
The University may receive a chargeback from a Cardholder or card issuer for a failure to issue a refund to a Cardholder upon the return or non-delivery of goods or services, if an authorization code was required and not obtained, if the Sales Data was prepared fraudulently, or if the cardholder disputes the Card sale.
Employees shall exercise reasonable care to prevent disclosure of card information, other than to authorized entities for the purpose of assisting the University in completing a card transaction. The University and its credit card processor will store all media containing card numbers in an area limited to selected personnel and any material containing Cardholder information will be destroyed in a manner rendering the account number unreadable. If at any time account number information has been compromised, notification is to be made immediately to the Assistant Vice President for Division of Financial Services and Director of Internal Audit.
All questions regarding the processing of credit cards are to be referred to the Division of Financial Services, (785)532-6210.