Procedure Guideline for Payment Card Acceptance, Processing and Security

System Procedures
Chapter 7 - General Finance Provisions
Click here for a PDF copy of this guideline.

for Board Policy 7.3

Part 1. Purpose. The system's investment in building and maintaining a safe and secure environment for sensitive data (whether electronic or other form) is a continuous effort. Any given piece of data may be subject to federal, state and contractual requirements having differing standards due to differing concerns and objectives. Sensitive payment card data, primarily cardholder data involved in a transaction between a cardholder and a merchant, are subject to Payment Card Industry Data Security Standards (PCI DSS) through contractual provisions included in the agreement between a college or university as "merchant" and an acquiring bank ultimately processing the payment card transactions.

This guideline outlines the general requirements for colleges and universities related to establishing and maintaining procedures and controls for payment card processing compliant with PCI DSS. Specifics will vary across the colleges and universities as applicable to the payment card environment (for example,, number and types of merchants on campus, payment card transaction types, number of acquiring banks, physical and electronic security measures, etc.) that exists on each campus.

System Guideline Payment Card Industry Technical Requirements describes the technology-related compliance responsibilities of System institutions. This guideline addresses the issues which campus finance and business offices oversee.

Part 2. Definitions. A comprehensive glossary of terms and related definitions may be found at: The definitions below are those most likely to be useful to the reader of this guideline.

Payment Card Industry Data Security Standards (PCI DSS). A set of global data security standards designed to protect payment card account numbers. Any payment card (credit, debit, prepaid, stored value, gift or chip) bearing the logo of one of five payment brands is required to be protected as prescribed by the standards. The brands are: American Express, Discover, JCB, MasterCard and Visa. Specifically, PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. Storage includes any type of recording (paper or electronic.)

Acquiring bank (or "acquirer"). A member of a bankcard association and in turn a vendor that seeks and maintains a contractual relationship for payment card processing with merchants accepting or seeking to accept payment cards such as Visa, MasterCard, Discover Card and other payment cards. For example, the state of Minnesota has a contractual relationship with an acquiring bank and the System uses this contract for processing students' on-line tuition and fee payments.

Cardholder. A non-consumer or consumer customer to whom a payment card is issued or any individual authorized to use the payment card.

Cardholder Data. The card's primary account number (PAN), a service code consisting of a three- or four-digit number in the magnetic strip on the rear of the card, the cardholder's name, and the expiration date of the card.

E-Commerce. Payment card transactions requiring use of a merchant Web site. Actual cardholder data entry generally occurs on a third-party payment card processing Web site, but the cardholder transfer from the merchant site to the processing site is seamless. Contrast with point-of-sale transactions where the cardholder is typically present with the payment card.

Merchant. An individual or organization, whether private or public, which provides goods or services, including non-profit solicitation of donations, where payment options include customer use of a payment card. As used within this guideline, each college or university may have multiple merchants. For example, two auxiliary locations on campus that accept payment cards but through different merchant agreements with different acquiring banks will qualify as two separate merchants for purposes of applying these guidelines.

Point-of-Sale. A common form of payment card transaction where the cardholder and payment card are generally present at a merchant site (the "point-of-sale"); card data is generally processed via keypad or through swipe of the card such that cardholder data is read electronically.

Transactions. Transactions to which PCI standards may be applicable include, for example, over-the-counter transactions, mail-in, fax and phone orders, internet (e-commerce) orders, sales draft requests (acquiring bank request for transaction or "sale" support in response to a potential transaction dispute), chargebacks (transactions disputed by cardholders where the acquiring bank will pull back a prior payment) and refunds.

Part 3. Campus Responsibilities. It is the responsibility of each college and university to establish and maintain written payment card procedures applicable to payment card processes wherever and however payment cards are accepted on each campus. Procedures must be compliant with PCI security standards and consistent with these guidelines.

Subpart A. PCI Standards. PCI DSS define requirements into six broad groupings or principles:

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy (Board Policy 5.23 Security and Privacy of Information Resources and supporting guidelines and procedures represent the primary source of system information security policy.)

Full text documentation may be found at:

The following link is to a specific document titled Navigating PCI DSS Understanding the Intent of the Requirements

System IT Guideline Payment Card Industry Technical Requirements

Subpart B. System standards. In developing its policy/process, each college and university will need to address the following issues.

  1. Define campus management for all payment card acceptance.
  2. Include PCI compliance language in all relevant contracts.
  3. Establish general procedures for on-going operations.
  4. Adopt data security measures.
  5. Meet documentation requirements.
  6. Develop an incident response plan.

Each of these areas is set out in greater detail, below.

Part 4. Define campus management for all payment card acceptance. If the college or university allows the addition of new merchants, it must establish requirements for becoming a merchant that include, at a minimum:

Subpart A. A procedure addressing the review and approval process controlling new merchant payment card acceptance set-up. The procedure must include:

  1. the formal merchant set-up requirements including an application and approval process;
  2. the name and title of the campus-designated merchant approval officer with delegated authority to make an approval or disapproval decision;
  3. a schedule of estimated start-up and on-going maintenance and processing costs;
  4. a description of the minimum data processing and handling control requirements the merchant must be able to meet, including adequate segregation of duties (for example, transaction processing, cash receipt and refunds), daily and other periodic reconciliations, oversight and review, and physical security including data safeguards from transaction initiation through secure storage and disposal or erasure of retained data.

Subpart B. The procedure must define merchant (or department) versus central campus management responsibilities and delineate how costs associated with both the establishment of the new merchant account and the associated compliance obligations are funded.

Subpart C. The procedure must define the merchant's role for self-assessment, compliance documentation requirements, responsibilities for scanning if required, changes in PCI DSS requirements and/or remediation responsibilities in the event issues surface through self-assessment efforts, etc.

Subpart D. Other requirements as may be necessary for a compliant merchant application and processing environment at the college or university such as unique merchant applications, unusual physical or other security considerations, etc.

Part 5. Include PCI compliance language relevant to all contracts. System institutions must include PCI compliance language in all relevant contracts. If the services sought under an RFP or procured under a contract involve the storage, processing or transmittal of payment card account numbers, the RFP and subsequent contract must address PCI responsibilities.

PCI Guidance for drafting contracts

PCI Amendment Template (see item 31)

Part 6. Establish general procedures for on-going operations. College and universities must establish compliant procedures for on-going operations. Procedures may vary by payment card transaction to comply with relevant data needs, documentation and compliance requirements.

Subpart A. Procedures common to all transaction types

  1. Establish and follow merchant procedures covering segregation of duties, reconciliations, physical security and disposal of cardholder data, as applicable.
  2. Establish and follow basic cardholder data security steps regarding data acquisition, cardholder consent, physical and electronic security, limiting employee access, etc.
  3. Adhere to training requirements, both initial and refresher.

Subpart B. Over-the-counter (card present) transactions

  1. Establish cardholder requirements related to signature, transaction copy, ID check, etc.
  2. Effectively safeguard data by printing last four digits of card number only and establishing procedures to secure data at every step: short-term storage and disposal (for example, until after reconciliation is complete), batching and reconciliation, etc.
  3. Plan a secure back-up processing method, in the event processing terminal is not functioning, including additional or different security measures to be taken.

Subpart C. Card not present other than E-commerce (for example, mailed-in, faxed and phoned-in)

  1. Ensure internal payment listing supporting accounting / balancing needs does not contain cardholder data (last four digits of card number may be included).
  2. Ensure adequate physical security (for example, restricted access to fax machine, mail processing, phone conversations, etc.).
  3. Promptly process transactions and ensure secure storage of documents containing necessary cardholder data.
  4. Ensure secure document disposal and destruction in accordance with campus document retention and destruction policy (for example, applicable term plus one month but not to exceed six months subject to differing requirements imposed by law, regulation or contract on a transaction or group of transactions).
  5. Use adequate batch processing procedures.

Subpart D. E-commerce transactions
  1. Limit processing to PCI DSS compliant third-party providers.
  2. Ensure payment card data is not stored on campus servers or networks without approval by the chief information officer.
  3. Comply with System and campus User ID and Password requirements.
  4. Use only systems and technologies meeting all required security protocols.
  5. Conduct quarterly vulnerability scans as may be required and implement remediation efforts on a timely basis.

Subpart E. Acquiring bank chargebacks and sales draft transactions

  1. Identify responsible office on campus for control of timely and accurate response to requests for information in support of a questioned or disputed transaction
  2. Responsible office will coordinate timely and complete response.
  3. Maintain duplicate support material, including clear documentation of submission data.
  4. Ensure secure storage of support material (if cardholder data is included), followed by secure destruction upon resolution of sales draft / chargeback transaction.
Part 7. Adopt Data Security measures. Each college and university must adapt physical and IT security measures sufficient to satisfy payment card processing requirement contained within PCI DSS. Board Policy 5.23 Security and Privacy of Information Resources and supporting guidelines and procedures represent the primary source of system information security policy. Each college and university will need to implement local policies and procedures as necessary to address additional security needs that are unique to the campus environment.

Part 8. Meet Documentation Requirements. PCI DSS imposes a self assessment compliance approach using one of several self assessment questionnaires (SAQ). The specific questionnaire is determined by the processing environment and related level of risk. System institutions are classified as [Level 2, 3 or 4] merchants by acquiring banks. Each college and university must establish a self assessment process using the appropriate SAQ. It is up to each college and university to determine the degree to which each campus merchant is responsible for this self assessment. At a minimum, each campus must document:

a) ongoing self assessment using the appropriate SAQ;
b) annual campus merchant compliance status (tied to year-end financial statement review) including accurate documentation of any compensating controls and, if applicable, a plan to achieve full compliance if current status is noncompliant;
c) campus merchant change request and update reporting (requirement to report any proposed changes in processing and proposed steps necessary to address any changes in compliance requirements - this should be approved by the campus merchant approval officer); and
d) quarterly network scans (report results and remediation steps/timeline if applicable).

Part 9. Develop an Incident Response plan. Each college and university must designate a process for reporting a breach in security to the campus merchant approval officer and the chief financial officer.

Related Documents:

Procedure History:

Date of Implementation: 08/30/10,
Date of Adoption: 08/30/10,

Date & Subject of Revisions:

There is no additional HISTORY for at this time.