...
These procedures establish business processes for accepting and handling payment cards in accordance with the UO Payment Card Acceptance Policy and the Payment Card Industry Data Security Standards (PCI DSS). It is essential that employees engaged in payment card processing adhere to these procedures in order to protect and secure customer card data. The university can incur fines, penalties, and reputational damage in the event of a card data breach. These procedures are reviewed and communicated on an annual basis to ensure they are current, relevant, and understood.
...
STEP-BY-STEP GUIDE
...
GUIDANCE FOR CPFM CREDIT CARD TERMINAL USERS
...
Last Reviewed: March 27, 2022
Procedures
https://ba.uoregon.edu/payment-card-acceptance
Assigned Roles and Responsibilities.
...
- Payment Card Terminal - Detailed steps for evaluating the customer card and signature and for processing a typical transaction using a specific make and model of payment card terminal or cash register. Return, refund, and cancellation policies should be clearly communicated to prevent cardholder disputes/chargebacks. The department's refund policy is that the Assistant Director of Work Management approves each refund before it is issued. Refunds must be processed using the same card number as the original sale, never by cash or check. Refunds should be processed only by a limited number of trained professional staff who are entrusted with the system password.
- eCommerce - The customer enters card data using their own device, in a web payment form fully hosted by Nelnet Business Solutions QuikPAY or another third party that immediately processes it on behalf of the university. University employees never have access to cardholder data. Refunds are requested by sending an email to the university cashier (cashiers@uoregon.edu) providing the transaction ID, amount, cardholder name, and date.
...
- Compare the serial number and model number listed on the terminal to that included on the Terminal Security Review Sheet.
- Review the tamper-evident stickers on the surface of the terminal and make sure they are intact.
- Foreign objects (e.g., skimmers), unexpected attachments or cables plugged into the device, pry marks, broken or stressed seams.
- Hidden cameras in the ceiling or vicinity.
- The inspection result is documented using the Terminal Inspection Log (https://pages.uoregon.edu/baoforms/web/xlsx/Terminal-Inspection-Log.xlsx).
If the terminal appears to have been tampered with or substituted, contact the University Cashier.
...
Data Breach Response. In the event of a data incident where customer card data may have been exposed to unauthorized individuals, or payment card equipment may have been tampered with by an unauthorized individual, the unit security officer or business manager will report the incident on the Information Security Office website, https://infosec.uoregon.edu/report-incident.
Annual Security Awareness Training: In accordance with PCI DSS Requirement 12.6.1, the Unit Security Officer, Cashiers, Business Manager, and Accountant will complete the annual PCI security awareness training available in the My Track learning library.
...