Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

OVERVIEW


These procedures establish business

processes for

processes for accepting and handling payment

cards in

cards in accordance with

the 

the UO Payment Card Acceptance Policy and the Payment

Card Industry

Card Industry Data Security Standards (PCI DSS).  It is essential that employees engaged in payment card processing adhere to these procedures in order to protect and secure customer card data.  The university can incur fines, penalties, and reputational damage in the event of a card data breach.  These procedures are reviewed and communicated on an annual basis to ensure they are current and relevant and understood.


GUIDANCE FOR CPFM CREDIT CARD TERMINAL USERS

Department Name:  Campus Planning and Facilities Management 

Business Process Owner/Title: Assistant Director of Work Management

Last Reviewed: 

March 27

November 8,

2022

2023

Procedures: 

https://ba.uoregon.edu/payment-card-acceptance

Assigned Roles and Responsibilities

Unit Security Officer is responsible Officer is the Assistant Director of CPFM Work Management and responsible for understanding and enforcing PCI rules, and (in the event of a data breach), for following the university incident response procedure. Must participate in PCI security awareness training annually. Assistant Director of CPFM Work Management

Cashier(s)  are are  Work Control Center Employees and Sustainability Staff working with Surplus Store Sales and are responsible for processing card transactions, securing and confidentially recycling paper records containing cardholder data. They are trained to use payment card equipment.  Cashiers must be familiar with these procedures and participate in PCI security awareness training annually. Work Control Center Employees and Sustainability Staff working with Surplus Store SalesBusiness Manager is responsible

Business Manager is the Assistant Director of CPFM Work Management and responsible for understanding PCI requirements and completing the unit’s annual Self Assessment Questionnaire(s) (SAQs) with assistance from Business Affairs. Also responsible for maintaining a card processing equipment inventory and ensuring that any service providers engaged to assist in card processing are first evaluated by Business Affairs for PCI compliance.  Also must participate in PCI security awareness training annually.   

Finance and Administration Shared Services Accountant is Accountant is responsible for recording deposit of revenue in Banner. Responsible for reconciling all revenue recorded in Banner FIS with revenue reported in payment card transaction system. Finance and Administration Shared Services

Segregation of Duties Departments Duties Departments will segregate the following functions; card processing, processing of refunds, and the reconciliation of payment card transaction reports to the Banner deposit.

Card Acceptance Methods for CPFM Work Control

Phone :

Cisco VOIP Desk Phones will be used to collect customer card data.  If working remotely a university maintained cell phone can be used.  Never collect customer card data using PC software phone systems such as MS Teams Call or Amazon Connect Call Center.  Ideally, the Cashier will process the card while on the phone with customer and no paper record containing the full card details is created.  If a paper record is created, it must be physically secured then confidentially recycled immediately after processing using the UO secure Garten recycling bins.

Fax - Cashier retrieves document from fax machine as soon as it is received, and immediately processes the card transaction using payment card terminal. Immediately after processing, the card number is removed from the document (cut out or remove entire page) and confidentially recycled before filing.

US Mail - When a letter is opened that contains cardholder data it is hand delivered to the Cashier who will immediately processes the card transaction using payment card terminal. Immediately after processing, the card number is removed from the document (cut out or remove entire page) and confidentially recycled before filing.

eCommerce - customer enters card data using their own device, in a web payment form fully hosted by a third party who immediately processes it on behalf of the university. University employees will never process payments online on behalf of a customer.

eMail, - If a customer sends their card number by email the message is deleted without processing, and customer card data is then collected using a secure method such as telephone.

Payment Card Terminals:

Purchase/replacement of payment card terminals is coordinated through the University Cashier.  Terminals are kept in a physically secure location when not in use and monitored when in the public domain.  Only authorized staff with a business reason are granted access to terminals and only after they are properly trained to use them.  Terminals are batch settled at the end of each work day.  The settlement report is included with the deposit provided to the University CashierTerminals will automatically upload system updates.  If the terminal malfunctions, contact Elavon Merchant Services using the phone number on the side of the terminal. You will need to provide the merchant account number and UO tax ID number.

Payment and Refund Step-by-Step.

expand

Payment Card Terminal - Detailed steps for evaluating the customer card and signature, processing a typical transaction using a specific make and model of payment card terminal or cash register.

  

  Return, refund, and cancellation policies should be clearly communicated to prevent cardholder disputes/chargebacks.  The departments refund policy is, that

the 

the Assistant Director of Work Management approves before a refund is issued.  Refunds must be processed using the same card number as the original sale.  Never by cash or check. Refunds should be only processed by a limited number of trained professional staff who are entrusted with the system password

  • eCommerce - customer enters card data using their own device, in a web payment form fully hosted by Nelnet Business Solutions QuikPAY or another third party who immediately processes it on behalf of the university. University employees never have access to cardholder data. Refunds are requested by sending an email to the university cashier cashiers@uoregon.edu providing the transaction ID, amount, cardholder name and date.

  • Disputes and Chargebacks: Business Affairs Cashier will receive and report chargebacks and transaction disputes to the department.  Departments can either accept or reject the chargeback.  If rejected, the department will provide supporting documentation to justify that the transaction is valid.  Failure to respond within the allocated timeframe will result in a loss to the department. Prompt attention to these matters is a priority. It is the department’s responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.

    Equipment Inventory: Assistant Director of Work Management will maintain an inventory of terminals,


    Equipment Type

    DBA

    Unit

    Terminal ID  #

    Merchant ID #

    Serial Number

    Location/Physical Security

    Purpose of Use

    Terminal Cellular Ingenico Move 5000

    CPFM UO Surplus Sales

    Office of Sustainability

    1

    on file

    on file

    on file

    Accept and process credit card transactions for sale of surplus furniture to public

    CPFM Work Control

    Work Control Center

    2

    on file

    Accept and process credit card transactions for work orders created for external customers who do not have a UO banner index but needs support from Facilities Services

     

     


    Skimming Prevention Training: Cashiers are trained to be aware of methods in which devices can be tampered with or replaced.

    Training includes the following:

    • Be aware of suspicious behavior. For example, attempts by unknown persons to distract a Cashier, unplug or overlay or replace payment card devices.

    • Request identification from unknown individuals and contact University Cashier before granting access to a payment card terminal.

    • Daily terminal inspection procedure and log.

    Terminal Inspection:

     At

     At the start of each business day (prior to use), the Cashier or Business Manager will inspect terminal surfaces for the following evidence of tampering or substitution:

    • Compare the serial number and model number listed on the terminal to that included on the Terminal Security Review Sheet.

    • Review the tamper evident stickers on the surface of the terminal and make sure it is intact.

    • Foreign objects (i.e. skimmers), unexpected attachments or cables plugged into the device, pry marks, broken or stressed seams.

    • Hidden cameras in the ceiling or vicinity.

    • The inspection result is documented using the Terminal Inspection Log (https://pages.uoregon.edu/baoforms/web/xlsx/Terminal-Inspection-Log.xlsx).

    If the terminal appears to have been tampered with or substituted, contact the University Cashier.

    Third party compliance

     

    :  The unit business manager will obtain approval from Business Affairs before contracting with any third party service provider for card processing services. Purchasing and Contracting Services will ensure that the contract contains required PCI language. Unit business manager will verify the service provider remains PCI DSS compliant annually by requesting an Attestation of Compliance (AOC).  Unit business manager will obtain a document that identifies which PCI requirements the merchant and service provider are each responsible for.

    Data Breach Response

    .

    :  In the event of a data incident where customer card data may have been exposed to unauthorized individuals, or payment card equipment may have been tampered with by an unauthorized individual, the unit security officer or business manager will report the incident on the Information Security Office website, https://infosec.uoregon.edu/report-incident

    .

    Annual Security Awareness Training: In accordance with PCI DSS Requirement 12.6.1, the Unit Security Officer, Cashiers, Business Manager, and Accountant will complete the annual PCI security awareness training available in the My Track learning library.

    Annual PCI Self Assessment:

     Each

     Each year in May Business Affairs asks campus merchants to attest their compliance status with PCI DSS by completing the appropriate Self Assessment Questionnaire(s) (SAQs). Business Managers use the Campus Guard portal to complete their SAQs.  Any areas of non-compliance must be addressed in a remediation plan.  Campus compliance status is reported to the university’s acquiring bank(s) US Bank/Elavon, and for Athletics, FISERV and Chase Paymentech.

    Related articles

    Filter by label (Content by label)
    showLabelsfalse
    max5
    spacesWCC
    showSpacefalse
    sortmodified
    reversetrue
    typepage
    cqllabel = "creditcards" and type = "page" and space = "WCC"
    labelscreditcards
    Page Properties
    hiddentrue


    Related issues