
OVERVIEW


These procedures establish business processes for accepting and handling payment cards in accordance with the UO Payment Card Acceptance Policy and the Payment Card Industry Data Security Standard (PCI DSS). It is essential that employees engaged in payment card processing adhere to these procedures in order to protect and secure customer card data. The university can incur fines, penalties, and reputational damage in the event of a card data breach. These procedures are reviewed and communicated on an annual basis to ensure they are current, relevant, and understood.


GUIDANCE FOR CPFM CREDIT CARD TERMINAL USERS

Department Name:  Campus Planning and Facilities Management 

Business Process Owner/Title: Assistant Director of Work Management

Last Reviewed:  March 27, 2022

Procedures: 

https://ba.uoregon.edu/payment-card-acceptance

Assigned Roles and Responsibilities.

  1. Unit Security Officer: responsible for understanding and enforcing PCI rules and, in the event of a data breach, for following the university incident response procedure. Must participate in PCI security awareness training annually. Assigned to: Assistant Director of CPFM Work Management.
  2. Cashier(s): responsible for processing card transactions and for securing and confidentially recycling paper records containing cardholder data. Cashiers are trained to use payment card equipment, must be familiar with these procedures, and must participate in PCI security awareness training annually. Assigned to: Work Control Center employees and Sustainability staff working with Surplus Store sales.
  3. Business Manager: responsible for understanding PCI requirements and completing the unit's annual Self Assessment Questionnaire(s) (SAQs) with assistance from Business Affairs. Also responsible for maintaining a card processing equipment inventory and ensuring that any service providers engaged to assist in card processing are first evaluated by Business Affairs for PCI compliance. Must participate in PCI security awareness training annually. Assigned to: Finance and Administration Shared Services.
  4. Accountant: responsible for recording the deposit of revenue in Banner and for reconciling all revenue recorded in Banner FIS with revenue reported in the payment card transaction system. Assigned to: Finance and Administration Shared Services.
  5. Segregation of Duties: departments will segregate the following functions: card processing, processing of refunds, and the reconciliation of payment card transaction reports to the Banner deposit.

Card Acceptance Methods.

  1. Phone - Cisco VoIP desk phones will be used to collect customer card data. If working remotely, a university-maintained cell phone can be used. Never collect customer card data using PC software phone systems such as MS Teams Call or Amazon Connect Call Center. Ideally, the Cashier will process the card while on the phone with the customer, so that no paper record containing the full card details is created. If a paper record is created, it must be physically secured and then confidentially recycled immediately after processing using the UO secure Garten recycling bins.
  2. Fax - The Cashier retrieves the document from the fax machine as soon as it is received and immediately processes the card transaction using the payment card terminal. Immediately after processing, the card number is removed from the document (cut out or remove the entire page) and confidentially recycled before filing.
  3. US Mail - When a letter is opened that contains cardholder data, it is hand delivered to the Cashier, who will immediately process the card transaction using the payment card terminal. Immediately after processing, the card number is removed from the document (cut out or remove the entire page) and confidentially recycled before filing.
  4. eCommerce - The customer enters card data using their own device, in a web payment form fully hosted by a third party who immediately processes it on behalf of the university. University employees will never process payments online on behalf of a customer.
  5. Email - If a customer sends their card number by email, the message is deleted without processing, and the customer card data is then collected using a secure method such as telephone.

Payment Card Terminals:

  1. Purchase/replacement of payment card terminals is coordinated through the University Cashier.
  2. Terminals are kept in a physically secure location when not in use and monitored when in the public domain.
  3. Only authorized staff with a business reason are granted access to terminals and only after they are properly trained to use them.
  4. Terminals are batch settled at the end of each work day.
  5. The settlement report is included with the deposit provided to the University Cashier.
  6. Terminals will automatically upload system updates.
  7. If the terminal malfunctions, contact Elavon Merchant Services using the phone number on the side of the terminal. You will need to provide the merchant account number and UO tax ID number.

Payment and Refund Step-by-Step.

    1. Payment Card Terminal - Detailed steps for evaluating the customer card and signature and processing a typical transaction using a specific make and model of payment card terminal or cash register. Return, refund, and cancellation policies should be clearly communicated to prevent cardholder disputes/chargebacks. The department's refund policy is that the Assistant Director of Work Management approves each refund before it is issued. Refunds must be processed using the same card number as the original sale, never by cash or check. Refunds should only be processed by a limited number of trained professional staff who are entrusted with the system password.
    2. eCommerce - customer enters card data using their own device, in a web payment form fully hosted by Nelnet Business Solutions QuikPAY or another third party who immediately processes it on behalf of the university. University employees never have access to cardholder data. Refunds are requested by sending an email to the university cashier cashiers@uoregon.edu providing the transaction ID, amount, cardholder name and date.

Disputes and Chargebacks: The Business Affairs Cashier will receive chargebacks and transaction disputes and report them to the department. Departments can either accept or reject the chargeback. If rejected, the department will provide supporting documentation to justify that the transaction is valid. Failure to respond within the allocated timeframe will result in a loss to the department. Prompt attention to these matters is a priority. It is the department's responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.


Equipment Inventory: The Assistant Director of Work Management will maintain an inventory of terminals with the following fields for each: Equipment Type, DBA, Unit, Terminal ID #, Merchant ID #, Serial Number, Location/Physical Security, and Purpose of Use.

Terminal 1
  Equipment Type: Terminal Cellular Ingenico Move 5000
  DBA: CPFM UO Surplus Sales
  Unit: Office of Sustainability
  Terminal ID #: 1
  Merchant ID #: on file
  Serial Number: on file
  Location/Physical Security: on file
  Purpose of Use: Accept and process credit card transactions for sale of surplus furniture to the public

Terminal 2
  Equipment Type:
  DBA: CPFM Work Control
  Unit: Work Control Center
  Terminal ID #: 2
  Merchant ID #: on file
  Serial Number:
  Location/Physical Security:
  Purpose of Use: Accept and process credit card transactions for work orders created for external customers who do not have a UO Banner index but need support from Facilities Services

Skimming Prevention Training: Cashiers are trained to be aware of methods by which devices can be tampered with or replaced. Training includes the following:

    1. Be aware of suspicious behavior, for example attempts by unknown persons to distract a Cashier, or to unplug, overlay, or replace payment card devices.
    2. Request identification from unknown individuals and contact University Cashier before granting access to a payment card terminal.
    3. Daily terminal inspection procedure and log.

Terminal Inspection: At the start of each business day (prior to use), the Cashier or Business Manager will inspect terminal surfaces for the following evidence of tampering or substitution:

    1. Compare the serial number and model number listed on the terminal to that included on the Terminal Security Review Sheet.
    2. Review the tamper-evident stickers on the surface of the terminal and make sure they are intact.
    3. Check for foreign objects (e.g., skimmers), unexpected attachments or cables plugged into the device, pry marks, and broken or stressed seams.
    4. Check for hidden cameras in the ceiling or vicinity.
    5. The inspection result is documented using the Terminal Inspection Log (https://pages.uoregon.edu/baoforms/web/xlsx/Terminal-Inspection-Log.xlsx).

If the terminal appears to have been tampered with or substituted, contact the University Cashier.

Third-Party Compliance. The unit business manager will obtain approval from Business Affairs before contracting with any third-party service provider for card processing services. Purchasing and Contracting Services will ensure that the contract contains the required PCI language. The unit business manager will verify annually that the service provider remains PCI DSS compliant by requesting an Attestation of Compliance (AOC). The unit business manager will also obtain a document that identifies which PCI requirements the merchant and the service provider are each responsible for.


Data Breach Response. In the event of a data incident where customer card data may have been exposed to unauthorized individuals, or payment card equipment may have been tampered with by an unauthorized individual, the unit security officer or business manager will report the incident on the Information Security Office website, https://infosec.uoregon.edu/report-incident.

Annual Security Awareness Training: In accordance with PCI DSS Requirement 12.6.1, the Unit Security Officer, Cashiers, Business Manager, and Accountant will complete the annual PCI security awareness training available in the My Track learning library.

Annual PCI Self Assessment: Each year in May, Business Affairs asks campus merchants to attest to their compliance status with PCI DSS by completing the appropriate Self Assessment Questionnaire(s) (SAQs). Business Managers use the CampusGuard portal to complete their SAQs. Any areas of non-compliance must be addressed in a remediation plan. Campus compliance status is reported to the university's acquiring bank(s), US Bank/Elavon, and, for Athletics, FISERV and Chase Paymentech.


