Departmental Payment Card Procedures (CPFM)
OVERVIEW
These procedures establish business processes for accepting and handling payment cards in accordance with the UO Payment Card Acceptance Policy and the Payment Card Industry Data Security Standards (PCI DSS). It is essential that employees engaged in payment card processing adhere to these procedures in order to protect and secure customer card data. The university can incur fines, penalties, and reputational damage in the event of a card data breach. These procedures are reviewed and communicated on an annual basis to ensure they are current and relevant and understood.
GUIDANCE FOR CPFM CREDIT CARD TERMINAL USERS
Department Name: Campus Planning and Facilities Management
Business Process Owner/Title: Assistant Director of Work Management
Last Reviewed: November 8, 2023
Procedures:
Assigned Roles and Responsibilities
Unit Security Officer is the Assistant Director of CPFM Work Management and responsible for understanding and enforcing PCI rules, and (in the event of a data breach), for following the university incident response procedure. Must participate in PCI security awareness training annually.
Cashier(s) are Work Control Center Employees and Sustainability Staff working with Surplus Store Sales and are responsible for processing card transactions, securing and confidentially recycling paper records containing cardholder data. They are trained to use payment card equipment. Cashiers must be familiar with these procedures and participate in PCI security awareness training annually.
Business Manager is the Assistant Director of CPFM Work Management and responsible for understanding PCI requirements and completing the unit’s annual Self Assessment Questionnaire(s) (SAQs) with assistance from Business Affairs. Also responsible for maintaining a card processing equipment inventory and ensuring that any service providers engaged to assist in card processing are first evaluated by Business Affairs for PCI compliance. Also must participate in PCI security awareness training annually.
Finance and Administration Shared Services Accountant is responsible for recording deposit of revenue in Banner. Responsible for reconciling all revenue recorded in Banner FIS with revenue reported in payment card transaction system.
Segregation of Duties Departments will segregate the following functions; card processing, processing of refunds, and the reconciliation of payment card transaction reports to the Banner deposit.
Card Acceptance Methods for CPFM Work Control
Phone:
Cisco VOIP Desk Phones will be used to collect customer card data. If working remotely a university maintained cell phone can be used. Never collect customer card data using PC software phone systems such as MS Teams Call or Amazon Connect Call Center. Ideally, the Cashier will process the card while on the phone with customer and no paper record containing the full card details is created. If a paper record is created, it must be physically secured then confidentially recycled immediately after processing using the UO secure Garten recycling bins.
Payment Card Terminals:
Purchase/replacement of payment card terminals is coordinated through the University Cashier. Terminals are kept in a physically secure location when not in use and monitored when in the public domain. Only authorized staff with a business reason are granted access to terminals and only after they are properly trained to use them. Terminals are batch settled at the end of each work day. The settlement report is included with the deposit provided to the University Cashier. Terminals will automatically upload system updates. If the terminal malfunctions, contact Elavon Merchant Services using the phone number on the side of the terminal. You will need to provide the merchant account number and UO tax ID number.
Payment and Refund Step-by-Step.
Payment Card Terminal - Detailed steps for evaluating the customer card and signature, processing a typical transaction using a specific make and model of payment card terminal or cash register. Return, refund, and cancellation policies should be clearly communicated to prevent cardholder disputes/chargebacks. The departments refund policy is, that the Assistant Director of Work Management approves before a refund is issued. Refunds must be processed using the same card number as the original sale. Never by cash or check. Refunds should be only processed by a limited number of trained professional staff who are entrusted with the system password
Disputes and Chargebacks: Business Affairs Cashier will receive and report chargebacks and transaction disputes to the department. Departments can either accept or reject the chargeback. If rejected, the department will provide supporting documentation to justify that the transaction is valid. Failure to respond within the allocated timeframe will result in a loss to the department. Prompt attention to these matters is a priority. It is the department’s responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.
Equipment Inventory: Assistant Director of Work Management will maintain an inventory of terminals, |
Skimming Prevention Training: Cashiers are trained to be aware of methods in which devices can be tampered with or replaced.
Training includes the following:
Be aware of suspicious behavior. For example, attempts by unknown persons to distract a Cashier, unplug or overlay or replace payment card devices.
Request identification from unknown individuals and contact University Cashier before granting access to a payment card terminal.
Daily terminal inspection procedure and log.
Terminal Inspection: At the start of each business day (prior to use), the Cashier or Business Manager will inspect terminal surfaces for the following evidence of tampering or substitution:
Compare the serial number and model number listed on the terminal to that included on the Terminal Security Review Sheet.
Review the tamper evident stickers on the surface of the terminal and make sure it is intact.
Foreign objects (i.e. skimmers), unexpected attachments or cables plugged into the device, pry marks, broken or stressed seams.
Hidden cameras in the ceiling or vicinity.
The inspection result is documented using the Terminal Inspection Log (https://pages.uoregon.edu/baoforms/web/xlsx/Terminal-Inspection-Log.xlsx).
If the terminal appears to have been tampered with or substituted, contact the University Cashier.
Third party compliance: The unit business manager will obtain approval from Business Affairs before contracting with any third party service provider for card processing services. Purchasing and Contracting Services will ensure that the contract contains required PCI language. Unit business manager will verify the service provider remains PCI DSS compliant annually by requesting an Attestation of Compliance (AOC). Unit business manager will obtain a document that identifies which PCI requirements the merchant and service provider are each responsible for.
Data Breach Response: In the event of a data incident where customer card data may have been exposed to unauthorized individuals, or payment card equipment may have been tampered with by an unauthorized individual, the unit security officer or business manager will report the incident on the Information Security Office website, https://infosec.uoregon.edu/report-incident
Annual Security Awareness Training: In accordance with PCI DSS Requirement 12.6.1, the Unit Security Officer, Cashiers, Business Manager, and Accountant will complete the annual PCI security awareness training available in the My Track learning library.
Annual PCI Self Assessment: Each year in May Business Affairs asks campus merchants to attest their compliance status with PCI DSS by completing the appropriate Self Assessment Questionnaire(s) (SAQs). Business Managers use the Campus Guard portal to complete their SAQs. Any areas of non-compliance must be addressed in a remediation plan. Campus compliance status is reported to the university’s acquiring bank(s) US Bank/Elavon, and for Athletics, FISERV and Chase Paymentech.
Related articles