{"type":"doc","content":[{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"excerpt-include","parameters":{"macroParams":{"":{"value":"Reusable Excerpts - Master"},"name":{"value":"Contact - CPFM"},"nopanel":{"value":"true"}},"macroMetadata":{"macroId":{"value":"dea522d6-2a57-47de-a8c0-a729c6882bc4"},"schemaVersion":{"value":"1"},"title":"Insert excerpt"}},"localId":"037932fa-8d26-43d9-adb9-3d0e34494ce3"}}]},{"type":"paragraph","content":[{"text":"These procedures establish business processes for accepting and handling payment cards in accordance with the ","type":"text"},{"text":"UO Payment Card Acceptance Policy","type":"text","marks":[{"type":"link","attrs":{"href":"https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-4-business-affairs/payment-card-acceptance"}}]},{"text":" ","type":"text","marks":[{"type":"strong"}]},{"text":"and the Payment Card Industry Data Security Standards (PCI DSS). It is essential that employees engaged in payment card processing adhere to these procedures in order to protect and secure customer card data. The university can incur fines, penalties, and reputational damage in the event of a card data breach. These procedures are reviewed and communicated on an annual basis to ensure they are current and relevant and understood.","type":"text"},{"type":"hardBreak"}]},{"type":"rule"},{"type":"paragraph","content":[{"text":"GUIDANCE FOR CPFM CREDIT CARD TERMINAL USERS","type":"text","marks":[{"type":"textColor","attrs":{"color":"#339966"}}]}]},{"type":"paragraph","content":[{"text":"Department Name: Campus Planning and Facilities Management ","type":"text"}]},{"type":"paragraph","content":[{"text":"Business Process Owner/Title: Assistant Director of Work Management","type":"text"}]},{"type":"paragraph","content":[{"text":"Last Reviewed: November 8, 2023","type":"text"}]},{"type":"paragraph","content":[{"text":"Procedures: ","type":"text"}]},{"type":"paragraph","content":[{"text":"Assigned Roles and Responsibilities","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Unit Security Officer","type":"text","marks":[{"type":"strong"}]},{"text":" is the Assistant Director of CPFM Work Management and responsible for understanding and enforcing PCI rules, and (in the event of a data breach), for following the university incident response procedure. Must participate in PCI security awareness training annually. ","type":"text"}]},{"type":"paragraph","content":[{"text":"Cashier(s) ","type":"text","marks":[{"type":"strong"}]},{"text":"are Work Control Center Employees and Sustainability Staff working with Surplus Store Sales and are responsible for processing card transactions, securing and confidentially recycling paper records containing cardholder data. They are trained to use payment card equipment. Cashiers must be familiar with these procedures and participate in PCI security awareness training annually.","type":"text"}]},{"type":"paragraph","content":[{"text":"Business Manager","type":"text","marks":[{"type":"strong"}]},{"text":" is the Assistant Director of CPFM Work Management and responsible for understanding PCI requirements and completing the unit’s annual Self Assessment Questionnaire(s) (SAQs) with assistance from Business Affairs. Also responsible for maintaining a card processing equipment inventory and ensuring that any service providers engaged to assist in card processing are first evaluated by Business Affairs for PCI compliance. Also must participate in PCI security awareness training annually. ","type":"text"}]},{"type":"paragraph","content":[{"text":"Finance and Administration Shared Services Accountant","type":"text","marks":[{"type":"strong"}]},{"text":" is responsible for recording deposit of revenue in Banner. Responsible for reconciling all revenue recorded in Banner FIS with revenue reported in payment card transaction system.","type":"text"}]},{"type":"paragraph","content":[{"text":"Segregation of Duties Departments will segregate the following functions; card processing, processing of refunds, and the reconciliation of payment card transaction reports to the Banner deposit.","type":"text"}]},{"type":"paragraph","content":[{"text":"Card Acceptance Methods for CPFM Work Control","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Phone:","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Cisco VOIP Desk Phones will be used to collect customer card data. If working remotely a university maintained cell phone can be used. Never collect customer card data using PC software phone systems such as MS Teams Call or Amazon Connect Call Center. Ideally, the Cashier will process the card while on the phone with customer and no paper record containing the full card details is created. If a paper record is created, it must be physically secured then confidentially recycled immediately after processing using the UO secure Garten recycling bins.","type":"text"}]},{"type":"paragraph","content":[{"text":"Payment Card Terminals:","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Purchase/replacement of payment card terminals is coordinated through the University Cashier. Terminals are kept in a physically secure location when not in use and monitored when in the public domain. Only authorized staff with a business reason are granted access to terminals and only after they are properly trained to use them. Terminals are batch settled at the end of each work day. The settlement report is included with the deposit provided to the University Cashier. Terminals will automatically upload system updates. If the terminal malfunctions, contact Elavon Merchant Services using the phone number on the side of the terminal. You will need to provide the merchant account number and UO tax ID number.","type":"text"}]},{"type":"paragraph","content":[{"text":"Payment and Refund Step-by-Step.","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Payment Card Terminal","type":"text","marks":[{"type":"strong"}]},{"text":" - Detailed steps for evaluating the customer card and signature, processing a typical transaction using a specific make and model of payment card terminal or cash register.","type":"text"},{"text":" ","type":"text","marks":[{"type":"strong"}]},{"text":"Return, refund, and cancellation policies should be clearly communicated to prevent cardholder disputes/chargebacks. The departments refund policy is, that the ","type":"text"},{"text":"Assistant Director of Work Management approves before a refund is issued.","type":"text","marks":[{"type":"strong"}]},{"text":" Refunds must be processed using the same card number as the original sale. Never by cash or check. Refunds should be only processed by a limited number of trained professional staff who are entrusted with the system password","type":"text"}]},{"type":"paragraph","content":[{"text":"Disputes and Chargebacks: ","type":"text","marks":[{"type":"strong"}]},{"text":"Business Affairs Cashier will receive and report chargebacks and transaction disputes to the department. Departments can either accept or reject the chargeback. If rejected, the department will provide supporting documentation to justify that the transaction is valid. Failure to respond within the allocated timeframe will result in a loss to the department. Prompt attention to these matters is a priority. It is the department’s responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"33677c71-37a1-4968-b55e-70910dc338de"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Equipment Inventory: Assistant Director of Work Management","type":"text","marks":[{"type":"strong"}]},{"text":" will maintain an inventory of terminals,","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"

Equipment Type	DBA	Unit	Terminal ID #	Merchant ID #	Serial Number	Location/Physical Security	Purpose of Use
Terminal Cellular Ingenico Move 5000	CPFM UO Surplus Sales	Office of Sustainability	1	on file	on file	on file	Accept and process credit card transactions for sale of surplus furniture to public
CPFM Work Control	Work Control Center	2	on file	Accept and process credit card transactions for work orders created for external customers who do not have a UO banner index but needs support from Facilities Services

","nestedContent":{"type":"doc","content":[{"type":"table","content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Equipment Type","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"DBA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Unit","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Terminal ID #","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Merchant ID #","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Serial Number","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Location/Physical Security","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Purpose of Use","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":2},"content":[{"type":"paragraph","content":[{"text":"Terminal Cellular Ingenico Move 5000","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"CPFM UO Surplus Sales","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Office of Sustainability","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"on file","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":2},"content":[{"type":"paragraph","content":[{"text":"on file","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":2},"content":[{"type":"paragraph","content":[{"text":"on file","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Accept and process credit card transactions for sale of surplus furniture to public","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"CPFM Work Control","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Work Control Center","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"2","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"on file","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Accept and process credit card transactions for work orders created for external customers who do not have a UO banner index but needs support from Facilities Services","type":"text"}]}]}]}]}],"version":1},"reason":"A table in a table cell can't be created or edited in the new editor."}}},{"type":"paragraph","content":[{"type":"hardBreak"}]}]}]}]},{"type":"paragraph","content":[{"text":"Skimming Prevention Training","type":"text","marks":[{"type":"strong"}]},{"text":": Cashiers are trained to be aware of methods in which devices can be tampered with or replaced. ","type":"text"}]},{"type":"paragraph","content":[{"text":"Training includes the following:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Be aware of suspicious behavior. For example, attempts by unknown persons to distract a Cashier, unplug or overlay or replace payment card devices.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Request identification from unknown individuals and contact University Cashier before granting access to a payment card terminal.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Daily terminal inspection procedure and log.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Terminal Inspection:","type":"text","marks":[{"type":"strong"}]},{"text":" At the start of each business day (prior to use), the Cashier or Business Manager will inspect terminal surfaces for the following evidence of tampering or substitution:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Compare the serial number and model number listed on the terminal to that included on the Terminal Security Review Sheet.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Review the tamper evident stickers on the surface of the terminal and make sure it is intact.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Foreign objects (i.e. skimmers), unexpected attachments or cables plugged into the device, pry marks, broken or stressed seams.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Hidden cameras in the ceiling or vicinity.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The inspection result is documented using the Terminal Inspection Log (","type":"text"},{"text":"https://pages.uoregon.edu/baoforms/web/xlsx/Terminal-Inspection-Log.xlsx","type":"text","marks":[{"type":"link","attrs":{"href":"https://pages.uoregon.edu/baoforms/web/xlsx/Terminal-Inspection-Log.xlsx"}}]},{"text":").","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"If the terminal appears to have been tampered with or substituted, contact the University Cashier.","type":"text"}]},{"type":"paragraph","content":[{"text":"Third party compliance: ","type":"text","marks":[{"type":"strong"}]},{"text":"The unit business manager will obtain approval from Business Affairs before contracting with any third party service provider for card processing services. Purchasing and Contracting Services will ensure that the contract contains required PCI language. Unit business manager will verify the service provider remains PCI DSS compliant annually by requesting an Attestation of Compliance (AOC). Unit business manager will obtain a document that identifies which PCI requirements the merchant and service provider are each responsible for.","type":"text"}]},{"type":"paragraph","content":[{"text":"Data Breach Response: ","type":"text","marks":[{"type":"strong"}]},{"text":"In the event of a data incident where customer card data may have been exposed to unauthorized individuals, or payment card equipment may have been tampered with by an unauthorized individual, the unit security officer or business manager will report the incident on the Information Security Office website, ","type":"text"},{"text":"https://infosec.uoregon.edu/report-incident","type":"text","marks":[{"type":"link","attrs":{"href":"https://infosec.uoregon.edu/report-incident"}}]}]},{"type":"paragraph","content":[{"text":"Annual Security Awareness Training: ","type":"text","marks":[{"type":"strong"}]},{"text":"In accordance with PCI DSS Requirement 12.6.1, the Unit Security Officer, Cashiers, Business Manager, and Accountant will complete the annual PCI security awareness training available in the My Track learning library.","type":"text"}]},{"type":"paragraph","content":[{"text":"Annual PCI Self Assessment:","type":"text","marks":[{"type":"strong"}]},{"text":" Each year in May Business Affairs asks campus merchants to attest their compliance status with PCI DSS by completing the appropriate Self Assessment Questionnaire(s) (SAQs). Business Managers use the Campus Guard portal to complete their SAQs. Any areas of non-compliance must be addressed in a remediation plan. Campus compliance status is reported to the university’s acquiring bank(s) US Bank/Elavon, and for Athletics, FISERV and Chase Paymentech.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Related articles","type":"text"}]},{"type":"paragraph","content":[{"type":"placeholder","attrs":{"text":"Related articles appear here based on the labels you select. Click to edit the macro and add or change labels."}}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"contentbylabel","parameters":{"macroParams":{"showLabels":{"value":"false"},"max":{"value":"5"},"spaces":{"value":"WCC"},"showSpace":{"value":"false"},"sort":{"value":"modified"},"reverse":{"value":"true"},"type":{"value":"page"},"cql":{"value":"label = \"creditcards\" and type = \"page\" and space = \"WCC\""},"labels":{"value":"creditcards"}},"macroMetadata":{"macroId":{"value":"45337125-c657-4b41-9666-7b61199f51d9"},"schemaVersion":{"value":"4"},"title":"Filter by label (Content by label)"}},"localId":"4d0c7942-113d-4dc1-a004-50d1545e15f8"}},{"type":"bodiedExtension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"details","parameters":{"macroParams":{"hidden":{"value":"true"}},"macroMetadata":{"macroId":{"value":"335590a9-59e3-4cee-949f-fa465b2c6a10"},"schemaVersion":{"value":"1"},"title":"Page Properties"}},"localId":"939935bf-1507-412b-9860-1f98d296e777"},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"table","attrs":{"layout":"default","localId":"b89fffc0-cf2f-4982-83ef-5fc0248f8111"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Related issues","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}]}],"version":1}

Browser not supported