Reed College Payment Card Acceptance Policy
Revised: October 8, 2018
The Reed College Payment Card Acceptance Policy establishes roles, responsibilities, and rules for credit/debit card processing activities at Reed College and is designed to safeguard customer card data, reduce the risk of unauthorized access to card data, and facilitate compliance with the global Payment Card Industry Data Security Standard (PCI-DSS).
This policy applies to all campus departments (i.e., “merchants”) and individuals that accept credit/debit card payments on behalf of Reed College.
Authority and Responsibilities
Any Reed College department wishing to accept credit/debit card payments on behalf of Reed College must have the approval of the Vice President & Treasurer and Chief Information Officer, or their designee(s).
Merchants that accept payment cards are responsible for safeguarding cardholder data in accordance with this policy, Reed College Card Acceptance Best Practices, and Payment Card Industry (PCI) rules. Merchants must:
- use card acceptance systems and services that have been approved by the PCI Coordinator;
- never use personally owned devices (e.g., personal phones, laptops, or tablets) to process or store cardholder data;
- designate a department contact who will ensure compliance with card acceptance policies, best practices, and PCI DSS requirements;
- develop and document payment processing policies and procedures, department information security policies, and appropriate training materials for staff;
- coordinate with the Business Office to ensure appropriate tracking, reconciliation, and revenue deposits;
- participate in the required annual training and confirmation of responsibility acceptance;
- annually complete the assigned Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC);
- notify the PCI Coordinator in the event of significant changes to the department’s card acceptance practices;
- new merchants must also consult with the PCI Coordinator to define needs and develop an implementation plan before accepting any card payments.
The VP & Treasurer and CIO will designate a PCI Coordinator to oversee debit/credit card processing and PCI compliance for the campus. The PCI Coordinator will:
- lead a PCI Committee representing the Business Office, Computing & Information Services, and campus merchants that accept credit/debit card payments (the PCI Committee will assist in creating and disseminating card acceptance policies, PCI compliance requirements, and best practices);
- maintain a list of all campus merchants and their card acceptance processes, systems, and contracts;
- coordinate review and implementation of new card acceptance systems, services, and processors;
- assist departments that wish to begin accepting credit/debit cards;
- facilitate annual PCI compliance processes.
Data Security Incident Response
Known or suspected breaches of cardholder data should be reported immediately to the CIO, who will implement the Electronic Data Security Incident Response Plan. (reed.edu/cis/policies/incident_response.html)
Reed College Payment Card Acceptance Best Practices
Departments and individuals that accept payment cards are responsible for safeguarding personal cardholder data (CHD), for protecting it against theft or misuse, and for complying with the Payment Card Industry Data Security Standard (PCI-DSS). Complying with the PCI-DSS can be complex and challenging. The best practices outlined below provide guidance and clarify responsibilities for all Reed College merchants that accept payment cards.
Use secure methods to accept payment cards
Payment cards may be accepted in person, or via mail, telephone, or secure online services, so long as the mail, telephone, or online acceptance process is approved and documented. Never accept payment cards via email or fax: these channels transmit and retain card numbers in the clear (mail servers, mailboxes, fax memory, and printouts) and cannot be brought into compliance.
Whenever possible, use PCI-validated point-to-point encryption (P2PE) to process credit card transactions, so that card data is encrypted in the card reader and is never exposed to Reed computers or networks. Bluefin Payment Systems is the approved, validated P2PE provider for Reed College, though other providers may be approved on an ad hoc basis if necessary.
If you don’t need it, don’t store it!
Only retain cardholder data (CHD) for specific, documented business purposes. Many merchants retain cardholder data “just in case” though that is often unnecessary.
Never store unencrypted cardholder data on any computer, server, or removable electronic media (e.g., thumb drive or external hard drive). Note that sensitive authentication data (the card verification code printed on the card, full magnetic stripe or chip data, and PINs) may never be stored after a transaction is authorized, even in encrypted form. If you need assistance with encryption methods please contact Computer User Services.
Physically secure cardholder data and devices
Make sure cardholder data is secured just like cash. Never leave CHD unattended on your desk, even for a few minutes. At night, lock CHD in a secure cabinet or safe.
If you use approved desktop or mobile devices to process payment cards, make sure they are physically secure when not in use. Regularly (no less than quarterly) inspect devices for signs of tampering and log the inspection on your department’s approved checklist. Immediately report signs of suspected tampering to the Chief Information Officer and the PCI Coordinator.
Destroy CHD as soon as the transaction has been processed. Printed forms that include CHD may need to be redesigned so the CHD can be easily removed and cross-cut shredded.
All paper with CHD should be shredded in a “cross-cut” type shredder. Ideally the cross-cut shredder is located near your desk and the paper can be shredded immediately.
In some cases, third-party shredding services may be used, as long as the bins they provide are locked and cannot be removed from the area. When a bin is picked up for shredding, monitor the pickup process and obtain a certificate of destruction when the shredding is complete.
Document card acceptance practices
Create and annually review written documentation of the department’s card acceptance and security procedures, including which PCI-DSS requirements are handled by the merchant and which are handled by service providers (see Reed’s Departmental Card Acceptance document template, available from the PCI Coordinator).
Training and confidentiality
Ensure that all individuals (including employees, students, contractors, and volunteers) who handle cardholder data receive annual training on PCI compliance and department card acceptance practices. Ensure that all individuals who handle CHD sign annual confidentiality agreements. Confidentiality agreements may be incorporated into training materials or user agreements, or you can use the Reed College Confidentiality Agreement (available from the PCI Coordinator).