THE UNIVERSITY OF GEORGIA CREDIT/DEBIT CARD PROCESSING PROCEDURES
The University of Georgia currently accepts four major credit cards (MasterCard, Visa, Discover, and American Express) for payment of services rendered and goods sold. Debit cards with the Visa or MasterCard logo are also accepted. All University departments are required to process card transactions through the merchant services provider selected by the University and/or the State of Georgia. Effective January 1, 2004, the State of Georgia selected First Data and Suntrust Merchant Services as the state-wide provider.
General guidelines
1) Any University unit wishing to accept credit/debit cards for goods and/or services should complete a Credit/Debit Card Processing application (www.bursar.uga.edu). Applications will be reviewed to ensure your request for processing credit card sales is in compliance with current University policies.
2) Upon approval, the Bursar’s Office will request a merchant ID for the University department from the merchant services provider. If the department will be conducting e-Commerce, an e-Commerce merchant ID must be established which is separate from any Point-of-Sale (POS) merchant ID.
3) The Bursar’s Office will work with the department regarding the purchase of all card processing terminals. Effective July 1, 2004, all credit card equipment that prints a receipt is required to truncate the card number on the customer receipt.
4) If specialized software and/or systems are required, the Bursar’s Office, the Chief Information Security Officer, Internal Auditing, and the applicable computer support unit will work with the department to ensure processing standards and safeguarding measures are met.
5) On a daily basis, the department must balance transactions and settle their sales electronically to the merchant services provider.
6) The department will complete and send the credit/debit card transmittal form to the Bursar’s Office so the sales revenue can be recorded in the University Accounting System. Transmittal forms summarizing the settled sales should be sent to the Bursar’s Office electronically no later than noon of the day following settlement. Merchants can access the credit/debit card sales transmittal form at http://www.busfin.uga.edu/forms/credit_card_transmittal.pdf and submit it electronically or email the completed transmittal form to bursar@uga.edu. Faxed forms will be accepted for those merchants who are unable to submit their transmittal online or by email.
7) All departments accepting credit/debit cards for payment must comply with The University of Georgia Credit/Debit Card Processing Policy, Payment Card Industry (PCI) Standards, Board of Regents policy, and the University’s Customer Information Security Program (UGA Gramm Leach Bliley Policy) to protect the private financial information of University customers. The Gramm Leach Bliley policy is available at: http://www.uga.edu/audit/glba/index.html. The Office of Information Security’s website, http://www.infosec.uga.edu, may be referenced for additional information.
8) Individuals with access to cardholder information (should only be applicable to POS receipts) should be limited to only those persons whose job requires such access.
9) Should any merchant become aware that cardholder data has been compromised, the incident response procedures in this document should be followed.
10) Each Merchant will review their PCI questionnaire annually and update responses as needed.
11) Each Merchant is responsible for having at least one person in their department participate in all training sessions offered.
Guidelines for Point-of-Sale Transactions
1) The Bursar’s Office will coordinate all credit/debit card processing for the University. The SVPFA, CIO or delegate(s) (Bursar (Lisa McCleary), Asst. Bursar (Therese Hodges), or Credit Card Coordinator (Elizabeth Quillian)) must approve all credit/debit card processing activities at The University of Georgia before a unit enters into any contracts or purchases software and/or equipment.
2) All card transactions will be processed on equipment compatible with the processing platform(s) of the University’s card processor. As of January 1, 2004, the University’s card processor is First Data/Suntrust Merchant Services which is the card processor selected by the State of Georgia.
3) Effective July 1, 2004, all customer receipts must truncate the card number so only the last four digits are printed.
4) Departments requiring customized equipment for point-of-sale (POS) transactions must contact the Bursar’s Office before such equipment is purchased. The Office of Information Security and Internal Auditing will be consulted prior to equipment purchase if the requested equipment is not standard.
5) In order to reduce fraud, credit card companies recommend the following procedures for processing cards when the card is present (i.e., face to face transaction):
· It is recommended you ask for an ID at the point of sale to verify the cardholder is using the card.
· Always swipe the card through the terminal/point of sale device, if applicable.
· Obtain authorization for every card sale.
· Ask the customer to sign the sales receipt.
· Match the embossed number on the card to the four digits of the account number displayed on the terminal.
· Compare the name and signature on the card to those on the transaction receipt.
· If you believe the card number or card sale is suspicious, make a Code 10 call to the voice authorization center for the card being used.
6) If cardholder information is taken over the phone or via fax (i.e., card is not present), in order to reduce fraud, the following guidelines are recommended:
· Obtain cardholder name, billing address, shipping address (if different from billing address and if applicable), account number, and expiration date.
· Verify the customer’s billing address either electronically (by entering the zip code in the POS device) or by calling the credit card automated phone system (Address Verification System-AVS)
· Request the Security Code (the three digit code on the back of the card in the signature panel) and validate the code at the time of authorization either electronically (through the POS device) or by calling the credit card automated phone system. This code should be destroyed once validated; it should not be stored physically or electronically.
· Get a signature for each delivery made to someone other than the card member.
· Maintain credit card receipts and all delivery records for the retention period as specified in #13 below.
7) UGA units should not accept credit/debit card information via email.
8) All phone based point-of-sale terminal transactions must be batched and transmitted to the card processor on a daily basis. Transmission of sensitive cardholder data should be encrypted using 128 bit encryption and purged after settlement.
9) Sales totals (net of refunds) must be reported to the Bursar’s Office on a credit card transmittal form (http://www.busfin.uga.edu/forms/credit_card_transmittal.pdf) no later than noon the day following the day of settlement. These forms should be faxed to 706-542-6839 or e-mailed to bursar@uga.edu.
10) It is important that departments reconcile their point-of-sale transactions and report the sales amounts to the Bursar’s Office. The department’s transmittal should be the origination point; the Bursar’s Office should not report the sales amount per the credit card processor reports to the department in order for the department to prepare the transmittal.
11) The Bursar’s Office will compare the sales amount per the transmittal to the records at the card processor and will immediately inform the department of discrepancies. All discrepancies should be resolved within 24 hours so sales can be posted to the departmental account in the UGA Accounting System on a timely basis. All sales amounts will be reconciled to the bank account as well.
12) When the Bursar’s Office receives chargeback inquiries from the credit card companies, the applicable department will be contacted to provide the necessary information about the sales transaction in question.
13) Departments should maintain adequate records of the sales transactions. Daily sales totals, logs, etc. substantiating revenue should be stored for 5 years in accordance with state record retention policies (Board of Regents, Records Retention Series A, http://www.usg.edu/usgweb/busserv/series/). Individual receipt slips and other documents with cardholder data should be stored in a locked filing cabinet or safe and only need to be retained for 12 months. In order to dispute a charge, customers must report the item to the credit card company within 12 months of the date of sale. At the time of disposal, all documents containing sensitive cardholder data should be shredded using a cross-cut shredder. Individuals with access to cardholder information should be limited to only those persons whose job requires such access, such as resolving credit card reconciling issues and disputes.
14) Access to the physical location of stored credit card receipts should be in a restricted area where authorized persons can be easily identified and access to the area can be limited and restricted. Any visitors in this authorized area should always be identified, logged in and out and escorted at all times.
15) Cardholder information is not to be taken or distributed for unauthorized purposes.
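The receipt truncation rule in item 3 above (print only the last four digits) and the rule in item 6 that the security code is validated and then destroyed, never stored, are the two places where a merchant's own receipt-printing or order-entry software can silently breach this policy. The following is an added illustration, not code from The University of Georgia, its merchant services provider, or any terminal vendor: a small receipt renderer that masks the card number, and a check that scans receipt text for a full card number or a security-code field before it is printed or archived. The helper names (mask_pan, render_receipt, find_card_data_leaks), the 13 to 19 digit card-number length range, and the sample receipt values are all assumptions made for this example.

```python
"""Receipt PAN masking and a pre-print leak check.

Added example for the truncation and security-code rules above; not UGA's
or any vendor's code. Every identifier and sample value here is constructed.
"""
import re

# Card numbers for the brands named in this document fall between 13 and
# 19 digits; this range is an assumption of the example, not from the page.
PAN_MIN_DIGITS = 13
PAN_MAX_DIGITS = 19

# A run of 13-19 digits, optionally separated by spaces or dashes, not
# adjacent to other digits. Used only to *detect* a full card number.
FULL_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Labels under which the three/four-digit security code is commonly printed.
# Its presence on a receipt at all is a violation, regardless of the value.
SECURITY_CODE_LABEL_RE = re.compile(
    r"\b(?:CVV2?|CVC2?|CID|security code)\b", re.IGNORECASE
)


def mask_pan(pan: str) -> str:
    """Return the card number with every digit except the last four masked.

    Separators are stripped first so '4111 1111 1111 1111' and
    '4111111111111111' mask identically. Anything outside the plausible
    length range is rejected rather than masked, so a bad value can never
    reach the receipt.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not PAN_MIN_DIGITS <= len(digits) <= PAN_MAX_DIGITS:
        raise ValueError("value is not a plausible card number")
    return "X" * (len(digits) - 4) + digits[-4:]


def render_receipt(merchant: str, amount_cents: int, pan: str, auth_code: str) -> str:
    """Build the customer receipt text.

    The security code is deliberately not a parameter: it is validated at
    authorization time and then discarded, so nothing downstream of
    authorization should ever have it to print.
    """
    lines = [
        merchant,
        f"AMOUNT: ${amount_cents / 100:.2f}",
        f"CARD: {mask_pan(pan)}",
        f"AUTH: {auth_code}",
        "SIGNATURE: ______________________",
    ]
    return "\n".join(lines)


def find_card_data_leaks(receipt_text: str) -> list:
    """Return the policy problems found in receipt text (empty list if none).

    Intended as a guard before printing or archiving: a full card number or
    any security-code field on the receipt is a violation of the rules above.
    """
    problems = []
    if FULL_PAN_RE.search(receipt_text):
        problems.append("full card number present")
    if SECURITY_CODE_LABEL_RE.search(receipt_text):
        problems.append("security code field present")
    return problems


if __name__ == "__main__":
    # Constructed sample using a well-known test card number.
    receipt = render_receipt("Sample UGA Merchant", 1250, "4111 1111 1111 1111", "A1B2C3")
    print(receipt)
    print("problems:", find_card_data_leaks(receipt))
    # A receipt that violates the policy (constructed):
    print("problems:", find_card_data_leaks("CARD: 4111111111111111 CVV: 123"))
```

The leak check is deliberately conservative: any 13 to 19 digit run trips it, so a long numeric transaction or order identifier on a receipt would also be flagged and would need to be formatted with letters or separators that break the run. That is the preferable failure mode for a guard that sits in front of a printer.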
E-Commerce Transactions
1) The Bursar’s Office will coordinate all e-commerce processing for the University. No individual department may enter into a contract with a card processor without approval of the SVPFA, CIO or delegate(s) (Bursar (Lisa McCleary), Asst. Bursar (Therese Hodges), or Credit Card Coordinator (Elizabeth Quillian)).
2) Departments should contact the Bursar’s Office prior to purchase of specialized software or equipment so that customized processing applications are reviewed in conjunction with policy and procedure. The Bursar’s Office, the Chief Information Security Officer, Internal Auditing, and the applicable computer support unit will work with the department to ensure processing standards and safeguarding measures are met. Approval must be obtained before submitting a purchase request to procurement for processing.
3) All card transactions will be processed through a payment gateway approved by the SVPFA and the CIO. A list of currently approved vendors may be obtained from the Bursar’s Office. Any vendor chosen by a department must be PCI compliant and remain validated/certified as compliant by the card associations.
4) To the extent possible, card processing transactions should be performed on the website of the payment gateway (i.e., the customer should enter sensitive cardholder data on a payment engine website) and not on University computer or network resources.
5) No department should store or process any sensitive cardholder data on any UGA server or PC. All sensitive cardholder data should be maintained by an approved service provider. All outside service providers must comply with the PCI standards and be validated as PCI compliant by the card associations.
6) All IP based point of sale devices and/or e-commerce transactions must be batched and transmitted to the card processor daily. For IP based point of sale devices, sensitive cardholder data must be encrypted using 128 bit encryption and purged after settlement. Transmissions for IP based point of sale devices should be conducted on a private circuit and not the UGA network.
7) Sales totals (net of refunds) must be reported to the Bursar’s Office on a credit card transmittal form (http://www.busfin.uga.edu/forms/credit_card_transmittal.pdf) no later than noon the day following the day of settlement. These forms should be faxed to 706-542-6839 or e-mailed to bursar@uga.edu.
8) It is important departments reconcile their e-commerce transactions and report the sales amount to the Bursar’s Office. The department’s transmittal should be the origination point; the Bursar’s Office should not report the sales amount per the credit card processor reports to the department in order for the department to prepare the transmittal.
9) The Bursar’s Office will compare the sales amount per the transmittal to the records at the card processor and will immediately inform the department of discrepancies. All discrepancies should be resolved within 24 hours so sales can be posted to the departmental account in the UGA Accounting System on a timely basis. All sales amounts will be reconciled to the bank account as well.
10) When the Bursar’s Office receives chargeback inquiries from the credit card companies, the applicable department will be contacted to provide the necessary information about the sales transaction in question.
11) Departments should maintain adequate records of the sales transactions. Daily sales totals, logs, etc. substantiating revenue should be stored for 5 years in accordance with state record retention policies (Board of Regents, Records Retention Series A, http://www.usg.edu/usgweb/busserv/series/). Individual receipt slips and other documents with cardholder data should be stored in a locked filing cabinet or safe and only need to be retained for 12 months. In order to dispute a charge, customers must report the item to the credit card company within 12 months of the date of sale. At the time of disposal, all documents containing sensitive cardholder data should be shredded using a cross-cut shredder. Individuals with access to cardholder information should be limited to only those persons whose job requires such access, such as resolving credit card reconciling issues and disputes.
12) Cardholder information is not to be taken or distributed for unauthorized purposes.
13) Each merchant will be responsible for scheduling quarterly scans with the University’s third party assessor.
Technical Specifications
Each University unit processing credit/debit cards will be responsible for adhering to the credit card merchants’ data security program. The Office of Information Security will maintain links to the various merchant’s data security programs at: http://infosec.uga.edu/standards.html.
Any questions with regard to the technical specifications should be directed to the Chief Information Security Officer.
Each merchant ID assigned will have at least one person subscribed to the credit card listserv for updates on credit/debit card policy and procedures. Each merchant will also need to maintain their contact information in the portal of the PCI Evaluator for The University of Georgia.
Exceptions to Policy:
In order to be granted an exception to the policy, please submit a “Request for Exception” located at: www.bursar.uga.edu.
Requests should include:
- Reason for requesting exception
- Steps being taken to become compliant with the policy
- Date your division is expected to become compliant
The Bursar’s Office will work with the SVPFA and CIO to determine if an exception to the policy can be granted. Any merchants granted an exception must follow each detail specified in the PCI requirements and be assessed as PCI compliant by an external assessor at their own expense on an annual basis.
Compromise Incident Response Procedures
Should you become aware that any cardholder data was subject to compromise, you should follow the steps outlined below within 24 hours:
1) Alert the following immediately:
· University Office of Information Security
· University’s Bursar’s Office
2) Immediately work with the Office of Information Security to limit the exposure. Prevent the further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information.
· Do not access or alter compromised systems
· Do not turn the compromised machine off; isolate compromised systems from the network
· Preserve logs and electronic evidence
· Log all actions taken
· Be on high alert and monitor all systems
3) The Bursar’s Office will assist the merchant in notifying the 3rd party vendor if this is applicable.
4) The Bursar’s Office will contact its Merchant services provider. The Merchant services provider will assist the Bursar’s Office in contacting each Card Association’s Fraud Control Group and the local office of the Secret Service. The Bursar’s Office should also contact the University’s Legal Affairs Office and Internal Audit at this time.
5) Provide all compromised accounts to the merchant services provider and to any other agency/company as instructed by the merchant services provider and/or card associations.
6) Provide an Incident Response Report document to each Card Association within the timeframe they specify.
7) If required by the card associations, undergo an independent forensic investigation.