Date Established: 4/6/2009
Date Last Updated: 5/28/2015
Vice President for Finance and Administration
Credit/debit card payments must be processed in an efficient, consistent, secure, and controlled manner in compliance with the Payment Card Industry Data Security Standard.
University at Buffalo (UB, university) departments may accept credit/debit cards as an appropriate form of payment for goods, services, and donations. As a credit/debit card merchant, university departments must:
Credit/debit card data is classified as regulated private data. Credit/debit card merchants are responsible for safeguarding the confidentiality of regulated private data in accordance with the following university policies:
The safeguarding and storage of cardholder information is subject to:
Departments not complying with approved safeguarding, storage, and processing procedures may lose the privilege to serve as a credit/debit card merchant.
The university recognizes that accepting credit/debit cards as payment for goods, services, and donations has become a common practice that improves customer service, brings efficiency to the cash collection process, and is essential when business is conducted electronically. Departments may accept credit/debit card payments in electronic format, via point of sale terminals, or through the mail to be processed by the appropriate business office (i.e., Financial Management, UBF, or CDS). The business office will determine the most appropriate method to utilize based on customer service and convenience, cost (dollars and time), volume of expected activity, and impact on revenue distribution.
Situations may occur that require the ability to accept credit/debit cards on a one-time basis. Contact Financial Management for suggestions on how to handle these situations.
The Payment Card Industry (including American Express, Discover, Master Card, VISA, and other major card issuers) has established important and stringent security requirements to protect credit/debit card data. These requirements are called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a single approach to safeguarding credit/debit card data for all card brands and details the security requirements for transmitting, storing, accessing, and processing cardholder data. Compliance is the responsibility of the entire institution with duties and accountability assigned at every level of the payment process.
Penalties for non-compliance include significant fines and withdrawal of payment card services by the payment card industry.
This policy applies to any official or administrator with responsibilities for managing university credit/debit card transactions and those employees entrusted with handling credit/debit cards and credit/debit card information.
Any personally identifiable data associated with a cardholder, including but not limited to account number, expiration date, name, address, social security number, and card validation code (the three- or four-digit value printed on the front or back of a credit/debit card).
Credit/Debit Card Merchant
A unit that accepts credit/debit card payments.
Payment Card Industry Data Security Standard (PCI DSS)
A set of comprehensive requirements for enhancing payment account data security. The PCI DSS was developed by the founding payment brands of the PCI Security Standards Council including American Express, Discover Financial Services, MasterCard Worldwide, and VISA International to facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data and offers a single approach to safeguarding sensitive data for all card brands.
Regulated Private Data
Includes bank credit/debit card numbers with or without PINs, social security numbers, state-issued driver license numbers, state-issued non-driver identification numbers, protected health information, passwords, and computer access protection information.
Process used to prioritize the allocation of revenue to departments based on the type of fee collected through the student account billing system.
418 Crofts Hall
Buffalo, NY 14260
Information Security Office
517 Capen Hall
Buffalo, NY 14260
University at Buffalo Foundation
Center for Tomorrow
Buffalo, NY 14260
Campus Dining & Shops
146 Fargo, Ellicott Complex
Buffalo, NY 14260
May 2015: Updated terminology to change "swipe card machine" to "point of sale terminal." Updated Related Information links to include a new Credit Card Merchant Request form.
May 2011: Updated to include a requirement to provide Financial Management with a PCI Compliance certificate for the vendor.