Date Established: 4/6/2009
Date Last Updated: 8/4/2017
Vice President for Finance and Administration
Credit/debit card payments must be processed in an efficient, consistent, secure, and controlled manner in compliance with the Payment Card Industry Data Security Standard.
University at Buffalo (UB, university) departments may accept credit/debit cards as an appropriate form of payment for goods, services, and donations. As a credit/debit card merchant, university departments must:
Departments may accept credit/debit card payments in electronic format or via point of sale terminals to be processed by Financial Management. Financial Management will determine the most appropriate method to accept payment based on customer service, convenience, cost (dollars and time), volume of expected activity, and impact on revenue distribution.
Credit/debit card data is classified as regulated private data. Credit/debit card merchants are responsible for safeguarding the confidentiality of regulated private data in accordance with the following university policies:
The safeguarding and storage of cardholder information is subject to:
Departments not complying with approved safeguarding, storage, and processing procedures may lose the privilege to serve as a credit/debit card merchant. Penalties for non-compliance include significant fines and withdrawal of payment card services by the payment card industry.
The university recognizes that accepting credit/debit cards as payment for goods, services, and donations improves customer service, brings efficiency to the cash collection process, and is essential when business is conducted electronically.
The Payment Card Industry (including American Express, Discover, Master Card, VISA, and other major card issuers) has established important and stringent security requirements to protect credit/debit card data. These requirements are called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a single approach to safeguarding credit/debit card data for all card brands and details the security requirements for transmitting, storing, accessing, and processing cardholder data. Compliance is the responsibility of the entire institution with duties and accountability assigned at every level of the payment process.
This policy applies to any official or administrator with responsibilities for managing university credit/debit card transactions and those employees entrusted with handling credit/debit cards and credit/debit card information.
Any personally identifiable data associated with a cardholder including but not limited to account number, expiration date, name, address, social security number, and card validation code (three or four-digit value printed on the front or back of a credit/debit card).
Credit/Debit Card Merchant
A unit that accepts credit/debit card payments.
Payment Card Industry Data Security Standard (PCI DSS)
A set of comprehensive requirements for enhancing payment account data security. The PCI DSS was developed by the founding payment brands of the PCI Security Standards Council including American Express, Discover Financial Services, MasterCard Worldwide, and VISA International to facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data and offers a single approach to safeguarding sensitive data for all card brands.
Regulated Private Data
Includes bank credit/debit card numbers with or without PINs, social security numbers, state-issued driver license numbers, state-issued non-driver identification numbers, protected health information, passwords, and computer access protection information.
Process used to prioritize the allocation of revenue to departments based on the type of fee collected through the student account billing system.
|August 2017||Updated the policy to: |
• Discontinue the acceptance of credit/debit card payments through the mail
• Identify Financial Management as the only business office to process credit/debit card payments; UBF and CDS no longer process credit/debit card payments
|May 2015||Updated terminology to change "swipe card machine" to "point of sale terminal."|
|July 2014|| |
Updated Related Information links to include a new Credit Card Merchant Request form.
|May 2011||Updated to include a requirement to provide Financial Management with a PCI Compliance certificate for the vendor.|