Policy 5:20 - Credit Card Payments


Policy Contact: Division of Budget and Finance


  1. Purpose

    This policy outlines the University guidelines on the acceptance of electronic payments, specifically credit cards, as a form of payment by University areas or departments.

  2. Definitions
     
    1. Attestation of Compliance ("AOC"): a formal declaration provided by an organization to affirm its compliance with the Payment Card Industry Data Security Standard (PCI DSS). This document serves as evidence that the organization's security practices effectively protect cardholder data against threats.
    2. Card Holder Data (“CHD”): refers to a cardholder’s card number, expiration date, PIN, and the 3 or 4 digit CAV2/CVC2/CVV2/CID number on the back of the credit card.
    3. Merchant: a department, business area, or other University organization that collects revenue.
    4. Merchant ID ("MID"): a merchant identification code assigned by the credit card processor that is used to identify the owner of merchant card transactions.
    5. Payment Card Industry Data Security Standard ("PCI DSS"): a globally recognized standard which contains a set of security requirements for organizations that store, process, or transmit cardholder data (credit and debit card information) with the purpose of protecting sensitive financial data and reducing fraud.
    6. Qualified Security Assessor ("QSA"): an organization that has been qualified by the PCI Security Standards Council to validate an entity's adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements.
    7. Service Provider: a business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data. Examples include service providers that provide managed firewalls, intrusion detection systems, and other services.
       
  3. Policy
     
    1. University employees are required to comply with all applicable laws, rules, regulations and policies pertaining to the acceptance of credit card payments for goods or services at the University, including those standards set by the Payment Card Industry Data Security Standard (“PCI DSS”).
       
    2. All University employees involved in the collection, processing, storage, or transmission of CHD are required to participate annually in PCI Awareness Training as provided by the University prior to their handling of CHD.
       
    3. Only University departments that have established Merchant accounts, approved through the Office of Finance and Budget, are permitted to accept credit cards as payment. Additionally, payment processing must be managed through the State of South Dakota's eCommerce solutions.
       
    4. In no case may credit card payments, even through third party vendors, be accepted for any commercial enterprise that results in personal gain to the individual involved.
       
    5. Special charges or discounts resulting in a price differential between a credit card transaction and a transaction paid by cash or check are not permitted. Merchants must incorporate all costs related to credit card processing into fees charged for goods and services. The only exceptions are for a convenience fee for student account payments through the SDBOR SDePay payment portal.
       
    6. All University departments that process CHD must comply with the University's Departmental Inter-Office Credit Card Procedures and must document specific departmental procedures for the collection and processing of CHD. These procedures must include, but are not limited to, the following:
      1. Steps to process CHD received in person, or by mail in adherence with this policy;
      2. A 'start of day' process including instructions that all credit card terminals should be checked to ensure the tamper resistant seal on the bottom of the terminal is intact, and that this check is documented;
      3. An 'end of day' process including an instruction that credit card terminals shall be batched out each day;
      4. A process to notify the Division of Technology and Security of any suspected breaches.
         
    7. Service providers and other entities that have access to CHD through relationships with the University are responsible for adhering to PCI standards to ensure the protection of CHD. All University departments shall verify the compliance of those entities with the current PCI standards continuously by reviewing and obtaining relevant compliance documentation (Attestations of Compliance) from Service Providers or third-party entities. The Attestation of Compliance (AOC) must be completed by a Qualified Security Assessor (QSA) or the Merchant if the Merchant’s internal audit performs validation.
       
    8. The physical location of all credit card terminals at the University must be approved by the University's PCI Compliance Officer, successor, or designee.
       
    9. No agreement or contract associated with the collection, storage, processing, or transmission of CHD shall be entered into without the review and approval of the University's PCI Compliance Officer, successor, or designee. This includes the handling of credit card processing through third parties. An AOC signed by a QSA shall be obtained from any Service Provider or third party vendor prior to any business agreement.
       
    10. Access to credit card information at the University shall be limited to departmental employees on a "need-to-know" basis. Unauthorized personnel shall not be permitted access to CHD.
       
    11. The University has a responsibility to its customers to protect CHD and the storage of CHD, as well as to comply with the PCI DSS.
      1. The only CHD that may be retained, on paper or electronically, is the last 4 digits of the card number, the expiration date, and the card type. Other data may not be stored post authorization.
      2. Temporary physical storage of CHD is permitted at the University, provided that any document containing CHD is stored in a locked cabinet/file for a maximum of two (2) business days. If it is necessary to store documents with CHD for more than two (2) business days, individuals must receive approval from the University’s PCI Compliance Officer, successor, or designee.
      3. Permanent physical storage of CHD is not permitted. CHD on documents or forms must be destroyed using a cross-cut or micro shredder. Destroying the information with a strip shredder is not sufficient.
      4. This applies to all University systems, any University servers used or hosted by a third party, as well as locally maintained systems, including databases, spreadsheets, email, imaging systems, and paper files.
         
    12. Collection of CHD
      1. Collection of CHD using an electronic fax machine is not permitted.
      2. Collection of CHD over the telephone is not permitted. If an individual wishes to pay over the telephone, please direct them to an online payment form when applicable. If an online payment form is not available, please contact the University's PCI Compliance Officer, successor, or designee.
      3. Collection of CHD through electronic mail (e-mail) is not permitted at the University.
        1. In the event that CHD is delivered via e-mail, individuals must immediately notify the University’s PCI Compliance Officer, successor, or designee, with the circumstances of the email: date, time, from address, to address, and subject line. In the body, include only the last 4 digits of the credit card number involved (e.g., XXXXXXXXXXXX1234). The email containing the CHD must not be forwarded during this notification process. Following notification, delete the email and empty your deleted items folder. Never process a payment from an email. Contact the donor/customer via telephone and indicate that the University cannot accept CHD via e-mail.
           
    13. The transportation of CHD from one place to another for any reason shall be limited to employees who have regular access to the CHD. The transportation must occur in a secure, locked device.
       
    14. All in-person and mail credit card payments at the University shall use the approved Merchant devices on file with the University’s PCI Compliance Officer, successor, or designee.
       
    15. All online/e-commerce credit card payments at the University shall be processed using the approved Merchant applications. A list of approved providers is available from the University's PCI Compliance Officer, successor, or designee.

  4. Responsible Administrator

    The Vice President for Finance and Budget, or designee, is responsible for the annual and ad hoc review of this policy and its procedures. The University President is responsible for approval of this policy.


Approved by President on 09/29/2015. Revised; Approved by President on 05/05/2025.