Credit Card Handling and Acceptance Policy: CI.28.2
The purpose of the Credit Card Handling and Acceptance Policy is to clearly communicate the rules for appropriate handling of credit and debit card transactions and personally identifiable information associated with credit card transactions, including the responsibilities of SPC employees that process credit card transactions or maintain cardholder information.
It will define standards for managing and enforcing security on any information stored or passed through SPC information technology resources or any personally owned or third-party device that may be connected to a state-owned resource. Information technology resources provided by SPC are owned by SPC and subject to state and SPC oversight. The use of SPC information technology resources may be monitored to manage performance, perform routine maintenance and operations, protect the integrity of SPC information technology resources, perform security reviews, and fulfill complaint or investigation requirements.
The Credit Card Handling Statements apply equally to all individuals who use SPC information technology resources to process credit card transactions.
SPC may collect personally identifiable information when a customer visits our card processing site. SPC will also automatically receive and record information on our server logs from your browser including your IP address, cookie information and the page(s) you visited. SPC will not sell your personally identifiable information to anyone.
Credit card companies are requiring merchants who accept credit/debit cards as a means of payment to reduce the risks of exposure to credit card fraud by adhering to specific security requirements, called the PCI Data Security Standards.
- SPC personnel who receive/process credit card information must properly safeguard the credit card information. This policy applies to all SPC personnel who receive Personal Identifiable Information (PII) while processing, retaining/storing and disposing credit card data. Only SPC personnel are permitted to handle PII data. Student workers are permitted to handle PII, at the discretion of the department and with additional training and certification of knowledge of the policy. Student workers should not be given access to PII data that is stored.
- SPC uses only third party vendors to process credit/debit card transactions. Any third party vendor software/systems used to process credit/debit card transactions must be compliant with the Payment Card Industry (PCI) Data Security Standards.
- Departments on campus wanting to accept credit card payments must contact Financial Services to determine the best way to allow for their acceptance.
- Credit/Debit Card and/or PII information obtained to facilitate processing transactions must be destroyed immediately after the transaction is processed. Credit Card information must not be retained after the transaction is processed.
- Any suspected loss or theft of materials containing PII data must be reported. Employees may notify their immediate supervisor if they suspect a violation, or a violation can be reported anonymously by calling Financial Services.
- As required by PCI, Credit Card Processing terminals are installed on an isolated VLAN that protects information sent on the SPC local area network.
- Data transmitted over the internet to and from the Credit Card Processing terminals is encrypted.
Approved by: Executive Council
Approval Date: February 12, 2018