Close menu Resources for... William & Mary
W&M menu close William & Mary

Departmental Payment Card Handling Guidelines

Purpose 

Collection and processing of card payments must be conducted in compliance with standards established by the Payment Card Industry Security Standards Council (PCI SSC), W&M Payment Card Policy & Procedures, and the guidelines outlined in this document.  Departments are responsible for ensuring all processes, procedures, and technologies follow the security standards dictated by the PCI DSS and as approved by Financial Operations, Information Technology, and the PCI Committee.  

This document provides the required business guidelines departments must follow.  As such, these guidelines may either be used as a template to create departmental procedures or incorporated into existing procedures.  All departments must have procedures documented and available for staff reference/training.  In addition, the PCI Committee, Internal Audit or external auditors may ask to review these procedures.   Departments are responsible for reviewing their procedures annually and/or updating as requirements change.

The entire document may be downloaded as a Word Doc file here.

For TouchNet only merchants, refer to this Word Doc file here.

Business Process - Accepting and Handling Card Payments
User Access and Physical Security

Access to cardholder data (CHD) and equipment used to collect CHD is limited to only those individuals whose job requires such access.  Access to Point of Sale (POS) systems and any associated payment card devices is restricted based on job responsibilities and must be tracked using the PCI DSS Security Awareness Program Roster.  If using an online system, must be able to view list of employees, their access and roles.

Devices that capture payment card data via direct physical interaction with the card should be physically secured and protected from tampering and substitution.  This includes daily inspections of the device surface to detect tampering and training personnel to be aware of suspicious activity.  Departments must keep a log of all equipment inspections by documenting each inspection on the W&M PCI Quality Control Checklist.  User access to sensitive areas that store, process, or transmit cardholder data is restricted based on individual job function.  Devices should be secured at all times whether locked in an office or a drawer when not in use to prevent tampering.

Annual Training

In accordance with PCI DSS Requirement 12.6.1, all users within the department authorized to handle card payments will complete the annual W&M Payment Card Industry DSS training. Employees will access this training through Cornerstone; students and volunteers will access it through Blackboard.  This annual PCI DSS training is intended to promote employee awareness of technical and operational requirements to protect cardholder data.  Upon hire, the department’s business process owner will notify Financial Operations of any new staff required to complete training.  In addition, any new staff member is required to complete W&M Payment Card Security & Confidentiality Agreement, W&M Security Education and Awareness Training and the W&M Payment Card Industry training.  Departments are responsible for tracking the initial completion as well as the annual completion of the agreement and training for each member using the W&M PCI Awareness Roster.

Payment Card Terminals or Other Approved Devices

Purchase or rental of payment card terminals, including mobile applications, must be coordinated through Financial Operations – Cashier’s Office.  The Cashier’s Office will order the payment card terminals, track and distribute to each merchant.  Any other device used to accept payment cards must be approved and configured by Information Technology and the PCI Committee. Only approved and tracked devices and locations may be used in any way associated with payment card processing. All devices must meet PCI DSS standards. 

  • The department is responsible for ensuring that only authorized staff have access to the terminal device and are properly trained.
  • Terminals must be inventoried with Financial Operations – Cashier’s Office and must be maintained in a secure location.
  • Other approved devices must be inventoried by the department and must be maintained in a secure location.
  • Sharing or transfer of wireless terminals between departments is not allowed without proper approval from Financial Operations.
  • Hardwired devices may not be moved and plugged into a different network jack without approval and coordination from IT.
  • It is the department’s responsibility to coordinate efforts with Financial Operations or Information Technology to ensure that terminals/devices are updated with the most recent software version to reduce processing errors, etc.  (For example, all approved single-use ipads must be taken to Information Technology for software updates, yearly.)

Departments may use rented wireless terminals on a temporary basis to accept in-person card payments at specified times as agreed upon on the rental agreement.  All rentals must be coordinated through Financial Operations – Cashier’s Office.  Rented terminals are kept in a secured location/locked when not in use.  Use of rented terminals follows the same processing procedures for in-person payments as outlined within this document.  Rented terminals are checked for tampering and the W&M PCI Quality Control Checklist is completed.

Online Card Services

Usage of online card services must be coordinated through Financial Operations.  Only approved vendors may be used.  All vendors must meet PCI DSS standards.  Each department is responsible for ensuring that only authorized staff have access to the online card service and are properly trained.

  • Merchants using an online card service (TouchNet uStore/uPay, Authorize.net or BlackBaud Merchant Services or other approved vendor) must only handle payment card transactions that have been processed through the vendor. Merchants may not process face-to-face transactions where they enter information into a website for a customer as this is not compliant with PCI DSS and violates W&M compliance.  If exceptions are needed, please contact the PCI Committee for an authorized solution.
  • Do not use group, shared, or generic IDs, passwords, or other authentication methods. Use unique IDs for each user, with unique passwords for each.  The longer the password, the better.  Default or generic IDs on all systems that store, process, or transmit CHD must be removed or disabled.
  • Never direct a payer to a specific computer or offer to enter payment card data into a website on their behalf.  Advise the individual to use “any internet enabled device” to complete the transaction on their own.
Batch Settlement

Payment Card Terminals must be settled no less frequently than daily. It may be prudent, given the level of activity, to settle batches on a more frequent basis.  The department must maintain all signed receipts and card swipe terminal Batch Total Settlement Reports for the designated timeframe as established by the Library of Virginia.  Refer to the W&M Deposit and Cash Receipting Procedures for additional guidance.

Banner Cashiering

Banner cashiering sessions are closed daily, settled and processed each night. At 8:00 AM EST, a batch for each merchant is closed for the previous day’s activity and sent to the credit card processor.  Funds are posted to Banner based on the departments’ merchant account ID and index provided to Financial Operations on the W&M Payment Card Application. Departments will establish and maintain appropriate segregation of duties between card processing, processing of refunds, and the reconciliation of payment card transactions. Each department is responsible to reconcile sales transactions to their general ledger no less than monthly.

Disputes and Chargebacks

Financial Operations – Cashiering will receive and report chargebacks and transaction disputes to the department.  (If departments receive any dispute or chargeback directly please notify the Cashier’s Office immediately upon receipt.) Departments can either accept or reject the chargeback.  If rejected, the department will provide supporting documentation to justify that the transaction is valid.  Failure to respond within the allocated timeframe will result in a loss to the department. Prompt attention to these matters is a priority. It is the department’s responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.

Equipment and Use Overview

An inventory of physical equipment, if applicable, must be kept detailing the following information:

  • Equipment Type
  • Equipment Name
  • Terminal ID
  • Serial Number
  • Location/Physical Security
  • Purpose of Use
Physical Security Procedures
  1. Upon hire, staff are trained to comply with standards established by the PCI DSS, W&M Mary Payment Card Policy, and the operational procedures of the department. In addition, staff are also trained to be aware of methods in which devices can be tampered with or replaced.  Training includes the following:
    • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
    • Be aware of suspicious behavior. For example, attempts by unknown persons to unplug or open devices. 
    • Do not alter or attempt to troubleshoot terminals. Troubleshooting support is provided by Financial Operations/vendor.
  1. At the start of each day (prior to use), the device/terminal surfaces are checked to detect tampering or substitution.   Using the W&M PCI Quality Control Checklist, verify that the device has not been swapped with a fraudulent device by performing the following steps:
    • Compare the serial number and model number listed on the terminal to that included on the physical equipment inventory list.
    • Inspect the terminal and review for foreign objects (i.e. skimmers), unexpected attachments or cables plugged into the device, pry marks, broken or stressed seams.
    • If you notice anything unusual or suspect that the device/terminal has been tampered with or substituted, contact Financial Operations at pci@wm.edu.
    • When mobile device/terminals are changing hands between department users, an additional tamper check must be performed by the responsible party upon return.
Payment Card Processing Procedures

Departments must document how orders/transactions are received.  If a method is not applicable, state that the department does not accept cards in this manner.

  1. IF: Mail Order – The department receives mail orders and credit card information is returned on the form.
    • Process mail orders via swipe terminal/approved devices.
    • Shred mailed in form containing CHD with a cross-cut.
  1. IF: Fax Order – The department receives orders via fax at xxx-xxx-xxxx which is located xxxx. This fax machine is secured (how). NOTE:  Fax machine must be a stand-alone.  It cannot be part of the all-in-one copiers.
    • Process faxed order via swipe terminal/approved devices.
    • Shred faxed order in form containing CHD with cross cut shredder.
  1. IF: Phone Order – The department will accept credit card orders via phone.
    • Credit card information will be taken and entered directly into credit card swipe terminal/approved devices. No numbers or information will be written down. 
    • Confirmation Number will be given to customer once card is accepted.
    • Phone orders MUST NOT be entered into an online form/website. Contact the PCI Committee (pci@wm.edu) for any exceptions.
  1. IF: Email Order - N/A – W&M does not accept credit card numbers sent in via email.
    • The credit card payment will NOT be processed. If numbers are received via email a response will be sent to the customer. 
    • The response will be a separate email – not a response to the original email, indicating the policy and procedure for sending credit card information.
    • The email will be permanently deleted from email inbox and trash.
  1. IF: In Person – The department accepts credit card payment in person.
    • Request card from cardholder for processing. Ensure card is signed, if not, request ID.
    • Process transaction via swipe terminal ONLY. Online forms/website CANNOT be used unless using an approved device.
    • Have customer sign merchant copy/receipt.
    • Verify signature matches back of card. Ask for photo ID from any customer without a signature on back of card.   
    • Give card and receipt to customer.
  1. IF: Online Orders
    • Online orders are received via the approved system (for example, TouchNet).
    • Department individuals CANNOT submit orders on behalf of the customer using an approved device.
    • Department individuals with authorized access to system will fulfill orders on a daily basis.
Refund Procedures

Clear disclosure of return, refund, and cancellation policies can help to prevent potential cardholder disputes/chargebacks.  Visa/MasterCard will support refund policies provided they are clearly disclosed to cardholders.  Departments using an online system must communicate refund/return/cancellation policy either in the sequence of pages before final checkout with a click to accept button or checkbox on the checkout screen / location with electronic signature.

  1. The department’s refund policy is xxxxxx
  2. Procedures to refund a credit card transaction are included in the user manual for the POS devices and SYSTEM.
Incident Response Procedures 

An incident is defined as a suspected or confirmed data compromise in which there is a potential to impact the confidentiality or integrity of payment card data.  A data compromise is any situation where there has been unauthorized access to a system or network where prohibited, confidential or restricted payment card data is collected, processed, stored, or transmitted.  In the event of a suspected or confirmed incident:

  1. Call the Chief Information Security Officer at 221-1822 or email abuse@wm.edu with a description of the incident.
  2. Do NOT turn off the PC.
  3. Disconnect the network cable connecting the PC to the network jack. If the cable is secured and you do not have the key to the network jack, simply cut the network cable.
  4. Document any steps taken until the Response Team has arrived. Include the date, time, person/persons involved and action taken for each step.
  5. Assist the Response Team as they investigate the incident.