Collection and processing of card payments must be conducted in compliance with standards established by the Payment Card Industry Security Standards Council (PCI SSC), W&M Payment Card Policy & Procedures, and the guidelines outlined in this document. Departments are responsible for ensuring all processes, procedures, and technologies follow the security standards dictated by the PCI DSS and as approved by Financial Operations, Information Technology, and the PCI Committee.
This document provides the required business guidelines departments must follow. As such, these guidelines may either be used as a template to create departmental procedures or incorporated into existing procedures. All departments must have procedures documented and available for staff reference/training. In addition, the PCI Committee, Internal Audit or external auditors may ask to review these procedures. Departments are responsible for reviewing their procedures annually and/or updating as requirements change.
The entire document may be downloaded as a Word Doc file here.
For TouchNet only merchants, refer to this Word Doc file here.
Business Process - Accepting and Handling Card Payments
User Access and Physical Security
Access to cardholder data (CHD) and equipment used to collect CHD is limited to only those individuals whose job requires such access. Access to Point of Sale (POS) systems and any associated payment card devices is restricted based on job responsibilities and must be tracked using the PCI DSS Security Awareness Program Roster. If an online system is used, the department must be able to view a list of employees along with their access levels and roles.
Devices that capture payment card data via direct physical interaction with the card should be physically secured and protected from tampering and substitution. This includes daily inspections of the device surface to detect tampering and training personnel to be aware of suspicious activity. Departments must keep a log of all equipment inspections by documenting each inspection on the W&M PCI Quality Control Checklist. User access to sensitive areas that store, process, or transmit cardholder data is restricted based on individual job function. Devices should be secured at all times; when not in use, they should be locked in an office or a drawer to prevent tampering.
In accordance with PCI DSS Requirement 12.6.1, all users within the department authorized to handle card payments will complete the annual W&M Payment Card Industry DSS training. Employees will access this training through Cornerstone; students and volunteers will access it through Blackboard. This annual PCI DSS training is intended to promote employee awareness of the technical and operational requirements for protecting cardholder data. Upon hire, the department’s business process owner will notify Financial Operations of any new staff required to complete training. In addition, any new staff member is required to complete the W&M Payment Card Security & Confidentiality Agreement, W&M Security Education and Awareness Training, and the W&M Payment Card Industry training. Departments are responsible for tracking the initial completion as well as the annual completion of the agreement and training for each member using the W&M PCI Awareness Roster.
Payment Card Terminals or Other Approved Devices
Purchase or rental of payment card terminals, including mobile applications, must be coordinated through Financial Operations – Cashier’s Office. The Cashier’s Office will order the payment card terminals and track and distribute them to each merchant. Any other device used to accept payment cards must be approved and configured by Information Technology and the PCI Committee. Only approved and tracked devices and locations may be used in any way associated with payment card processing. All devices must meet PCI DSS standards.
Departments may use rented wireless terminals on a temporary basis to accept in-person card payments at the times specified in the rental agreement. All rentals must be coordinated through Financial Operations – Cashier’s Office. Rented terminals are kept in a secured location and locked when not in use. Use of rented terminals follows the same processing procedures for in-person payments as outlined within this document. Rented terminals are checked for tampering, and the W&M PCI Quality Control Checklist is completed.
Online Card Services
Usage of online card services must be coordinated through Financial Operations. Only approved vendors may be used. All vendors must meet PCI DSS standards. Each department is responsible for ensuring that only authorized staff have access to the online card service and are properly trained.
Payment card terminals must be settled no less frequently than daily. Given the level of activity, it may be prudent to settle batches more frequently. The department must retain all signed receipts and card swipe terminal Batch Total Settlement Reports for the retention period established by the Library of Virginia. Refer to the W&M Deposit and Cash Receipting Procedures for additional guidance.
Banner cashiering sessions are closed daily and settled and processed each night. At 8:00 AM EST, a batch for each merchant is closed for the previous day’s activity and sent to the credit card processor. Funds are posted to Banner based on the department’s merchant account ID and index provided to Financial Operations on the W&M Payment Card Application. Departments will establish and maintain appropriate segregation of duties between card processing, processing of refunds, and the reconciliation of payment card transactions. Each department is responsible for reconciling sales transactions to its general ledger no less than monthly.
Disputes and Chargebacks
Financial Operations – Cashiering will receive chargebacks and transaction disputes and report them to the department. (If a department receives any dispute or chargeback directly, notify the Cashier’s Office immediately upon receipt.) Departments can either accept or reject the chargeback. If rejected, the department will provide supporting documentation to demonstrate that the transaction is valid. Failure to respond within the allocated timeframe will result in a loss to the department, so prompt attention to these matters is a priority. It is the department’s responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.
Equipment and Use Overview
An inventory of physical equipment, if applicable, must be kept detailing the following information:
Physical Security Procedures
Payment Card Processing Procedures
Departments must document how orders/transactions are received. If a method is not applicable, state that the department does not accept cards in this manner.
Clear disclosure of return, refund, and cancellation policies can help to prevent potential cardholder disputes and chargebacks. Visa/MasterCard will support refund policies provided they are clearly disclosed to cardholders. Departments using an online system must communicate the refund/return/cancellation policy either in the sequence of pages before final checkout with a click-to-accept button, or on the checkout screen with a checkbox or a location for an electronic signature.
Incident Response Procedures
An incident is defined as a suspected or confirmed data compromise in which there is a potential to impact the confidentiality or integrity of payment card data. A data compromise is any situation where there has been unauthorized access to a system or network where prohibited, confidential or restricted payment card data is collected, processed, stored, or transmitted. In the event of a suspected or confirmed incident: