PCI DSS: Payment Card Processing Guidelines

The purpose of this document is to describe the responsibilities associated with the collection, processing, storage, or dissemination of payment card data (credit and debit card transactions) at RIT. Adherence to the following is mandatory for all RIT departments and employees involved in processing payment card data. A glossary of common PCI terms is located here https://www.rit.edu/fa/controller/payment-card-compliance-0.

1. What Is Required for My Department to Accept Payment Cards?
  • All payment card processing is subject to review and approval by the Payment Card Steering Committee (PCSC). This includes payments received via University e-commerce sites; in person at point-of-sale (POS) systems across the campus (primarily Dining locations); Telefund activities; and off-site events.
  • Departments wishing to accept payment by credit or debit card for the sale of merchandise or services should contact Cash Management who will help determine what form of card processing best suits the department’s needs and provide the forms required to establish a new bank merchant account.
  • All requests for new POS or card swipe terminals must be approved in advance by the PCSC. The application is located here: [Insert Link]
    • Note: it typically takes one or two weeks to establish a new merchant account, subsequent to approval by the PCSC. 
  • Upon approval, Cash Management will provide the bank merchant ID to the department and coordinate delivery of the equipment from the University’s payment card processing merchant. Student Financial Services (SFS) staff will provide training to your employees on how to process transactions using the equipment. 

2. What Equipment Can I Use to Accept Payments Via Payment Card?
  • If your department is selling products and/or accepting payments via an authorized University web site, credit and debit card transactions will be processed via the University’s third party service provider. Contact SFS for more information. 
  • POS and card swipe terminals must be used only with dial-out connections or locked-down internet terminals. 
  • All workstations used for entering cardholder information into online web forms must be locked-down according to University policy.

3. Who in My Department Can Accept Payments Via Payment Card?
  • Access to cardholder information must be limited to those individuals whose specific job responsibilities require access and who have completed the required training and certification (see section 4 below).

4. What Are the Responsibilities of Department Personnel Who Process Payment Card Transactions?
  • Cardholder information may not be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). This includes reports from hosted credit card processing vendors. 
  • Cardholder information must not be accepted through e-mail. The receiver of an e-mail containing credit card information should reply to the sender with instructions on the proper procedures for submitting the information; however, do not include the cardholder information in the reply. Contact the Information Technology Services (ITS) Help Desk for assistance in deleting the original e-mail.
  • Never store the PIN or the CVV2 (card verification code, found on the back of the card).
  • Hand deliver manual credit card payment slips that include credit card processing data to the SFS Office on a daily basis using a secure envelope.
  • Treat any media, including paper copies that contain cardholder information, as confidential.
  • Secure paper copies of cardholder information in a locked location when not in use.
  • Do not publicly display cardholder information, leave it unattended or disclose cardholder information to others.
  • Shred paper copies of cardholder information when no longer needed. 
  • Delete all pre-existing cardholder information from electronic databases, including computer hard drives, CDs, disks, and other external storage media. 

5. How Do I Keep Current with PCI DSS Rules?
  • Visit the Controller’s Office online for the most up-to-date PCI DSS information.
  • Employees and students handling cardholder information must acknowledge understanding of these RIT Payment Card Processing Guidelines. 
  • All employees involved in payment card processing are required to complete Payment Card Security Training annually. Department supervisors are responsible for ensuring employees have completed the training and for providing certifications to the Controller’s Organization.

Contact Mary Beth Nally, Executive Director of Student Financial Services (585-475-5305) or Ken Buckley, Director Endowment Accounting & Cash Management (585-475-2374), if you have questions about this information.