PCI DSS: Payment Card Processing Guidelines

The purpose of this document is to describe the responsibilities associated with the collection, processing, storage, or dissemination of payment card data (credit and debit card transactions) at RIT. Adherence to the following is mandatory for all RIT departments and employees involved in processing payment card data. A glossary of common PCI terms is located at https://www.rit.edu/fa/controller/payment-card-compliance-0.

1.    What Is Required for My Department to Accept Payment Cards?
  • All payment card processing is subject to review and approval by the Payment Card Steering Committee (PCSC). This includes payments received via University e-commerce sites; in person at point-of-sale (POS) systems across the campus (primarily Dining locations); Telefund activities; and off-site events.
    • Note: it typically takes one or two weeks to establish a new merchant account, subsequent to approval by the PCSC.
  • Departments wishing to accept payment by credit or debit card for the sale of merchandise or services should contact Cash Management who will help determine what form of card processing best suits the department’s needs and provide the forms required to establish a new bank merchant account.
  • Upon approval, Cash Management will provide the bank merchant ID to the department and coordinate delivery of the equipment from the University's payment card processing vendor. Student Financial Services (SFS) staff will train your employees on how to process transactions using the equipment.
 
2.    How Can My Department Accept Payments Via Payment Card?
  • Online – payments can be accepted via an authorized University web site. University web sites can redirect to a payment page hosted by a third party, Nelnet, to accept credit and debit payments online. RIT staff are prohibited from entering payment card numbers using a computer keyboard or mobile device on behalf of a customer; only the customer should use the Nelnet payment webpage. To connect your website to RIT's Nelnet payment page, submit the RIT eCommerce Payment Application to SFS.
  • Analog Point-of-Sale – payments can be accepted using chip reader/card swipe devices that are connected to an analog phone line.
  • Point-to-Point Encrypted – payments can be accepted using network-connected chip reader/card swipe devices approved by the PCI SSC for use with a point-to-point encryption (P2PE) solution, e.g. Bluefin, FreedomPay, Vantiv.

3.    Who in My Department Can Accept Payments Via Payment Card?
 
4.    What Are the Responsibilities of Department Personnel Who Process Payment Card Transactions?
  • Cardholder information may not be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). This includes reports downloaded from hosted credit card processing vendors.
  • Cardholder information must not be accepted through e-mail. The receiver of an e-mail containing credit card information should reply to the sender with instructions on the proper procedure for submitting the information, but must not include the cardholder information in the reply. Contact the Information Technology Services (ITS) Help Desk for assistance in deleting the original e-mail.
  • Never store the PIN or the CVV2/card verification code (printed on the back of the card).
  • Never share cardholder data electronically, and never email or scan copies of payment slips. Hand deliver manual credit card payment slips that include credit card processing data to the SFS Office on a daily basis using a secure envelope.
  • Treat any media, including paper copies that contain cardholder information, as confidential.
  • Secure paper copies of cardholder information in a locked location when not in use.
  • Do not publicly display cardholder information, leave it unattended or disclose cardholder information to others.
  • Shred paper copies of cardholder information when no longer needed. 

5.    How Do I Keep Current with PCI DSS Rules?
  • Visit the Controller's Office online for the most up-to-date PCI DSS information.
  • All employees involved in payment card processing are required to complete Payment Card Security Training annually. Department supervisors are responsible for ensuring employees have completed the training and for providing certifications to the Controller's Organization.
  • Employees and students handling cardholder information must acknowledge their understanding of these RIT Payment Card Processing Guidelines by completing the PCI Training.

6.    How Do I Ensure My Department is PCI Compliant?
  • Departments accepting payment cards will be reviewed annually by the PCI Application Administrator prior to RIT submitting the annual PCI compliance questionnaires to M&T Bank.
  • Ensure your staff are trained at the time of hire and annually thereafter, and keep printed copies of the signed training quiz for up to one year (or maintain a training log if using the online training within Dining Services). See PCI Training.
  • Departments using point-to-point encrypted systems (e.g. Bluefin, FreedomPay, Vantiv) are required to conduct quarterly inspections of their payment devices and to log those inspections in the RIT Payment Device and Inspection Log template.
  • Departments using analog POS chip reader/swipe devices are required to inspect the device before each use for signs of tampering (see Skimming Prevention). Analog devices will be inspected annually by the PCI Application Administrator.
  • Report suspected breaches or anything unusual to ITS or SAS Tech immediately.
  • Follow these guidelines and use only RIT-approved methods to accept payment cards.
Contact Mary Beth Nally, Executive Director of Student Financial Services (585-475-5305), Ken Buckley, Director Endowment Accounting & Cash Management (585-475-2374), or Terence Costello, Sr. PCI Application Administrator, if you have questions about this information.