Boise State University BSU Policy #6120
Effective Date: June 2015
To create a consistent, cost-effective and secure environment for the University to accept revenue via Payment Cards that provides compliance with University policies, state and federal laws, and Payment Card Industry Data Security Standards (PCI DSS).
This policy applies to all Boise State University faculty, staff, students, organizations, and individuals.
Vice President for Finance and Administration, 426-1200
Treasury and Real Estate Services, 426-2079
Bank: An institution that provides Merchant accounts to enable a Unit to accept credit/debit or cash card payments. Funds are deposited into an account established at this institution.
Cards Accepted: Visa, MasterCard and Discover. American Express by approval only.
Card Verification Code or Value (CVV): A data element on a card’s Magnetic Stripe that uses a secure cryptographic process to protect data integrity on the stripe and reveals any alteration or counterfeiting.
Chargeback: The deduction of a disputed sale previously credited to a Unit’s account when the unit fails to prove that the Customer authorized the credit card transaction or when the Merchant services company renders such a decision against the institution.
E-Commerce: The process of conducting transactions, including payments, over a computer network, usually the Internet.
Customer: An individual or other entity that makes a payment to the University for goods or services.
Magnetic Stripe (also known as full track, track 1, or track 2): The information contained in a credit card’s Magnetic Stripe, including the PAN, expiration date, Customer’s name, service code, and other discretionary data, such as a PIN, CVV, etc.
Merchant: A Unit that accepts credit cards as a method of payment.
Merchant Discount: A percent or per-transaction fee that is deducted from the unit’s gross credit card receipts and paid to the Bank.
MID or Merchant ID: An account established for a Unit by a Bank to credit sale amounts and debit processing fees.
Payment Card: A cash, debit or credit card used by a Customer as a payment method.
PAN or Primary account number: The 16-digit account number on the front of a credit, debit or cash card.
Payment Card Acceptance Information and Procedure Guide: A guide produced by the University’s Treasury Services Department that provides details and guidance on how to stay in compliance with this policy.
PCI DSS: Payment Card Industry Data Security Standard — A set of comprehensive requirements for enhancing payment account data security, developed by the PCI Security Standards Council to help facilitate the broad adoption of consistent data security measures on a global basis.
PCI Security Standards Council: An organization for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection in the Payment Card industry, through education and awareness. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
PIN or Personal identification number: A numeric password known only to the user and a method by which the user is authenticated to the system.
ROC or Report on Compliance: An annual certification report issued by the PCI Security Standards Council to a third-party provider that has been validated as PCI-compliant.
Self-Assessment Questionnaire: One of several forms used as self-validation tools to assist Merchants and service providers in evaluating their compliance with PCI DSS. For more information, contact Cash Management.
Terminal and Printer Processing: A method of processing credit cards at the University.
Unit: A college, department, program, center, club, business service center, office or any other operating unit which is governed by the policies of the University.
- I. Policy Statement
- Boise State University requires all Units that accept Payment Cards to do so only in compliance with credit card industry standards and in accordance with the procedures outlined in this document and the Information and Procedure Guide. The University is committed to the protection of its Customers’ private data and must support Unit compliance with industry standards governing Payment Card transaction processing, specifically Payment Card Industry Data Security Standards (PCI DSS).
- II. Standards for Business Processes, Paper and Electronic Processing
- All Units must comply with the PCI DSS regardless of what method is used for processing credit cards. Read the details in the Treasury Department’s Payment Card Acceptance Information and Procedure Guide.
- III. Campus Units are responsible to:
- A. Obtain written approval from Treasury before entering any contract or purchase of software and/or equipment for processing of Payment Card transactions regardless of the transaction technology used (e.g. E-Commerce, third party vendor, or payment terminals).
- B. Allow only Treasury to negotiate contracts with credit card companies including on-line payment processors such as PayPal.
- C. Deposit all Payment Card revenue into designated University Bank accounts.
- IV. Prohibited Credit Card Activities
- Certain credit card activities are prohibited by credit card companies or University policy. Prohibited activities include, but are not limited to, the following:
- A. The disbursement of cash from the University, including cash advances and amounts over a sale amount.
- B. Adjustment of the price of goods or services based upon the method of payment (e.g., giving a discount to a Customer for paying with cash).
- C. Credit cards must not be charged until the good or service is delivered, with the exception of student accounts, which must be paid in full prior to course completion whether or not the student completes the course.
- V. Establishing a Merchant Account
- To establish a Merchant account, complete the “Application for Credit Card Merchant Accounts.” See Treasury Service’s Payment Card Acceptance Information and Procedure Guide for details.
- VI. Methods of Processing Transactions
- There are four accepted methods for processing transactions: Personal Computer (PC) processing, Terminal and Printer Processing, secure Web site (E-Commerce), and cellular/wireless card readers. For details on each of the methods, see “Table 1, Methods of Processing Transactions,” in the Payment Card Acceptance Information and Procedure Guide.
- VII. Decommissioning of Computer Systems and Electronic Media Devices
- When a computer system or media device that was used for credit card processing is taken out of production, it must be sanitized of all sensitive data. Contact the Office of Information Technology (OIT) for details.
- VIII. Protecting Sensitive Information
- Any individual who regularly handles credit card information must protect that information in compliance with University policy.
- IX. Training and Certification
- Employees who are given access to cardholder data shall be required to complete upon hire, and at least annually thereafter, security awareness training focused on cardholder data security. Supervisors must ensure their employees sign the Payment Card Security and Ethics Certification Form annually (link to form in final policy, but for the purposes of the policy revision process see page 10 on this document).
- X. Activities required to stay in compliance with this policy can be found in the Information and Procedure Guide.
- XI. Related Links
- A. Payment Card Industry Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/