Tufts University Policy for Accepting Credit Card and eCommerce Payments
Effective Date: January 1, 2007
Last Revision: July 1, 2020
Introduction
Definitions
Authorized Vendor: a PCIDSS-compliant vendor designated by Treasury Operations.
Cardholder Data: payment card components that are required to be protected, including primary account number, cardholder name, expiration date, service code, card verification code, full magnetic stripe data and PIN. (PCIDSS classifies full track data, card verification codes and PINs as sensitive authentication data, which may never be stored after authorization even in encrypted form.)
E-commerce: buying and selling of products or services over the Internet.
Merchant: an entity that accepts payment cards for goods and services.
Merchant ID: a unique number that identifies the merchant for processing and tracking card transactions.
Payment Card: includes both credit cards and debit cards.
PCIDSS: The Payment Card Industry Data Security Standards are policies and procedures mandated by the major card companies (MasterCard, Visa, American Express, Discover and JCB) and intended to optimize the security of card transactions and protect cardholders against misuse of their personal information.
Self-Assessment Questionnaire (SAQ): A questionnaire merchants are required by PCIDSS to complete annually to validate their compliance with PCIDSS.
Third Party Processor: an entity to which credit card transactions are outsourced by the University for processing. Third parties are contractually required to adhere to PCIDSS requirements and to acknowledge that they are responsible for the security of cardholder data in their possession.
Background and Purpose
Cardholder data is high-risk confidential information that is protected by state and federal law and the University has a legal obligation to protect it. The major payment card companies (MasterCard, Visa, Discover, American Express and JCB) require all merchants to follow Payment Card Industry Data Security Standards (“PCIDSS”) designed to prevent cardholder fraud and identity theft. The risks of non-compliance by the University include substantial fines and penalties imposed by the card associations, liability for financial losses incurred as a result of a security failure, and damage to the University’s reputation.
Applicability
This policy applies to any Tufts University school, department, organization, employee, contractor or agent who, in the course of doing business on behalf of the University, is involved in the acceptance of payment card and ecommerce payments. Contracts with third parties that accept payment cards on behalf of the University must contain terms consistent with this policy and must be approved in advance by Purchasing and Treasury Operations.
Policy & Processes
Policy Statement
All acceptance of payments via payment cards, including ecommerce, on behalf of the University requires the prior approval of Treasury Operations and must comply with current PCIDSS, as well as with all applicable legal, regulatory and University policy requirements, in order to protect cardholder data and to protect the University from risk. No school, department, organization, employee, contractor or agent is authorized to process Internet-based payment transactions, credit or debit card payments or electronic funds transfers without prior approval from Treasury Operations.
The University’s policy is to outsource all processing of payment card transactions to a University-approved PCI-compliant Third Party Processor. The University does not capture, store or transmit cardholder data electronically on any network-connected computer or device. Departments may store only the last 4 digits of a card number.
Any department accepting payment card, electronic or ecommerce payments on behalf of Tufts University (“Merchant Department”) must designate a Merchant Department Responsible Person or “MDRP” who will have primary authority and responsibility for ecommerce and payment card transaction processing within that department.
All MDRPs must:
- Complete on behalf of the relevant Merchant Department the Process to Implement Acceptance of Payment Cards for Payment detailed below.
- Ensure that all employees (including the MDRP), contractors and agents with access to payment card data within the relevant Merchant Department acknowledge on an annual basis and in writing that they have read and understood this Policy for Accepting Payment Card and Ecommerce Payments and submit these acknowledgments to the Associate Director, Treasury Services in Treasury Operations on an annual basis.
- Ensure that all cardholder data collected by the relevant Merchant Department in the course of performing Tufts University business are secured. Data is considered to be secured only if the following criteria are met:
- The processing, storage or transmission of cardholder data on network-connected University computers and servers is strictly prohibited. Exceptions can only be made if the processing and storage methods are compliant with this policy, Tufts Technology Services security policy and PCI Data Security Standards. These standards detail strict encryption protocols. Links to these policies and standards are provided at the end of this document.
- Only those with a need-to-know are granted access to cardholder data and electronic payment data.
- Email must not be used to transmit cardholder data. If it should be necessary to email card information, only the last four digits of the payment card number can be displayed. If an email containing cardholder data is received, the MDRP must ensure that it is securely deleted, including deleting it from the deleted files folder and from the backup recovery folder. The MDRP must also instruct the sender of the email as to the proper method for securely providing cardholder data.
- If using the Tufts approved efax solution, ensure it is set to email notification with the date, time, and sender's fax number, but no attached PDF. Accessing the PDF must be done on a Tufts owned and TTS managed device (identified by a blue Tufts asset tag; further questions can be directed to the TTS Help Desk). Storing or saving a PDF containing cardholder data is strictly prohibited. If the PDF containing cardholder data is printed in order for payment to be processed, it must be cross-cut shredded immediately after the payment is authorized in the point of sale device.
- Fax transmissions (both sending and receiving) of payment card and electronic payment information occur only on those fax machines whose access is restricted to just those individuals who must have contact with cardholder data in order to do their jobs.
- Only secure communication protocols and/or encrypted connections to the Authorized Vendor are used during the processing of ecommerce transactions. (NOTE: TTS maintains a staff of security professionals who are available, as required, to provide consultative services on appropriate security practices. The TTS Security Group can be contacted to request these services at Information_security@tufts.edu).
- The card validation code (the three digits printed on the signature panel of most cards, or the four digits printed on the front of American Express cards) is never stored in any form, not even encrypted.
- The full contents of any track from the magnetic stripe on the back of a credit card, or the equivalent data read from a chip, are never stored in any form.
- All but the last four digits of any credit card account number are always masked, should it be necessary to display credit card data.
- All media containing credit card and cardholder data that are no longer deemed necessary or appropriate to store are destroyed or rendered unrecoverable.
- Maintain any equipment or device used for cardholder data or ecommerce in a secure location, limit access only to those whose access is authorized and required, and inspect equipment regularly to detect tampering.
- Complete Treasury Operations’ annual survey and assist Treasury Operations in preparing the annual Self-Assessment Questionnaire.
In addition to PCIDSS, credit and debit card account numbers are subject to regulation under M.G.L. c. 93H, c. 93I and 201 CMR 17.00 (the "Massachusetts Data Privacy Laws and Regulations") and are considered Sensitive Personal Information (SPI). All Tufts University employees and agents who obtain access to a credit or debit card number must comply with the University's Security and Privacy Program, Information Stewardship Policy, and guidelines and tips for working with sensitive information. MDRPs should also consult with their Information Steward about their handling of and access to SPI.
No Tufts University employee, contractor or agent who obtains access to cardholder data in the course of conducting business on behalf of Tufts University may assign, sell, purchase, provide, or exchange said information in any form to any third party other than to Tufts University’s acquiring bank, depository bank, Visa, MasterCard or other credit card company, or pursuant to a government request. All requests to provide information to any party outside of your department must be coordinated with the Associate Director, Treasury Services in Treasury Operations. All requests to provide information to a government agency must also be coordinated with the Office of General Counsel.
Merchant Departments must use the services of the Authorized Vendor to process all ecommerce transactions. If a department believes that it has a significant business case or processing requirement that cannot be achieved using the services of the Authorized Vendor and wishes to utilize an alternative, it must make its request to the Associate Director, Treasury Services (treasury@elist.tufts.edu). Only the Associate Treasurer, in consultation with Purchasing and TTS, may authorize the adoption of alternative ecommerce vendors and products.
In the event that the Associate Treasurer authorizes the use of an alternative ecommerce vendor, the following must occur:
- The alternative ecommerce vendor must execute the Tufts University PCI Amendment or an equivalent agreement before any ecommerce activities may commence.
- The MDRP must provide proof that the alternative ecommerce vendor is certified PCI compliant and ensure that the department and its vendor comply with all relevant provisions of the Tufts University Policy for Accepting Payment Card and Ecommerce Payments, the Information Security Program, and the Massachusetts Data Privacy Laws and Regulations.
Process to Implement Acceptance of Payment Card and Ecommerce Payments
The MDRP or his/her designee must follow the steps below in order to implement payment card processing and ecommerce at Tufts.
- Notify the Associate Director, Treasury Services in Treasury Operations of a need to accept credit card payments and/or conduct ecommerce. Notification should be sent to treasury@elist.tufts.edu.
- Complete the appropriate Application to Become a Merchant Department (there is a separate application for departments that wish to conduct ecommerce). Applications must be signed by the MDRP as well as by a school/division EAD (or designee), or, for an administrative office, a Vice President (or designee). It is the responsibility of the EAD to approve:
- the designated Merchant Department Responsible Person
- the PeopleSoft information provided
- the business case for the department to become a merchant department
- Submit the application for review and approval to the Associate Director, Treasury Services at treasury@elist.tufts.edu. Allow 2-4 weeks for processing of the request.
If the application is approved, the Associate Director, Treasury Services, will provide the requesting department with any necessary equipment and training, including determining any sales tax or unrelated business income reporting requirements. All equipment used must be purchased through Treasury Operations. Allow between 2-4 weeks to complete this part of the process.
Process for Responding to a Security Breach
In the event of a breach or suspected breach of security, the individual who becomes aware of the breach or suspected breach must immediately follow the procedures listed at Reporting Information Security Incidents.
The Information Security team will make appropriate internal notifications including to the Treasury Operations Office, as necessary. The Office of University Counsel will coordinate any notification plan and required reporting of an incident to federal, state and local officials, including police reports.
Enforcement
Non-compliance with this policy may result in a revocation of a Merchant ID. Charges, costs and penalties assessed to the University as a result of non-compliance may be assigned to the school, department or organization responsible for the non-compliance. The University routinely monitors network activity to ensure the integrity and security of University resources in accordance with applicable policies and laws and may refer suspected violations of law to law enforcement agencies. Individuals found to have violated this policy may be subject to disciplinary action, including possible termination of employment.
Ongoing Policy Management
Tufts University may modify this policy from time to time as required, provided that all modifications are consistent with Payment Card Industry Data Security Standards or any other successor industry standard then in effect. This policy is intended to be consistent with and in addition to other University policies, including the University Information Security Program (see link below).
Approval Entities:
Treasury Operations
Tufts Technology Services
Office of University Counsel
Approval Date: July 1, 2020
Effective Date: July 1, 2020
Executive Sponsor(s): James Hurley, Vice President for Finance and Treasurer
Responsible Officer(s): Beth McClain, Associate Treasurer, Joel Santos, Manager of Treasury Services, Allison Zwaschka, Merchant Services Administrator
PCIDSS Compliance Working Group
Review Cycle: Annual
The PCIDSS Compliance Working Group is responsible for conducting an annual review of this Policy, making appropriate revisions and updates and issuing the revised policy to appropriate Merchant Departments.
Related Documents & Policies
For an application to Become a Merchant Accepting Payment Card and/or Online Payments please contact Allison Zwaschka.