Policy Information
Policy Number: 8.14 | Effective Date: 07/01/2022
Responsible Unit: Financial Services - Treasury Office | Last Revised Date: 07/16/2024
Email: FNSV-Banking-And-Merchant-Services@arizona.edu | Phone: 520-621-7780
Purpose and Summary
This section outlines policies pertaining to the authorization granted to University departments/units, hereon referred to as Merchants, to accept bank/credit cards as a form of payment for services performed or for merchandise sold.
Source
Arizona Board of Regents (ABOR) Policy including but not limited to 3-102
University Information Security Policy
Payment Card Industry Data Security Standards
Arizona Revised Statute (A.R.S.) 18-552 – Notification of Security System Breaches
Scope
This policy applies to all University locations and units, including all University extensions, satellite locations, and off-site campus units, both domestic and international.
All University of Arizona departments who accept bank/credit cards as a form of payment for services performed and/or merchandise sold must comply with this policy.
Definitions
- Acquiring Bank: Merchant bank contracted through Financial Services on behalf of all University departments/units to perform bank card processing services.
- Approved Scanning Vendor (ASV): An organization approved by the Payment Card Industry Council to validate adherence to certain Payment Card Industry Data Security Standards requirements by performing external vulnerability scans of the Internet-facing environments of merchants and service providers.
- Authorization: Process by which a Merchant obtains prior confirmation from the acquiring bank that a specific financial transaction will be processed successfully when settlement is completed.
- Bank/Credit Card: Unexpired credit card affiliated with a credit card company (e.g., Visa U.S.A., MasterCard International) or branded debit card, ATM cards, and any other card or device other than cash or checks affiliated with recognized banking networks for which a Merchant has established card acceptance with the acquiring bank.
- Bank/Credit Card Acceptance Fees/Charges: Costs imposed on Merchants by the acquiring bank in exchange for the privilege of accepting a card. Discount fees consist of three components:
  - Bank Discount Rate Fee: Acquiring bank charge on all bank/credit card transactions for processing card sales and credits.
  - Interchange: Non-negotiable fees established by the credit card associations, which are collected from the Merchant by the acquiring bank and paid by the acquiring bank to the issuing banks.
  - Assessments/Access: Non-negotiable fees established by the credit card associations, which are collected from the Merchant by the acquiring bank and paid by the acquiring bank to the credit card associations.
  - Processor's Fee: Negotiable cost established by contract, which is collected by the acquiring bank on its own behalf. Processor fees are negotiated and contracted through the Request for Proposal (RFP) process and University Financial Services.
- Cardholder Information: Personally identifiable data associated with the cardholder including account number, expiration date, card validation number (e.g., CVV2, CVC2), transaction information or any other information that may be used to personally identify a bank card account or holder.
- Campus Merchant Agreement: An agreement between Treasury Office and the University Merchant unit/department that outlines the responsibilities, rules, regulations and contractual provisions and obligations regarding the handling of bank/credit cards. The agreement must be signed by the head of the unit/department that is providing the option of accepting bank/credit cards to sell goods and services to their customers.
- Centralized Payment Process: Controlled system of Internet sites, software applications, and communication protocols that interact together for the purpose of capturing and transferring cardholder information to the acquiring bank via the Internet and securely storing the information in a single repository, commonly known as a "gateway".
- Chargeback: A reduction of the Merchant's cash receipts initiated by the acquiring bank in response to a transaction that has been rejected by the acquiring bank, issuing bank, or disputed by the cardholder.
- E-Commerce: Website based business transaction utilizing electronic payments such as bank/credit cards.
- Treasury Office Banking & Merchant Services: A team of Treasury Office personnel that provides services, information and merchant account setup, and acts as a liaison between the Acquiring Bank and the Merchant units.
- Issuing Bank: Financial institution that grants credit to a cardholder by issuing a credit card to the cardholder.
- Merchant: A University department/unit that has received the appropriate prior authorization to accept cards as a form of payment for services performed or for merchandise sold by the department. A Merchant is assigned a specific account(s) with the acquiring bank. Merchants fall into one of the following three categories:
  - Retail Merchant – conducts the entire card transaction in a face-to-face environment with the card physically present for the transaction.
  - Phone/Mail Merchant – generates cardholder information forms either through telephone communication with the cardholder, through the mail, or by a standalone facsimile machine not connected to any computer network.
  - Internet Merchant (E-Commerce) – conducts all card transactions through the Internet within the centralized payment process.
- Merchant Account: An account established to accept credit cards with an acquiring bank that is used to track equipment, credit card transactions, fees, compliance activities, and designated points of contact and all related information of the Merchant.
- Merchant Responsible Person (MRP): A designated full-time employee within the Merchant unit who will have primary authority and responsibility for Payment Card Industry Data Security Standards (PCI-DSS) documentation for bank card transaction processing.
- Operating Guidelines: Rules and procedures published by the acquiring bank that specify the operational parameters that each Merchant must adhere to when accepting a card as a form of payment.
- Payment Card Industry Data Security Standards (PCI-DSS): A specific set of technical requirements and business practices published collaboratively by Visa U.S.A. and MasterCard International addressing cardholder information security that each merchant must comply with and demonstrate compliance on a periodic basis. (e.g., Visa U.S.A. Cardholder Information Security Program (CISP), MasterCard International's Site Data Protection Program (SDP), American Express's Data Security Standards (DSS) and Discover's Information Security and Compliance (DISC) Program).
- Qualified Security Assessor (QSA): The Payment Card Industry (PCI) QSA designation is conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements. The primary role of a QSA is to complete PCI compliance assessments, auditing, and consulting for merchants to ensure and validate that the merchant is meeting PCI standards.
- Settlement: Process by which a Merchant presents a single or group of financial transactions to the acquiring bank for the purpose of converting the credit information collected from a cardholder into cash receipts.
Policy
- Arizona Board of Regents (ABOR) Policy 3-102 authorizes the President to designate the responsibility for the collection of monies in connection with University activities to the Vice President for Financial Services, who, in turn, delegates this responsibility to the Financial Services - Treasury Office (Treasury Office).
- Only the Treasury Office has the delegated authority to execute agreements on behalf of the University in connection with banking-type services and to regulate the use of bank/credit card services.
- Services for processing bank/credit cards and any specialized programs or services (e.g. shopping carts, electronic check payment, third party applications) that process directly or have the ability to authorize bank/credit card transactions for payment of University sales and services must have written permission from the Treasury Office. Merchants may use only service providers, approved by Procurement and Contracting Services and the Treasury Office, that meet payment card and acquiring bank certifications, regulations and requirements.
- Merchants must agree to and adhere to all federal and bank/credit card regulations, payment card industry (PCI) data security standards, and University policies and standards, including without limitation the University Information Security Policy and the standards and procedures established under it, in the acceptance, processing and storing of bank/credit card transactions as outlined in the “Merchant Bank/Credit Cards Acceptance Agreement” and the PCI standards located online at https://www.pcisecuritystandards.org/.
- Merchants may not accept bank/credit cards or authorize or complete settlement for transactions of other University department/units without written authorization from the Treasury Office.
- Bank/credit cards may be accepted by a Merchant for University gifts and donations. The Merchant must contact the University of Arizona Foundation for the specific processes to report the donations and/or gifts. Refer to Reporting Gifts in 8.12 Gifts.
- A Merchant that plans to receive revenue from external sales or services and provide taxable goods to customers outside the University should contact their Financial Services fund accountant to discuss sales tax requirements. Merchants should also refer to and be familiar with Financial Services Manual 8.11 Sales Tax.
- Merchants that accept bank/credit cards and/or electronic payments for gifts, goods or services must designate a full time University employee as the Merchant Responsible Person (MRP). All MRPs will be responsible for the Merchant department/unit complying with all security measures established by the payment card industry, the Information Security Office, the “Merchant Bank/Credit Cards Acceptance Agreement” and this policy.
- Merchants must review and sign the “Merchant Bank/Credit Cards Acceptance Agreement” upon their request for Merchant status. With their signatures, the department/unit’s head and Merchant Responsible Person (MRP) acknowledge that they understand and agree with the terms and responsibilities outlined in the agreement. This agreement must be reviewed annually. If the MRP changes, the new MRP must sign the agreement and send an update to the Treasury Office.
- No University employee, Designated Campus Colleague (DCC), contractor, or agent who obtains access to bank/credit card or other personal payment information in the course of conducting University business may sell, purchase, provide, or exchange said information in any form including but not limited to imprinted sales slips, carbon copies of imprinted sales slips, mailing lists, tapes or other media obtained by reason of a card transaction to any third party other than to University’s acquiring bank, depository bank, Visa, MasterCard or other bank/credit card company or pursuant to a government request. All requests to provide information to any party outside of the Merchant must be coordinated with the Treasury Office and the Information Security Office.
- Merchants must use a University-authorized service provider to process all e-commerce transactions or web-based (software-based) transmissions of transactions. If a Merchant department/unit believes that it has a significant business case or processing requirement that cannot be achieved using an authorized service provider and wishes to utilize an alternative, it must initiate a written request to the Treasury Office for approval of use. The Treasury Office will review the request with Procurement and Contracting Services and notify the Merchant department/unit of approval or rejection of the service provider. If approved, the Merchant department/unit and service provider are responsible for meeting all PCI-DSS requirements and documentation.
- If the Merchant chooses not to utilize the provided e-commerce gateway and an alternative e-commerce gateway or software is necessary, the gateway and service provider must provide an SAQ D - Service Provider and an Attestation of Compliance, or appear on the PCI Security Standards Council List of Validated Payment Applications. In addition, the alternative service provider must also be approved by the acquiring bank, the Treasury Office and Procurement and Contracting Services. The third-party service provider must also comply with all University policies.
- All third-party service providers (vendors) that are involved in the acceptance of credit cards, share cardholder data, or could affect the security of cardholder data must sign an agreement that outlines the security responsibilities of the service provider and the University. The service provider must agree to provide information requested by the University or its PCI Qualified Security Assessors (QSA) to verify security due diligence and PCI-DSS compliance. All third-party applications or payment mechanisms that include the acceptance of payments must provide, at the time of the initial campus agreement: a Self-Assessment Questionnaire for Service Providers (SAQ D for Service Providers) or Report on Compliance (ROC); an Acknowledgement of Compliance (AOC) signed by a Qualified Security Assessor; an acknowledgement of the service provider’s responsibility for the security of cardholder data; a PCI-DSS Responsibility Matrix; and, if applicable, a PA-DSS Implementation Guide.
- All new and replacement payment acceptance terminals must use Point-to-Point Encryption (P2PE) solutions validated by the PCI Council. If a terminal is not P2PE, the terminal supplier/vendor must provide a Product White Paper from a Qualified Security Assessor or a NESA report on the application and equipment to document acceptable End-to-End Encryption (E2EE).
- All e-commerce websites that redirect or link to an authorizing gateway must undergo quarterly external vulnerability scans through a PCI Approved Scanning Vendor (ASV) and annual internal scans through University-provided applications. External scans must also be performed after significant network or website changes. All “high” (rating of 4 or more) vulnerabilities must be resolved within 30 days and rescanned until passing results are achieved.
- Upon request of the Treasury Office, the Merchant will complete the appropriate annual PCI-DSS Self-Assessment Questionnaire (SAQ) and provide supporting documentation including network security scans deemed necessary by the Information Security Office, Treasury Office, Acquirer Banks, or Payment Card entities. The Merchant will be responsible for the costs of compliance.
- A Merchant’s ability to offer bank/credit card payment is conditioned on compliance with the PCI-DSS. The Merchant is responsible for complying and maintaining PCI-DSS standards. If the Merchant fails compliance, the merchant is responsible for correcting deficiencies to bring the Merchant into compliance as directed by the Treasury Office and the Information Security Office. Failure to comply with PCI standards will result in withdrawal of the Merchant’s ability to accept bank/credit cards.
- In case of breach or fraud, the responsible Merchant department will pay for all assessed regulatory fines, penalties, forensic, assessment and card replacement costs to campus due to the security failure.
- All Merchants and departments are responsible for:
  - Following security measures established by the payment card industry, the University Information Security Office and Financial Services policies.
  - Performing all periodic compliance activities requested by the Information Security Office in coordination with the Treasury Office in a timely manner.
  - Reviewing monthly merchant statements for accuracy. Inaccurate charges must be reported to the Treasury Office within 60 days of the statement date.
  - Notifying the Treasury Office immediately when Merchant Accounts are no longer needed and should be deactivated.
  - Notifying the Treasury Office of Merchant Responsible Person staff changes.
  - Enrolling in the business track reporting applications provided by the Acquirer Bank or Processor for tracking, analyzing, chargeback notifications and monitoring payment processing information.
  - Responding to chargeback notifications within the deadlines stated in the chargeback notification letter.
  - Ensuring that no cardholder information is stored electronically in any database, application, fax machine or system.
  - Following the responsibilities and guidelines in the exhibits included within this policy.
Security Incident Response
- All suspected or confirmed security compromises or misuse of card information must be reported immediately to the Information Security Office and the Treasury Office. Additionally, Merchants must follow the Incident Reporting and Response Policy.
- If a security breach is confirmed by the Information Security Officer and the Treasury Office, the Treasury Office will be responsible for alerting the merchant acquiring bank, the payment card associations and other merchant regulatory entities deemed necessary of the confirmed security breach. The Information Security Office will be responsible for providing the security breach information to all government agencies required by statute.
Related Information
ABOR Policy 3-102
Arizona Revised Statute (A.R.S.) 18-552 – Notification of Security System Breaches
FSM 8.10 Cash Receiving
FSM 8.11 Sales Tax
FSM 8.12 Gifts
Information Security Policy and Guidance
Bank Card Merchant Security Requirements:
Payment Card Industry (PCI-DSS) Standards
Payment Application Best Practices (PABP)
Arizona Revised Statute (A.R.S.) 18-552 – Notification of Security System Breaches
Approved Service Providers:
PCI Security Standards Council Validated Payment Applications