Section II - Credit Card Transactions Processed Through a Card Swipe Terminal (an authorized credit card machine) Self-Assessment Questionnaire B (SAQ B)

Note: Section I should also be used in conjunction with this section when developing a department's individual policies.


Acquiring credit card equipment

  • Credit Card terminals must be requested through Student Receivables. The needed equipment and supplies will be obtained by Student Receivables and distributed to the department.

  • The department will be responsible for equipment costs, which will be reflected on the department's monthly credit card statement.

Processing, settling and recording credit card transactions that were taken with a card swipe terminal

  • Initial training for operating the card swipe terminal to process a transaction will be provided by Student Receivables.

  • The terminal activity should be settled daily. Initial training will be provided by Student Receivables.

  • NOTE: Settlements not done within 24 hours will result in an increased rate for all transactions in that batch.

  • Department records should be maintained of the type(s) of revenue (e.g., sales, services, gifts, fees, etc.) that were paid with credit card.

  • Once settled, the summary settlement tape (Totals/settlement report) is the equivalent of depositing the funds into the University's bank account electronically. However, the department must record the revenue to the appropriate University FOAPs in order to reflect the departmental revenue.

Restrict access to cardholder data by business need to know

  • Access to credit card terminals should be limited to only authorized employees. The physical location of credit card terminals should not be accessible by the public.

  • Only authorized employees should have access to credit card terminal settlement processes.

  • Access to secure storage areas should be limited to only authorized personnel. Make sure all visitors are authorized before entering areas where cardholder data is processed or maintained.

  • Maintain strict control over the internal and/or external distribution of any kind of media that contains cardholder data.

  • Classify credit card media so that it can be identified as confidential.

  • Management approval should be obtained prior to moving any and all media containing cardholder data from a secured area.

Securely Store and Retain Cardholder Data

  • Under no circumstances should a department create or store electronic files of customer credit card numbers and expiration dates (including spreadsheets and databases).

  • Do not store the card-validation code or value, which is the three-digit or four-digit number printed on the front or back of a payment card. This code is normally used to verify that the customer possesses the card when it is not available to swipe.

  • Do not store the personal identification number.

  • Physically secure all paper and media that contain cardholder information.

  • Store credit card settlement tapes in a secure, locked (limited access) area.

  • Store any credit card data for which there is a business need to keep in a secure, locked area.

  • Limit the retention time of credit card data to that which is required for business, legal, and/or regulatory purposes. This should not exceed a year.

Destruction of previously retained cardholder data

  • Destroy media containing cardholder information when it is no longer needed, according to the department retention policy.

  • Cross-cut shred hardcopy materials so that cardholder data cannot be reconstructed.

