Any department accepting credit card payments on behalf of College for Creative Studies for gifts, goods or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for eCommerce and credit card transaction processing within that department. This individual will be referred to in the remainder of this policy statement as the Merchant Department Responsible Person or “MDRP”.
Requirements of MDRP
- Execute on behalf of the relevant Merchant Department the Process to Implement Acceptance of Credit Cards for Payment detailed below.
- Ensure that all employees (including the MDRP), contractors and agents with access to payment card data within the relevant Merchant Department acknowledge on an annual basis and in writing that they have read and understood this Policy for Accepting Credit Card and eCommerce Payments. These acknowledgments should be submitted, as requested, to the Director of Business Services.
- Ensure that all credit card data collected by the relevant Merchant Department in the course of performing College for Creative Studies business, regardless of how the payment card data is stored (physically or electronically, including but not limited to account numbers, card imprints, and Terminal Identification Numbers (TIDs)), is secured. Data is considered to be secured only if all of the following criteria are met:
  - Only those with a need-to-know are granted access to credit card and electronic payment data.
  - Email is not used to transmit credit card or personal payment information. If it is necessary to transmit credit card information, only the first and last four digits of the credit card number may be displayed.
  - Credit card or personal payment information is never downloaded onto any portable device such as a USB flash drive, compact disk, laptop computer or personal digital assistant.
  - Fax transmissions (both sending and receiving) of credit card and electronic payment information occur only on those fax machines whose access is restricted to the individuals who must handle payment card information in order to do their jobs.
  - The processing and storage of personally identifiable credit card or payment information on college computers and servers is prohibited. Exceptions can only be made if the processing and storage methods are compliant with this policy and with the PCI Data Security Standards, which specify strict encryption requirements.
  - Any personally identifiable credit card information retained on paper is kept in a secure location (i.e. the Business Office safe) and is destroyed after the card is processed.
  - The three-digit card-validation code printed on the signature panel of a credit card is never stored in any form.
  - The full contents of any track from the magnetic stripe (on the back of a credit card, in a chip, etc.) are never stored in any form.
  - Should it be necessary to display credit card data, all but the first and last four digits of the credit card account number are always masked.
  - All media containing credit card and personal payment data that are no longer deemed necessary or appropriate to retain are destroyed or rendered unreadable.
No College for Creative Studies employee, contractor or agent who obtains access to payment card or other personal payment information in the course of conducting business on behalf of College for Creative Studies may sell, purchase, provide, or exchange said information in any form (including but not limited to imprinted sales slips, carbon copies of imprinted sales slips, mailing lists, tapes, or other media obtained by reason of a card transaction) to any third party other than College for Creative Studies' acquiring bank, depository bank, Visa, MasterCard or other credit card company, or pursuant to a government request. All requests to provide such information to any party outside of your department must be coordinated with the Director of Business Services.