Credit Card Processing Guidelines

The purpose of this document is to describe the general responsibilities inherent with the collection, processing, storage, or dissemination of credit card data.

Main Page Content

The document is intended as an overview only, and may not address all facets of PCI compliance. Questions remaining unanswered following a thorough review of these guidelines should be directed to bursar@brockport.edu.

• All credit card processing is subject to review by the Payment Card Oversight Committee. This includes credit card payments received via:
  • web forms
  • walk-in
  • mail
  • phone calls
  • off-site events
    
    
• Cardholder information cannot be accepted/processed via e-mail. If a student/family member/customer should send his/her credit card information to a University department/individual email, the following steps should be taken:
  • DO NOT PROCESS THE TRANSACTION!
  • Click “Reply” on the email
  • Delete the credit card number from the original portion of the email.
  • In your response, Copy and paste the following:
    • “Thank you for contacting (insert department or name). We appreciate your business, however as part of our compliance effort with the Payment Card Data Security Standard and our commitment to protecting our students and their families, we are unable to process the credit card information that you sent through email. We ask that you use one of the accepted methods of processing the sale. Those methods are:
      • (List here, e.g., mail to xxx, phone via extension xxx)
  • Then promptly delete the original email from your “in-box” AND empty the item from your “Deleted” email folder.

***NEVER PROCESS THE CREDIT CARD TRANSACTION USING THE INFORMATION FROM THE EMAIL! Doing so violates PCI compliance/brings the computer via which the card information was received “into scope”. Call the person and relay the alternate ways in which s/he can provide you with secure payment card information.

Cardholder information can only be accepted/processed via FAX if ALL of the following conditions are met:

• Fax machine is stand-alone, land-line paper fax ( cannot be connected to the network) located in an area not accessible to the public,
• Documents are immediately distributed to the individual responsible for key-entering the information into a swipe terminal,
• The payment card information is removed and cross-cut shredded after the transaction has been processed
• The merchant copy is attached to the fax and filed in an appropriate place
• The customer copy is faxed/mailed/emailed back to the customer (optional).

If ALL the above conditions are NOT met, you cannot process the credit card payment.

If your office uses a network-connected fax (e.g., a multi-function network copier with fax capability) and a customer sends his/her credit card information to the department, DO NOT PROCESS THE TRANSACTION ! Instead, the following steps must be taken:

• IMMEDIATELY SHRED the fax
  • Contact the payer via phone or email and let them know the PCI-compliant mechanisms by which credit card information can be received/processed.
    • (List options here, e.g., mail to xxx, phone via extension xxx)
  • Contact LITS and ask that the fax be deleted/”scraped” from the multi-function device’s hard drive so that no electronic record of the secure cardholder data exists

***NEVER PROCESS THE CREDIT CARD TRANSACTION USING THE INFORMATION FROM A FAX CONNECTED TO THE NETWORK!Doing so violates PCI compliance. Call the person and relay the alternate ways in which s/he can provide you with secure payment card information

• Cardholder information may not be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). This includes reports from hosted credit card processing vendors.
• The PIN and CVV2 or card verification code (on the back of the card) are NEVER allowed to be stored.
• POS (point of sale) or card swipe terminals must be approved by the Payment Card Oversight Committee prior to implementation/use.
• Access to cardholder information (in any form) must be limited to those individuals whose job responsibilities require it (e.g., accepting credit cards at a service counter).
• Any media, including paper copies that contain cardholder information, must be treated as secure, privileged and confidential, and should be appropriately protected as such.
  • All pre-existing cardholder information must be deleted from electronic databases, including computer hard drives, CDs, disks, and other external storage media, using mechanism(s) approved by the Payment Card Oversight Committee.
• Manual credit card payment slips or other form(s) that include credit card processing data must be transported via Campus Police to the Office of Student Accounts and Accounting; remittance of those forms should occur on a daily basis using a secure (sealed or locked) bag.
• Any paper copies of cardholder information must be securely stored in a locked location prior to processing. Cardholder information must be destroyed according to PCI guidelines immediately after processing.
• Cardholder information (in any form) must never be displayed publically or left unattended; cardholder information should never be disclosed to others.
• Employees, including student workers, handling cardholder information are subject to a background check and must acknowledge understanding of these SUNY Brockport Credit Card Processing Guidelines. Generally, student employees should not have access to cardholder information unless their job requires it. All employees, including student workers, handling cardholder information (including credit cards) are required to attend PCI compliance training on an annual basis.
• Workstations, including “general purpose” and/or laptop devices, may not be used to process credit/debit cards and/or cardholder information; this ban includes input to online web forms.

Last Reviewed: 11/2019

Last Reviewed by: PCI Oversight Committee