Credit Card Payment Policy & Procedure

WESTCHESTER COMMUNITY COLLEGE ACCEPTING CREDIT CARD PAYMENT POLICY DRAFT

Policy

Westchester Community College accepts credit cards as a form of payment. College managers must obtain authorization for their units to accept payments via credit card by contacting the Vice President and Dean of Administrative Services and CFO. Credit card numbers and card verification codes or PINs must never be stored or printed, except for the last four (4) digits of credit card numbers, which may be included in reports or receipts. All credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS) and applicable merchant payment card processing agreements.

Only approved Westchester Community College credit card authorization devices with PIN Transaction Security (PTS) enabled with end-to-end encryption are allowed to be connected to the college network for use by college employees.

PROCEDURES

Establishing a credit card account:

  1. Contact the Vice President and Dean of Administrative Services and CFO to obtain authorization to accept credit cards as a form of payment.
  2. The Bursar Office must establish all merchant accounts to ensure the Bursar Office has access to all accounts for reconciliation purposes.
  3. Departments must provide daily settlement reports to the Bursar Office for all credit card transactions, unless other college-approved arrangements have been made.

Processing credit card payments over the internet:

  1. The college contracts with an online payment gateway that is PCI DSS-compliant for receiving, transmitting, and storing credit card data. Cardholder transaction information is collected and securely stored solely with the vendor. At no time is credit card information stored on college computers or transmitted by the college.
  2. Only payment gateway information necessary to apply the payment (such as the name, amount, and authorization code) may be retained by the college. The full contents of any data from the magnetic stripe, the 16-digit credit card number, the card verification code, or the PIN must not be stored under any circumstances.

Processing credit card payments where a card is presented in person:

  1. PCI DSS-compliant credit card equipment will be provided by the Bursar Office through the merchant service provider.
  2. Signed slips or batch reports must be sent to the Bursar Office daily. Documents must never contain the full credit card number.
  3. The college will accept in-person credit card payments only if the person whose name appears on the card presents the card.

Processing credit card payments when the card is not present:

  1. All rules that apply to “Processing credit card payments where a card is presented in person” are applicable.
  2. The credit card information received should be processed promptly. Following confirmation that the transaction has been transmitted without error, the credit card number and verification code/PIN received should be destroyed.

Reporting security incidents:

All employees handling credit card transactions are responsible for promptly reporting security incidents to College Security and the Bursar Office. An employee who suspects fraud should immediately notify College Security of any suspected or actual security incident involving cardholder data.