NU logo

Text Box: Responsible University Official: Ingrid Stafford
Responsible Office: Financial Operations
Origination Date: July 8, 2008

Merchant Card Processing Policy

Policy Statement

In order to accept credit or debit card payments, a Northwestern University (NU) school, department, or organization must

receive prior permission from the Bursar’s Office and
ensure that the payment process and related recordkeeping adhere to university accounting guidelines, the Payment Card Industry Data Security Standard (PCI DSS), and all applicable legislation.

Reasons for Policy/Purpose

Merchant credit or debit card transactions are monetary transactions and are subject to the same control and reconciliation policies as cash transactions.
Merchant card transactions are governed by university-wide banking agreements; therefore, independent establishment of payment processes may constitute a breach of contract.
Improper protection of merchant card data, whether in electronic or paper form, could lead to a security breach that may result in

· customer ill-will,

· damage to NU’s reputation,

· fines,

· legal fees,

· notification-related costs, and

· concessionary costs, such as offering credit monitoring to individuals put at risk.

Potential ramifications of a data breach are greater if the merchant is not in compliance with the minimum security standards required by the payment card industry (PCI DSS).

Policy Statement 3

Reasons for Policy/Purpose. 3

Who Approved This Policy. 5

Who Needs to Know This Policy. 5

Website Address for this Policy. 5

Contacts. 5

Definitions. 5

Policy Description. 7

Approval to Accept Merchant Cards. 7

Types of Cards Accepted. 7

Establishing Contracts. 7

Cash Control – Merchant Card Transactions. 7

Compliance with PCI Data Security Standards. 8

Security of Non-PCI e-Commerce System Components. 8

NUIT Hosting and Network Services. 8

Review of Web Content 8

Merchant Card Processing Fees. 8

Penalties for Noncompliance. 9

Responding to a Card-Related Security Breach. 9

Appendices. 9

Related Information. 9

History/Revision Dates. 10

Who Approved This Policy

Ingrid Stafford

Who Needs to Know This Policy

Any NU employee, contractor, business partner, or student involved in the processing of debit and credit card payments or who has authority over a system that accepts such payments.

Website Address for this Policy

http://www.northwestern.edu/bursar/docs/ccpolicy.html

Contacts

If you have any questions on the policy or procedure for Merchant Card Processing, you may:

1. Call the Bursar’s Office at 847-491-5343, or

2. Send an e-mail to s-zimmerman@northwestern.edu or j-shields@northwestern.edu

Definitions

e-Commerce	The process of conducting payment transactions over a computer network, usually the Internet. In e-commerce the merchant card is usually not present; instead, the payer enters that data into a form remotely.
e-Merchant	A merchant who uses an e-commerce system to generate revenue.
Merchant	A department, school, or other NU organization that collects revenue. Although merchants may receive payments in various forms (i.e. cash, check, voucher) this policy applies to merchants who wish to receive at least some of their payments from credit or debit card transactions.
Merchant Card	Debit or credit cards, including those under the Visa, Master Card, and American Express brands.
Merchant ID	A merchant identification code is assigned by the bank and is used to identify the owner of merchant card transactions.
PCI DSS	The Payment Card Industry Data Security Standard (PCI DSS) defines security requirements for card transactions and is required by a consortium of card providers (i.e. Visa, Master Card, Discover, and American Express). Failure to comply with PCI DSS may result in substantial fines and increased auditing requirements if a breach occurs. The full text of the standard and other supporting documents are available at https://www.pcisecuritystandards.org/.
Payment Card	See “Merchant Card.”
POS System	Point-of-Sale system. A computer-based system that processes payments over a network. A POS system differs from an e-commerce system in that the payer and card are usually present at the time of the transaction.
Terminal	A machine for electronically processing credit card payments. Card data may be captured by swiping the card through a designated slot in the terminal or by keying in the card number by hand. Payment information may be transmitted over phone lines or the Internet.

Policy Description

Approval to Accept Merchant Cards

Any NU entity that wishes to accept debit or credit card payments through any medium—e-commerce, paper, terminal, point-of-sale system—must first have a unique merchant number. The Bursar secures merchant IDs, establishes them with the preferred processor and has them associated with one of the University’s bank accounts. Generally, only authorized cash collection units may request to become a card processing merchant.

Merchant card transactions may be processed via e-commerce systems, POS systems, imprint machines, or terminals. The Bursar’s Office must approve the desired method(s) of merchant card processing. If a terminal is desired, it must be acquired through the Bursar’s Office. A Merchant Card Processing Request Form must be submitted to and approved by Treasury Operations prior to processing any card payments.

Centrally managed revenues, such as gifts, grants and tuition are the responsibility of special central administrative units. No school or department-based application may solicit or record gifts to the University, grants from sponsors, or tuition for credit courses. (Evaluation of tuition payment options for units already taking credit cards will be handled separately from this policy.)

Types of Cards Accepted

Visa, Mastercard, and American Express are the only types of merchant cards authorized for use at the University. This is in an effort to contain costs to the departments and the University by directing volume to a limited number of card vendors in order to increase our negotiating power for discount rates.

Establishing Contracts

All contracts for payment processing systems or services must have prior approval from Treasury Operations and the Office of General Counsel. For e-commerce systems, NUIT must also approve security policies and system architecture. This includes agreements for the lease or purchase of software or hardware as well as the outsourcing of any payment system development or management. It is the responsibility of the NU merchant to ensure that applicable vendors are PCI compliant at the time of signing as well as throughout the life of the contract.

In some cases a third party may suggest that payments be processed under that company’s Merchant ID rather than one owned by NU. Prior approval for these arrangements must be obtained from Treasury Operations and the Office of General Counsel in order to ensure that the agreement does not violate any existing contracts.

Cash Control – Merchant Card Transactions

A daily accounting of receipts, from sales or deposits, should be balanced against merchant card transactions and deposited with any currency, coins, and checks at the Bursar’s Office. The actual funds for the merchant card transactions are electronically deposited into the university’s bank account automatically and reconciled by the Bursar. All cash handling units are responsible for complying with the Merchant Card Processing Procedures and NU Cash Handling Policy and Procedures and for developing and maintaining detailed, written departmental balancing procedures.

Compliance with PCI Data Security Standards

PCI DSS applies to all merchant card processing and its related recordkeeping, whether electronic or on paper. It is the responsibility of the NU Merchant to read and understand the requirements of PCI DSS, although Treasury Operations may provide additional guidance.

All merchants must participate in the NU PCI Compliance Program. This program includes the completion of a PCI self assessment questionnaire (SAQ) at least annually. For full details of the requirements of the program see the PCI Compliance Program document.

Security of Non-PCI e-Commerce System Components

For e-commerce systems, if the payment processing is outsourced (such as to Paypal) and you do not store, process, or transmit card data on University equipment, those components of the system may not fall under the scope of PCI DSS. Even if you confirm that your system components are outside the scope of PCI DSS, you must take precautions to ensure the security of those system components, including using a firewall to control network traffic. NUIT can provide guidance on security best practices.

Because managing an e-commerce system in accordance with PCI DSS can be challenging and the ramifications of not following the standard can be significant, all merchants are advised to outsource as much of their system as possible to PCI compliant service providers.

NUIT Hosting and Network Services

NUIT will provide hosting and network services (including firewall administration) only for components that are outside of the scope of PCI DSS. If PCI DSS compliance services are required for University computing assets or network segments, merchants should consider outsourcing the management of those to a PCI approved service provider.

Review of Web Content

University Relations reserves the right to review Web content at any time.

Merchant Card Processing Fees

Merchants are responsible for fees and other costs associated with merchant card processing. The school or department business administrator must review e-commerce business cases and technical requirements to assess the budget and administrative impact due to payment processing activities. The associated startup and recurring costs include, but are not limited to

fees for credit card transactions,
equipment rental and maintenance,
hosting services or equipment costs,
application and database development and maintenance,
customer support costs,
resources to implement and maintain merchant equipment,
accounting support to do reconciliation, and
audits and reviews related to PCI compliance.

For a list of current fees see the Merchant Card Processing Fees List (Contact the Bursar's Office for current rates.)

Penalties for Noncompliance

The Bursar may revoke merchant card processing privileges at any time if the merchant fails to adhere to this policy and its related procedures. This includes failing to pay associated fees, failing to complete the annual self-assessment questionnaire accurately and in the timeframe dictated, and failure to attend annual PCI DSS security training.

In the event that a security breach exposes or is suspected to have exposed sensitive data the merchant may be responsible for fines, legal fees, notification costs, and concessionary expenses related to the breach. Additionally, the related merchant account may be revoked.

Responding to a Card-Related Security Breach

In the event that cardholder data may have been accessed by unauthorized persons, please follow the NU Incident Response Protocol and notify the Bursar’s Office immediately. Examples of such incidents include the compromise of electronic information systems as well as loss of paper records.

Appendices

Appendices are available for download at http://www.northwestern.edu/bursar/docs/ccpolicy.doc or by request from the Bursar’s Office.

Forms:

Merchant Card Processing Request Form

Instructions and Procedures:

PCI Compliance Program

Merchant Card Processing Procedures

Reference:

Merchant Card Processing Fees List (available by request from Bursar's Office)

Related Information

Payment Card Industry Data Security Standard (PCI DSS)

NU Cash Handling Policy and Procedures

NU Incident Response Protocol

History/Revision Dates

Origination Date: July 8, 2008

Last Amended Date: Initial Version

Next Review Date: April 2009

Table of Contents