Virginia Polytechnic Institute and State University
Accepting and Handling Payment Card Transactions - No. 3610 - Page 4
Each university merchant that handles payment card information must have written procedures specific to its
operations that are consistent with this policy and other related university policies and procedures such as
Information Technology Security, Funds Handling, and Fiscal Responsibility. The procedures should include,
but not be limited to: segregation of duties, deposits, reconciliation procedures, physical security and
identification of card processing area, disposal, storage, separate passwords, firewall, anti-virus software, cash
register procedures and personnel screening and criminal conviction check procedures. See University Policy
4060, Conviction and Driving Record Investigation for Employment (http://policies.vt.edu/4060.pdf).
When an employee is no longer involved with payment card operations due to termination or a change in job
responsibilities, access to payment card information, keys, access codes, and passwords must be revoked and/or
changed immediately to prevent any future unauthorized access.
University merchants handling payment card transactions must segregate all duties related to data processing and
storing of payment card information. For example, the same person that processes payment card transactions
cannot perform the monthly reconciliation or process refunds.
The manual or electronic collection of the full sixteen-digit cardholder number, referred to as the primary account
number (PAN), is discouraged. All paper-based processes where customers write down their payment card
number and provide it to a university merchant should be re-engineered to utilize the university's preferred hosted
payment solution or point-of-sale, stand-alone dial-out phone terminals. Any paper media containing the full
sixteen-digit cardholder number must be kept in a locked and secured location at all times and destroyed after
authorization of the transaction. All point-of-sale swipe payment card machines must mask the payment card
number on both the merchant and customer copies of the receipt and any batch and settlement report(s). When
utilizing the university’s preferred hosted payment solution, the customer enters their payment card number on
an externally hosted website for processing, eliminating the need for university employees to collect their
payment card number.
Verification of controls and approval of University Bursar must be obtained prior to storage of any cardholder
data and annually thereafter. Electronic storage of Sensitive Authentication Data and unencrypted cardholder
data is prohibited. This includes but is not limited to any computer program, university system, email, or any
electronic visual image.
In addition to the PCI DSS, university merchants must comply with the Standard for Storing and Transmitting
Personally Identifying Information, which is located on the Information Technology Security Officer’s website.
4. Payment cards may be accepted only using methods approved by the Office of the University Bursar.
All university merchants who accept card payments via the internet are required to use the university’s preferred
hosted payment solution. Stand-alone, dial-out phone terminals are the preferred method for in-person acceptance
of card payments. University merchants considering changes to collection of card data, such as kiosks, telephone
orders, call center operations, etc. with higher risks must update their merchant ID application with the Bursar's
office and receive approval prior to implementation. See Exceptions section of this policy for guidance on the
approval of other processing methods.
New or changed payment technologies must be approved prior to implementation and must be properly secured and
documented. Procurement of any software applications, third party services, or development of payment
channels for the acceptance of credit cards must be approved by the University Bursar prior to execution of
contractual agreements.