Policies

Welcome to Farmingdale State College’s Policy Library. This library is the official repository for all institutional policies and procedures and is intended to be a resource for faculty, staff and students seeking information related to the policies that govern the institution. This library does not contain department-specific policies and procedures. Please contact the department for specific departmental policies and procedures.

Please direct all questions regarding policy content to the Responsible Office listed on the respective policy.

If you wish to propose or amend an institutional policy, please review the Policy for Developing Institutional Policies and complete the Policy Proposal Form.

For assistance with drafting and amending policies, please refer to the Policy Writing Guidance and/or contact the Risk and Compliance Office at 934-420-5365.

Farmingdale State College's Payment Card Policy

Policy Purpose

The purpose of this policy is to establish processes and procedures for accepting payment cards at Farmingdale State College while complying with the Payment Card Industry Data Security Standards (PCI-DSS). Every organization that accepts credit and debit card payments is required to comply with PCI-DSS, which is a proprietary information security standard for protecting payment card data and intended to minimize the risk of exposing cardholder data.

Persons Affected

Faculty, Staff, Students, Third-Parties

Policy Statement

Farmingdale State College is committed to protecting cardholder data, securing customer information, providing the greatest value and availability of services, and complying with PCI-DSS. Failure to protect such information or comply with PCI-DSS may result in financial loss for individuals and entities, suspension of payment card processing privileges, fines, and damage to the reputation of the College.

All faculty, staff, students, affiliated organizations, contractors, or consultants that accept, handle, or process card payments and or cardholder data on behalf of the College are required to participate in necessary trainings, follow the procedures outlined in this policy, and comply with PCI-DSS to ensure that the processing and transmission of payment card information takes place in a secure environment.

Only devices and online platforms approved by the Finance Office can be used to accept card payments. All third parties used for processing payment cards must be preapproved by the Finance Office and Information Technology. Agreements and contracts with third parties providing payment card services must acknowledge that their services are PCI compliant in any contracts or agreements. Department heads utilizing third parties for such services must request an annual Attestation of Compliance (AOC) from the third party and submit it to the PCI Committee as part of the PCI compliance process.

Card payments and cardholder data must never be collected or transmitted through mail, email, fax, text message, or over the phone. Cardholder data must not be stored electronically, on paper, or in any other manner.

Faculty, staff, students, and third parties are prohibited from manually entering credit card information for customers using Farmingdale’s IT network (both wired and wireless connections) and/or College-issued workstations (desktop, laptop, tablet, mobile device).

All faculty, staff and students are responsible for abiding by the FSC Credit Card Security Incident Response Plan and reporting any suspected or detected tampering of payment card devices. Such reports should be made to a member of the Response Team as indicated in the FSC Credit Card Security Incident Response Plan. College affiliates using third parties for their payment card device(s) must also follow procedures outlined in their agreements.

Procedures

  1. To request authorization to collect card payments, College department heads must contact the Finance Office.
  2. Based on the request, the Finance Office will determine the best method for collecting card payments. The two primary methods include an online platform (i.e., Marketplace) and in-person point of sale (POS) machine.
  3. Once approved to accept payment cards, whether in person or online, each department must create departmental procedures for collecting card payments. Departments may adopt the procedural templates provided in this document or create their own. These procedures must be submitted annually through the PCI Compliance process.
  4. Access to process card payments and other aspects of the processing environment should be limited to only personnel who have a business need. This includes access to devices and approved online platforms.
  5. It is the department head’s responsibility to ensure all appropriate personnel are trained as required by PCI-DSS. The following personnel are required to complete training provided by the PCI Committee, upon hire and annually:

  1. Anyone processing a payment card transaction
  2. Managers with oversight of any payment card processing activities
  3. All those with access to cardholder data
  4. All those who have access to the processing environment, including those accepting payment cards through approved online platforms

  1. The following steps must be taken for processing in-person payments through a payment card device:
    1. Department heads will be responsible for the security of the payment devices and must review the Guidance on Inspecting Payment Card Devices
    2. Department supervisors must maintain a list of all POS devices and personnel authorized to use them
    3. Credit card terminal passwords must be kept in a secure location and should never be displayed
    4. A PCI Payment Card Device Log must be completed on a regular basis to check for tampering of the device
    5. Devices should be kept in a secure location when not in use
    6. Credit Cards with a Chip must be processed using the Chip Reader. If the Chip does not work, the card number may not be entered directly in the device. The customer must use a different card or another method of payment.
    7. Someone other than the cardholder may not authorize payment
    8. Picture ID is required if the card is not signed
    9. Customers should be provided with a receipt for the transaction
    10. Transaction documentation and merchant receipt should be stored in a secure (locked) area
    11. Student Accounts and third-party credit card machine batch out procedures must be followed
  2. The Finance Office or third party will provide access to approved online platforms.
  3. Card payments and cardholder data must never be collected or transmitted through mail, email, fax, text message, or over the phone. If payment card information is submitted by these means, do not process the payment, or transmit it by any means. Respond to the mail, email, fax, caller, or text by clearly stating the policy of not taking card payments via these methods. Identify steps to delete or dispose of the cardholder data as soon as possible.
  4. The department heads of all areas processing payment card transactions must complete an annual PCI Compliance Form to ensure compliance with PCI-DSS. The form will require the following:
  • A listing of staff who process payment card transactions, have access to cardholder data, and those with access to the processing environment
  • Acknowledgement that all appropriate staff have completed PCI-DSS training
  • Indicate methods of collecting card payments
  • Submit department specific procedures for collecting and processing card payments and cardholder data
  • Submit PCI Device Inspection Logs, if applicable
  • Attest that cardholder data is not being stored in any manner
  • Attestation of Compliance for Third Parties, if applicable
  • Other information necessary to assist the PCI Committee in completing the Self-Assessment Questionnaire (SAQ)

Definitions

Processing Environment - the processing environment includes processing a payment card transaction by means of a payment card device, referring customers to make online payments, virtual access to online platforms utilized for processing transactions, and the physical access to payment card devices and other related documentation.

Payment card – any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc

Cardholder Data - Elements of payment card information that must be protected, including primary account number (PAN), cardholder name, expiration date, and the service code.

Payment Card Industry Data Security Standards (PCI DSS) - The security requirements defined by the Payment Card Industry Data Security Standards Council and the major credit card brands including Visa, MasterCard, Discover, American Express, and JCB.

Related Documents

Payment Card Industry Data Security Standards (PCI DSS)

Departmental Procedure Template for Accepting Payment Cards

Guidance on Inspecting Payment Card Devices

FSC Credit Card Security Incident Response Plan

Responsible Office

Risk and Compliance

Policy History

Approval Date: 7,12,2022

Categories