Payment Card

  • Policy Type: Business Services 
  • Policy Title: Payment Card 
  • Policy Number: NA
  • Office Responsible: Business Services
  • Related Policies: N/A
  • Related Procedures: Safekeeping and Storage of Cardholder Data
  • Related Laws: N/A
  • HLC Criterion: N/A

Policy Statement

It is the policy of the College to allow acceptance of payment cards as a form of payment for goods and services. OCC requires all departments that accept payment cards to do so only in accordance with the Payment Card Industry Data Security Standard (PCI-DSS), this policy and the OCC Safekeeping and Security Procedures for the Storage of Cardholder Data.

All College employees accepting payment cards will acknowledge their responsibilities, as well as the security requirements (PCI-DSS), and OCC’s Safekeeping and Security Procedures for the Storage of Cardholder Data that must be followed. Failure to follow the requirements of the College’s Payment Card Policy and Safekeeping and Security Procedures for the Storage of Cardholder Data may result in the revocation of an employee’s ability to accept card payments.

PCI-DSS
PCI-DSS is a mandated set of requirements agreed upon by the five major credit card companies: VISA, MasterCard, Discover, American Express and JCB. These security requirements apply to all transactions surrounding the payment card industry and the merchants/organizations that accept these cards as forms of payment. Further details about PCI can be found at the PCI Security Standards Council Website.

In order to accept credit card payments, the College must prove and maintain compliance with the PCI-DSS, the College’s Payment Card Policy, and Safekeeping and Security Procedures for the Storage of Cardholder Data. The policy and procedures provide the requirements for processing, transmission, storage, and disposal of cardholder data transactions. These requirements are mandated to reduce the institutional risk associated with the administration of credit card payments by individual departments and to ensure proper internal control and compliance with the PCI-DSS.

Scope/Applicability
The OCC Payment Card Policy applies to all employees, staff, third-party vendors, individuals, systems, and networks involved with payment card handling. This includes transmission, storage and/or processing of payment card data, in any form (electronic or paper), on behalf of the College.

Security, Processing, Collection, Storage and Distribution of Cardholder Data
Cardholder data (CHD) includes, but is not limited to, cardholder primary account number (PAN), card expiration date, and card verification value (CVV).

All departments authorized to accept payment and transactions must have their card handling procedures documented and made available for periodic review. Departments must institute the following procedures:

  • Documents or papers that have full cardholder data should be shredded or placed in a secured bin where all contents are shredded on a regular schedule. CHD must never be disposed of in a trash container.
  • CHD should only be kept long enough to enter the information into the P2PE device, and then shredded.
  • Printed transaction receipts, with masked CHD, must be kept in a secured and locked location and may also be kept in accordance with the College’s retention policy and shall be destroyed immediately following the required retention period. A regular schedule of deleting or destroying data should be established to ensure no CHD is kept beyond the required retention period. The secured and locked location should only be accessible to those employees who may need access to the printed document(s) for chargebacks or questions regarding a transaction.
  • CHD or cardholder personally identifiable information (PII) should never be emailed or sent via inter-office mail.
  • The three (3) or four (4) digit card CVV should never be saved or written on any document that is kept for retention purposes.
  • CHD or cardholder personally identifiable information (PII) must never be downloaded, uploaded, or copied to any electronic device or cloud-based service.
  • All devices used for transmission of CHD to an approved third party must be securely attached to a physical object, such that the devices cannot easily be removed from their location. When the device is not in use, it should be kept in a locked state to prevent unauthorized use.
  • On a regular basis, card devices should be checked for signs of tampering, which may include:
    • The device has been moved from its original location
    • Damage to the device
    • Additional items plugged into the device
    • Objects attached to card swipe or dip slots
  • Contact the Manager of Banking Services immediately regarding any devices that show signs of tampering.
  • Technical and repair services for devices should be conducted through the Manager of Banking Services.

Incident Response
In the event of a breach or a suspected breach of security, the department or affected unit must immediately contact the IT Support Center. The incident response must include notifications, staff requirements, and proper handling procedures.

Policy and Training
All users handling CHD must sign an acknowledgement of understanding and compliance agreement with the Payment Card Policy and applicable procedures. Training on PCI-DSS, this policy and procedures for safekeeping and security of CHD will be provided to all staff members with access to cardholder data.

Sanctions
Persons in violation of this policy are subject to sanctions, including loss of network access privileges, disciplinary action, suspension, termination of employment, and may face legal action. Some violations may constitute criminal offenses under local, state or federal laws. The College will carry out its responsibility to report such violations to the appropriate authorities.

Change Log

  • 02-08-2021  Approved by Vice Chancellor of Administration Services
  • 02-08-2021  Effective date
