Tufts University Policy for Accepting Credit Card and eCommerce Payments

This policy was originally issued on January 1, 2007 and has been approved by the Vice President for Finance and Treasurer (Vice President for Finance) and the Vice President for Information Technology and Chief Information Officer (Vice President for IT and CIO).

Background and Purpose

Tufts’ acceptance of credit cards to pay for gifts, goods and services has been growing over the past several years. Increased interest in accepting payments over the Internet (eCommerce) has also grown, spurring the need to establish business processes and policies that protect the interests of the University and its customers.

While the costs for accepting credit card payments can be significant (1.5-3.0% of every transaction, depending on the card type), it often makes sense to accept this type of payment for business reasons, which include control of receivables, competitive position and efficient processing. To the extent that it makes economic sense to do so, the University would like to support this activity. In order to ensure that credit card activities are consistent, efficient and secure, the University has adopted the following policy and supporting procedures for all types of credit card activity transacted in-person, over the phone, via fax, mail or the Internet. This policy provides guidance so that credit card acceptance and eCommerce processes comply with the Payment Card Industry Data Security Standards (PCI DSS) and are appropriately integrated with the University’s financial and other systems.

Security breaches can result in serious consequences for the University, including release of confidential information, damage to reputation, added compliance costs, the assessment of substantial fines, possible legal liability and the potential loss of the ability to accept credit card payments.

Tufts has contracted with a third-party vendor (“Authorized Vendor”) whose core business includes the support and processing of eCommerce transactions. The Authorized Vendor will provide the University with a secure gateway and hosted solution in which all credit card and personal payment information is transmitted to and stored on off-site computers which the Authorized Vendor owns and maintains. The Authorized Vendor must maintain PCI DSS compliance certification. This relationship will enable the University to leverage the volume of eCommerce transactions and reduce processing costs.

Applicability

Any Tufts University employee, contractor or agent who, in the course of doing business on behalf of the University, is involved in the acceptance of credit card and eCommerce payments for the University is subject to this policy. Failure to comply with the terms of this policy may result in disciplinary actions and could also limit a department’s credit card acceptance privileges.

Policy Statement

Any department accepting credit card and/or electronic payments on behalf of Tufts University for gifts, goods or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for eCommerce and credit card transaction processing within that department. This individual will be referred to in the remainder of this policy statement as the Merchant Department Responsible Person or “MDRP”.

All MDRPs must:

  1. Execute on behalf of the relevant Merchant Department the Process to Implement Acceptance of Credit Cards for Payment detailed below.

  2. Ensure that all employees (including the MDRP), contractors and agents with access to payment card data within the relevant Merchant Department acknowledge on an annual basis and in writing that they have read and understood this Policy for Accepting Credit Card and eCommerce Payments. These acknowledgements should be submitted, as requested, to the Cash Manager in Treasury Operations (located in the Tufts Administration Building, Medford) on an annual basis.
  3. Ensure that all credit card data collected by the relevant Merchant Department in the course of performing Tufts University business, regardless of how the payment card data is stored (physically or electronically, including but not limited to account numbers, card imprints, and Terminal Identification Numbers (TIDs)) is secured. Data is considered to be secured only if the following criteria are met:
    • Only those with a need-to-know are granted access to credit card and electronic payment data.
    • Email should not be used to transmit credit card or personal payment information. If it should be necessary to transmit credit card information, only the first and last four digits of the credit card number can be displayed.
    • Credit card or personal payment information is never downloaded onto any portable devices such as USB flash drives, compact disks, laptop computers or personal digital assistants.
    • Fax transmissions (both sending and receiving) of credit card and electronic payment information occurs only on those fax machines whose access is restricted to just those individuals who must have contact with payment card information in order to do their jobs.
    • The processing and storage of personally identifiable credit card or payment information on University computers and servers is prohibited. Exceptions can only be made if the processing and storage methods are compliant with this policy, the Tufts University Information Technology Resources Security Policy and PCI Data Security Standards. These standards detail strict encryption protocols. Links to these policies and standards are provided at the end of this document.
    • Only secure communication protocols and/or encrypted connections to the Authorized Vendor are used during the processing of eCommerce transactions. (NOTE: University Information Technology (UIT) maintains a staff of security professionals who are available, as required, to provide consultative services on appropriate security practices. The UIT Security Group can be contacted to request these services at security@net.tufts.edu.)
    • The three-digit card-validation code printed on the signature panel of a credit card is never stored in any form.
    • The full contents of any track from the magnetic stripe (on the back of a credit card, in a chip, etc.) are never stored in any form.
    • All but the first and last four digits of any credit card account number are always masked, should it be necessary to display credit card data.
    • All media containing credit card and personal payment data that is no longer deemed necessary or appropriate to store are destroyed or rendered unreadable.

No Tufts University employee, contractor or agent who obtains access to payment card or other personal payment information in the course of conducting business on behalf of Tufts University may sell, purchase, provide, or exchange said information in any form including but not limited to imprinted sales slips, carbon copies of imprinted sales slips, mailing lists, tapes, or other media obtained by reason of a card transaction to any third party other than to Tufts University’s acquiring bank, depository bank, Visa, MasterCard or other credit card company, or pursuant to a government request. All requests to provide information to any party outside of your department must be coordinated with the Cash Manager in Treasury Operations.

Merchant Departments must use the services of the Authorized Vendor to process all eCommerce transactions. If a department believes that it has a significant business case or processing requirement that cannot be achieved using the services of the Authorized Vendor and wishes to utilize an alternative, it must initiate its request to the Cash Manager (treasury@elist.tufts.edu) for a release from the Authorized Vendor requirements specified by this policy. The Cash Manager will forward the request to the Vice President for Finance and the Vice President for IT and CIO with a recommendation. Only the Vice President for Finance and the Vice President for IT and CIO may authorize the adoption of alternative eCommerce vendors and products.

In the event that the Vice President for Finance and Vice President for IT and CIO authorize the use of an alternative eCommerce vendor, then the following must occur:

  • The alternative eCommerce vendor must execute the Tufts University PCI Amendment or an equivalent agreement before any eCommerce activities may commence. (The MDRP may contact the Cash Manager for further details of this process.)

  • The MDRP must provide proof that the alternate eCommerce vendor is certified PCI compliant and ensure that the department and its vendor comply with all relevant provisions of the Tufts University Information Technology Resources Security Policy and the Tufts University Policy for Accepting Credit Card and eCommerce Payments.

Process to Implement Acceptance of Credit Card and eCommerce Payments

The MDRP or his/her designee must follow the steps below in order to implement payment card processing and eCommerce at Tufts.

  1. Notify the Cash Manager in Treasury Operations of a need to accept credit card payments and/or conduct eCommerce. Notification should be sent to treasury@elist.tufts.edu.
  2. Complete an Application to Become a Merchant Department (the application form is listed under Related Documents at the end of this document). Applications must be signed by the MDRP as well as the school/division Budget and Fiscal Officer (BFO). It is the responsibility of the BFO to approve the business case for the department to become a merchant department, the PeopleSoft information provided and the designated Merchant Department Responsible Person.
  3. Submit the application for review and approval to the Cash Manager at treasury@elist.tufts.edu. Allow 2-4 weeks for processing of the request. All applications require the approval of the Vice President for Finance. Applications that request eCommerce capabilities will also require approval of the Vice President for IT and CIO.
  4. If the application is approved, the Cash Manager will provide the requesting department any necessary equipment and training. The Cash Manager will also provide a Merchant Department Handbook, which includes additional information about processing, policies and what to do in the case of a security breach. Allow between 2-4 weeks to complete this part of the process.

Process for Responding to a Security Breach

In the event of a breach or suspected breach of security, the Merchant Department must immediately execute each of the relevant steps detailed below.

  1. The MDRP or any individual suspecting a security breach must immediately notify the Cash Manager (treasury@elist.tufts.edu) of an actual breach or suspected breach of credit card information. Email should be used for initial notification and to provide a telephone number for the Cash Manager to call in response. Details of the breach should not be disclosed in email correspondence.
  2. The MDRP or any individual suspecting a security breach involving eCommerce also must immediately ensure that the following steps, where relevant, are taken to contain and limit the exposure of the breach:
    • Prevent any further access to or alteration of the compromised system(s) (i.e., do not log on at all to the machine and/or change passwords; do not log in with ROOT or Administrative authority).
    • Do not switch off the compromised machine; instead, isolate the compromised system(s) from the network by unplugging the network connection cable.
    • Preserve logs and electronic evidence.
    • Log all actions taken.
    • If a wireless network is in use, the Cash Manager will contact UIT Network Services and request a change to the SSID on the AP and other machines that may be using this connection. (No changes should be made to any systems believed to be compromised, however.)
    • Be on HIGH alert and monitor all eCommerce applications.
  3. The Cash Manager shall alert the merchant bank, the payment card associations, the Tufts University Police Department, the University Counsel and Executive Director of Communications, the FBI, United States Secret Service and other relevant regulatory agencies of the suspected breach.
  4. Where an actual breach of credit card data is confirmed, the Cash Manager, with the assistance of the Security Officer, will ensure that compromised credit card account information is securely sent to the appropriate Fraud Control Groups and affected credit card associations.
  5. Within 48 hours of the breach, the Cash Manager, with assistance from the relevant MDRP, shall provide the affected credit card associations with proof of PCI compliance.
  6. Within 4 business days of the breach, the Cash Manager, with assistance from the relevant MDRP, shall provide the affected credit card associations with an incident report.
  7. At the relevant credit card associations’ request and depending on the level of risk and data elements compromised, the Cash Manager in conjunction with the University Security Officer shall, within 4 business days of the event:
    • Arrange for an independent forensic review.
    • Arrange for a network and system vulnerability scan.
    • Complete a compliance questionnaire and submit it to the relevant card association(s).

Ongoing Policy Management

  • Tufts University may modify this policy from time to time as required, provided that all modifications are consistent with Payment Card Industry Data Security Standards then in effect.

  • The Cash Manager is responsible for initiating and overseeing an annual review of this Policy, making appropriate revisions and updates and issuing the revised policy to appropriate Merchant Departments. The review will include reconfirmation of certified PCI compliance of Tufts’ third party vendors that accept credit card payments on behalf of the University.

Related Documents

Tufts University Information Technology Resources Security Policy: http://uit.tufts.edu/?pid=431

Application to Become a Merchant Accepting Credit Card and/or Online Payments: http://finance.tufts.edu/treasury/files/merchant_dept_application.doc

The web site for the PCI Security Standards Council: https://www.pcisecuritystandards.org/