Loyola University Chicago

Financial Services

Credit Card Policy

This policy applies to all employees of Loyola University Chicago who accept credit cards as a form of payment for any item pertaining to the University, including but not limited to conferences, tickets, physical items, donations, etc., accepted via phone, mail, point of sale (POS), or via the Internet. The University holds a system-wide contract that binds us to using one credit card processor and an Internet payment gateway, thereby necessitating a systematic process.

Cash Management Services (CMS) must approve all credit card processing at the University. The role of CMS is to administer credit card processing and to act as facilitator. Student organizations are not allowed to accept credit cards.

University departments are authorized to accept only credit cards approved by CMS and agree to operate in accordance with the contract(s) the University holds with its service provider(s) and credit card issuers. This is to ensure that all transactions are in compliance with all credit card association rules and regulations, including Payment Card Industry Data Security Standards (PCI-DSS), as well as the University’s policies regarding security and privacy.

All credit card payments received must be directed into the University’s approved bank account. Department(s) may not set up their own banking relationships for payment card processing.

Department(s) will also establish and maintain appropriate segregation of duties between credit card processing, the processing of refunds, and the reconciliation of credit card transactions.

Accounting entries to record the receipt of the credit card payments will be made by the next business day after the credit card transaction(s) have been processed. The credit card deposit slip and receipts will also be submitted daily to the Office of the Bursar or Advancement Office of Gift Processing.

To receive approval to accept credit cards, please send an e-mail to CashMgmt@luc.edu with the following information:

If you desire to use a third party for credit card processing, please send an e-mail to CashMgmt@luc.edu with the following information:

Any third party service provider must demonstrate the ability to comply with all University policy requirements outlined in this document, most notably PCI-DSS, and must also be able to process the credit card transactions through the University Payment Gateway System. The department establishing a contract with a third party is responsible for all associated costs of the payment processing service.

You may NOT process credit cards under any circumstances without the approval of CMS.

You may NOT sign a contract with a Third Party to process credit cards under any circumstances without the approval of CMS.

Once approval has been given, the entire credit card setup process will take a minimum of four weeks, or longer depending upon the complexity of the setup and the needs of the department.

Payment Card Industry Data Security Standards (PCI-DSS) compliance

Department(s) must maintain Payment Card Industry Data Security Standards (PCI-DSS) compliance. The University Information Technology Services Department (ITS) will maintain all internal infrastructure-related issues for PCI compliance.

An annual internal audit of all credit card merchants will occur per PCI-DSS policy. ITS will also annually audit all internal infrastructure-related issues for each department.

Credit Card Equipment (Hardware and Software)

The University has purchased a payment gateway for the acceptance of credit cards via the Internet. This gateway is to be used for all Internet credit card activity. The payment gateway server will house the credit card information in an encrypted format and will only make it available to authorized personnel. Accepting payments over the Internet must be done in a secure manner, in compliance with PCI-DSS.

All credit card equipment is to be obtained via CMS, including but not limited to POS hardware and software. No wireless hardware may be used to process credit card payment data.

All hardware, including but not limited to servers, firewalls, etc., approved for credit card payment activity must be housed within the ITS Department and administered in accordance with the requirements of all University policies and the PCI-DSS. POS hardware, which is provided by CMS, is the exception to this rule.

Use of imprint machines to process credit card payments is prohibited, as they display the full 16-digit credit card number and expiration date on the customer copy.

Merchant Account

Any changes to an existing merchant account's processing must first be approved by CMS. Examples of changes include purchasing, selling, or discarding a terminal; purchasing software; or selecting a new service provider. Signing a contract with any third party vendor related to credit card processing must be approved by CMS prior to signing an agreement.

Credit Card Data Breach

If at any time a department experiences a breach or compromise of any payment information or related data, that department must report the event immediately to CMS and ITS Data Security. CMS will then assess the situation in cooperation with ITS and invoke the necessary incident response plan. CMS will then notify the University’s acquirer. Departments should also notify their respective campus information security office.

University Employees

Departments should perform applicable background checks on potential employees who will have access to systems, networks, or cardholder data. If employees have access to one card number at a time to facilitate a transaction, such as store cashiers, background checks are not required by PCI-DSS.

Any person at the University handling credit card data will be required to sign the “Responsibilities of Credit Card Handlers and Processors” form.

Record Handling

All but the last four digits of the account number must be masked when displaying cardholder data. Paper documents containing credit card information must be attached to the deposit ticket given to the Office of the Bursar or Advancement Office of Gift Processing in a confidential envelope. The Office of the Bursar will forward all credit card documents to General Accounting in a confidential envelope. Credit card data may not be stored on paper, server, laptop, floppy, CD, DVD, USB, or in any other electronic form. It is the Department's responsibility to keep credit card information secure.

Where possible, University offices should refrain from storing cardholder data. If storage is required for systems processing or legal purposes, it should be limited to no more than ninety (90) days.

Any historical documentation having credit card data on it must be destroyed by a cross-cut shredder.

For your Department to accept credit cards, you must comply with the following security measures:

Security and Privacy

You agree not to disclose or acquire any information concerning a cardholder's account without the cardholder's consent. You will not sell, purchase, provide, disclose or exchange card account information or any other transaction information. E-mail, instant messaging, and chat can be easily intercepted by packet sniffing while in transit across internal and public networks. Do not use these messaging tools to send credit card numbers or expiration dates unless they provide encryption.

Internet Credit Card Transactions

You must use the University Payment Gateway for all Internet credit card transactions. The University Payment Gateway will return a reference number for the transaction. The reference number must be retained along with pertinent information describing the transaction for a period of one year. This information must be stored using high security protection. The University Payment Gateway server will house the credit card information in an encrypted format and will only make it available to authorized personnel. Any breach of security due to poor internal controls can expose the University to significant liability and adverse publicity.

Card Swiped and Non-Swiped Credit Card Transactions

The Department accepting credit cards may keep only a copy of the Settlement Batch Report for its files. General Accounting or the Advancement Office of Gift Processing will keep the original copy of each sales draft, including all information related to the sale, for the current fiscal year. They will also maintain all card documentation (i.e., sales drafts and mail authorization forms) containing card account numbers in a secure environment limited to selected personnel, and will destroy these materials at the end of the fiscal year audit in a manner that renders them unreadable. These documents must be stored so that, if a credit card chargeback is received and proof of the credit card transaction is required, the documentation can be produced within 48 hours. Any breach of security due to poor internal controls can expose the University to significant liability and adverse publicity.

If you have any questions regarding this policy, please contact the Director, Cash Management, in CMS at CashMgmt@luc.edu.


Approved by the President’s Cabinet on October 22, 2007

Amended on November 1, 2012



Loyola University Chicago Financial Services · 820 N. Michigan Ave. LT-1300, Chicago, IL 60611