The Office of Treasury Operations has oversight for the university's credit card operations and has developed guidelines for campus merchants who wish to accept credit cards as payment for goods and services. This section addresses the nuances of credit card processing, including the university's Cardholder Data Security Policy, Payment Card Industry (PCI) Compliance, and establishing a campus merchant ID.
Credit Card Policy
The Offices of Treasury Operations and Information Technology have partnered to assess the university's overall credit card acceptance compliance with the Payment Card Industry (PCI) Data Security Standards. Adherence to these standards is mandated by the banks that settle all credit card transactions. American University is committed to protecting cardholder data. Ensuring that appropriate safeguards are in place reduces the possibility of a data breach that could result in significant penalties, reputational harm, and the suspension of credit card acceptance privileges. The Office of Treasury Operations has developed a new University Policy governing Cardholder Data Security and companion procedures to assist our community with safeguarding cardholder data.
The Payment Card Industry (PCI) has adopted security standards that mandate the proper handling, processing, and storing of cardholder data as it relates to credit card acceptance. These standards were developed by VISA, MasterCard, Discover, and American Express for merchants who accept these cards as forms of payment. They apply to e-commerce, mail/telephone order, and card-present transactions. The university's Cardholder Data Security Policy was developed in adherence to these standards.
The university has approved devices for mobile payments processing that meet the requirements for PCI processing. For information on mobile payments processing for your unit, please contact Bob Carter, firstname.lastname@example.org.
With the evolving scope of PCI and data security in general, it is incumbent upon university departments that wish to accept credit cards as a form of payment to adhere to the standards set forth by the Payment Card Industry. Failure to comply could result in fines and/or suspension of credit card privileges by the credit card companies.
The Payment Activity Acceptance Clarification (PAAC) form must be completed by departments wishing to accept credit cards for payment of goods and services. Upon submission and review by Treasury Operations, a Merchant ID will be assigned. Users also will be required to sign a university confidentiality agreement.
Departments that wish to accept credit cards for payment will incur the cost of the point-of-sale terminal or other devices, as well as OIT data line installation fees.
The Office of Treasury Operations will assist in the installation of hardware or software and provide initial training on use of the devices. PCI also mandates that the university provide annual security awareness training to individuals who handle sensitive cardholder data as part of their normal job function. This training is coordinated by Treasury Operations.