Every department that accepts payments on PSU’s behalf must have a written procedure document in the office that incorporates the following policy guidelines:
- Once a payment is processed, immediately shred the portion of any form that contains credit card or routing/bank account numbers. If a credit card was used, keep the cardholder’s signature. There is no legitimate business need to retain credit card or bank account information.
- To refund a credit card, all you need is the authorization code.
- You must use a crosscut or micro-cut shredder. (Note: It is okay to use a Shred-it bin as long as it is secured to the wall or floor and is in a secure location. It is best, however, to shred documents immediately if possible.)
- If a payment cannot be processed immediately upon receipt, it must be promptly locked away in a secure location. (Note: Not all locked cabinets are secure – it depends on the type of lock that is installed on it.)
- A background check is required for anyone who will process and/or come in contact with checking or credit card information, unless all payments are point-of-sale transactions.
- If using a point-of-sale credit card terminal, it must not print all the digits of the card number and it must be locked up at the close of business each day, unless it has tamper-proof controls on it.
- If accepting payment information via fax, the fax machine should not print while you are not open for business. (If you are using a multifunctional device as your fax, contact ITS services to determine if security measures can be installed on it.)
- If you have storage files (physical or virtual) that might contain sensitive payment information, you need to review the files and remove this data immediately.
- Bolt all safes to the floor or wall.
- If you are contracting with a third-party company to accept credit card payments on PSU’s behalf, the company must be Payment Card Industry Data Security Standard (PCI DSS) compliant and provide appropriate documentation of it.
- If payments are being accepted remotely (over the phone or through a payment gateway), be sure to request the 3- or 4-digit security code.
- Effective June 2013 – If processing payments via an online payment processor, work with Information Technology Services to ensure you are accessing the processor through a dedicated machine (virtual or physical).
- Effective June 2013 – Staff members who do not process payments, whether they are internal department employees or general services employees, must not have access to locations containing payment information unless they are accompanied by a payment processing employee.
- Do not copy cash (in full or in part).
- Do not write down credit card security codes (the 3 or 4 digit security code on the back of a credit card).
- Do not copy checks.
- Do not accept credit card or checking information via email or through social networks, such as Twitter and Facebook. (Note: If an unsolicited email with credit card or checking information is received, delete the payment information immediately, let the sender know that PSU does not accept payments this way, and provide him/her with an appropriate means by which to make his/her payment.)
- Do not simply cross out or cover up payment data (e.g. with a marker or white-out). This does not provide sufficient security; the data must be cut out and shredded immediately after processing.