Credit Card Policy
This policy applies to all employees of Loyola University Chicago who accept credit cards as a form of payment for any item pertaining to the University, including but not limited to conferences, tickets, physical items, donations, etc., accepted via phone, mail, point of sale (POS), or e-Commerce. The University holds a system-wide contract that binds us to using a single credit card processor and internet payment gateway, thereby necessitating a systematic process.
Cash Management Services (CMS) must approve all credit card processing at the University. The role of CMS is to administer credit card processing and to act as facilitator.
Please note that the University cannot process credit card payments for student organizations unless approved by CMS.
University departments that have been approved by CMS to accept credit card payments must also agree to operate in accordance with the contract(s) the University holds with its service provider(s) and credit card issuers. This is to ensure that all transactions are in compliance with all credit card association rules and regulations, including the Payment Card Industry-Data Security Standard (PCI-DSS), as well as the University’s policies regarding security and privacy.
The use of Quick Response (QR) codes to direct users to make credit card payments is not authorized unless it has been reviewed and approved by CMS.
Department(s) will also establish and maintain appropriate segregation of duties between credit card processing, the processing of refunds, and the reconciliation of credit card transactions.
All credit card payments received must be directed into the University’s approved bank account. Department(s) may not set up their own banking relationships for payment card processing.
Revenue from credit card payments should be deposited to the specific General Ledger accounting unit and account the next business day after the credit card transaction(s) have been processed. Revenue that is not deposited will remain in the University’s general fund and will not be allocated as departmental revenue. Deposits, with supporting documentation, should be submitted to the Office of the Bursar, the Advancement Office of Gift Processing or General Accounting, as appropriate.
All credit card acceptance at the University is subject to review and approval by CMS. To receive approval to accept credit cards, please complete the Credit_Card_Questionnaire and email it to Cash Management at LUC-Payments@luc.edu.
If you desire to use a third party for credit card processing, please complete the Credit_Card_Questionnaire and e-mail it to CMS at LUC-Payments@luc.edu along with the following additional information:
- Reason for needing to accept credit cards through a third party
- Name of the third party, and name of software and/or hardware
- A general understanding of how credit card data will be transmitted, processed and stored
- A copy of the third party’s Attestation of Compliance (AOC)
- A copy of the contract with the third party (CMS must approve contract prior to signing.)
- Can transactions be processed on a LUC merchant account?
- Can transactions be processed via the TouchNet Payment Gateway?
Any third party service provider must demonstrate the ability to comply with all University policy requirements outlined in this document, most notably the Payment Card Industry – Data Security Standard (PCI-DSS). The third party is required to provide documentation establishing their PCI compliance, must be on VISA’s list of acceptable service providers (if applicable), and must also be able to process the credit card transactions through the University Payment Gateway System and a University merchant account established by CMS. The department establishing a contract with a third party is responsible for all associated costs in regard to the payment processing service.
You may NOT process credit cards under any circumstances without the approval of CMS.
You may NOT sign a contract with a Third Party to process credit cards under any circumstances without the approval of CMS.
Once approval has been given, the entire credit card setup process will take a minimum of four weeks, and may take longer depending upon the complexity of the setup and the needs of the department.
Payment Card Industry Data Security Standard (PCI-DSS) compliance
Department(s) must maintain compliance with the Payment Card Industry-Data Security Standard (PCI-DSS). The University Information Technology Services Department (ITS) will maintain all internal infrastructure related issues for PCI compliance.
An annual internal audit of all credit card merchants will occur per PCI-DSS policy. ITS will also annually audit all internal infrastructure related issues for each department.
Credit Card Equipment (Hardware and Software)
The University has purchased a payment gateway for the acceptance of credit cards via the Internet. This gateway is to be used for all Internet credit card activity. The payment gateway server will house the credit card information in an encrypted format and will only make it available to authorized personnel. Accepting payments over the Internet must be done in a secure manner complying with PCI-DSS standards.
Departments can only acquire or utilize credit card processing equipment (hardware and/or software) approved and obtained through CMS. CMS maintains a list of all credit card equipment approved for use, including relocated and decommissioned equipment. Departments cannot install, replace or return credit card devices without the approval of CMS.
Assigned department personnel are trained to inspect credit card equipment. Departments must inspect their point-of-sale devices on a regular basis, comparing the equipment to the POS Terminal Characteristics Form, which includes descriptions and pictures of the equipment. Each department that has a point-of-sale terminal will submit the POS Terminal Inspection Checklist to CMS according to the approved schedule. Departments should notify CMS and the University Information Security Office (UISO) if anything appears to have been changed, added or otherwise looks different. More specifically, departments should inspect for skimming devices or malware that may have been attached to or downloaded onto POS devices, which could be used by thieves to steal credit card information.
All hardware, including but not limited to servers, firewalls, etc., approved for credit card payment activity must be housed within the ITS Department and administered in accordance with the requirements of all University policies and the PCI-DSS. POS hardware is the exception to this rule and will be provided and administered by CMS.
Use of imprint machines (non-electronic portable devices that slide over a customer’s credit card to make an imprint of the information on the front of the card) to process credit card payments is prohibited, as they display the full 16-digit credit card number and expiration date.
Wireless Credit Card Processing
Departments cannot process credit card payments through the University’s wireless network unless they are using a PCI validated P2PE solution and have been approved to do so by the ITS University Information Security Office and CMS. The use of cell phones, tablets or other similar devices to process credit card payments is also prohibited. For approved wireless credit card processing, CMS can provide a handheld wireless device to process credit card payments using a cellular connection only.
Third Party Credit Card Processing
Departments cannot allow third party vendors to process payments on campus using Loyola’s analog lines, Ethernet connections, or wireless internet. Employees cannot share their user credentials with third parties who come on-campus, and third parties cannot use the University’s guest wireless access to process credit card payments.
Any changes to an existing merchant account processing must first be approved by CMS. Examples of changes include purchasing, selling, or discarding a terminal; purchasing software; or selecting a new service provider. Signing a contract with any third party vendor related to credit card processing must be approved by CMS prior to signing an agreement.
Credit Card Data Breach
If at any time a department experiences a breach or compromise of any payment information or related data or suspects that credit card information has been exposed, stolen or misused, that department must report the event immediately to their supervisor, CMS and ITS Information Security. CMS will then assess the situation in cooperation with ITS and invoke the necessary incident response plan. CMS will then notify the University’s acquirer.
To notify CMS, please call 312-915-7455 or email LUC-Payments@luc.edu. To notify ITS Information Security, call 773-508-7373, email DataSecurity@luc.edu, or submit via https://www.luc.edu/uiso/contactus/report.shtml. Please do NOT disclose any credit card payment data in your notification. Please include the department name and contact number.
Per the LUC HR Department, "Manager Resources, Recruitment and Hiring Guide" background checks are performed on all potential employees who will have access to systems, networks, or cardholder data.
Any person at the University who handles credit card data or has access to a system that processes credit card payments will be required to sign and/or acknowledge the “Responsibilities of Credit Card Handlers and Processors” form.
Storage & Record Handling
Departments should NOT store credit card data for any reason unless data storage has been reviewed and approved by CMS. Cardholder data storage should be kept to a minimum and will only be approved if it is required for business, legal, or regulatory purposes. Sensitive authentication data including full magnetic stripe data (or equivalent on a chip) and card validation codes or values (CAV2, CVC2, CVV2, CID) should not be stored.
Stored cardholder data must be protected at all times, and such storage must be in accordance with the University’s Policy for Financial Records Retention. It is the department’s responsibility to keep credit card information secure. If your department has not been approved to store cardholder data, it may not be saved in any format including but not limited to paper, server, desktop, laptop, floppy, CD, DVD, USB, or any other electronic manner.
Departments accepting credit card payments on POS Terminals may only keep a copy of the Settlement Batch Report for their files. All credit card transaction receipts must be attached to the deposit ticket given to the Office of the Bursar or Advancement Office of Gift Processing in a confidential envelope.
The Office of the Bursar will upload deposit information and destroy transaction receipts in accordance with the Policy for Financial Records Retention. The Advancement Office of Gift Processing will keep the original copy of each transaction receipt as well as any authorization forms containing information related to the transaction in a redacted format.
Any historical documentation containing credit card data must be destroyed by a cross-cut shredder.
All but the last four digits of the account number must be masked when displaying cardholder data.
Security and Privacy
You agree not to disclose or acquire any information concerning a cardholder's account (including but not limited to the full or partial 16-digit credit card number, the expiration date or card validation code) without the cardholder's consent. You will not sell, purchase, provide, disclose or exchange card account information or any other transaction information.
Any breach of security due to poor internal controls can expose the University to significant liability and adverse publicity.
If you have any questions regarding this policy, please contact the Director, Cash Management in CMS at LUC-Payments@luc.edu.
Approved by the President’s Cabinet on October 22, 2007