Credit Card Policy
This policy applies to all employees of Loyola University Chicago who accept credit cards as a form of payment for any item pertaining to the University, including but not limited to conferences, tickets, physical items, donations, etc., accepted via phone, mail, point of sale (POS), or e-Commerce. The University holds a system-wide contract that binds us to using one credit card processor and an Internet payment gateway, thereby necessitating a systematic process.
Cash Management Services (CMS) must approve all credit card processing at the University. The role of CMS is to administer credit card processing and to act as facilitator.
Please note that the University cannot process credit card payments for student organizations.
University departments that have been approved by CMS to accept credit card payments must also agree to operate in accordance with the contract(s) the University holds with its service provider(s) and credit card issuers. This is to ensure that all transactions are in compliance with all credit card association rules and regulations, including the Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS), as well as the University’s policies regarding security and privacy.
Department(s) will also establish and maintain appropriate segregation of duties between credit card processing, the processing of refunds, and the reconciliation of credit card transactions.
All credit card payments received must be directed into the University’s approved bank account. Department(s) may not set up their own banking relationships for payment card processing.
Revenue from credit card payments should be deposited to the specific General Ledger accounting unit and account the next business day after the credit card transaction(s) have been processed. Revenue that is not deposited will remain in the University’s general fund, and will not be allocated as departmental revenue. Deposits and supporting documentation should be made to the Office of the Bursar, Advancement Office of Gift Processing or General Accounting as appropriate.
To receive approval to accept credit cards, please send an e-mail to LUC-Payments@luc.edu with the following information:
- Department name, contact name, and telephone number
- Reason for accepting credit cards: what will be sold
- Is this function selling items such as food & beverage, merchandise or entertainment (tickets to games or other events)? If meals are included as part of a Loyola conference registration fee, answer NO. If YES:
  - Has Loyola’s Illinois sales tax exemption certificate or an Illinois CRT-61 resale certificate been provided to the merchant for the items that will be offered for sale?
  - Are these items being sold at/above the cost of the goods?
- Which University GL account will funds be deposited to?
- Are these funds remaining at the University and being collected for the benefit of the University?
- Is this function collecting any donations or fund-raising for the University or any other company or organization?
- What is the start and end date of credit card sales?
- For conferences or events: how long will the conference/event be and how many conferences/events will be held per year?
- Estimated number of transactions per year
- Estimated yearly dollar volume
- Are you accepting any other forms of payment for this function? Please detail.
- If an Internet storefront, what date should the storefront be taken offline?
- For POS terminals, please confirm where the terminal will be used and the connection type available (analog or cellular).
- For POS terminals, how many terminals are needed for the event?
- For POS terminals, please list ALL users as well as the individual who will be responsible for terminal security before, during & after the event.
- For POS terminals, where will the terminal be stored when not in use?
If you desire to use a third party for credit card processing, please send an e-mail with all of the above questions as well as the following additional information to LUC-Payments@luc.edu:
- Reason for needing to accept credit cards through a third party
- Name of the third party, and name of software and/or hardware
- A general understanding of how credit card data will be transmitted, processed and stored
- A copy of the third party’s PCI Compliance Certificate
- A copy of the contract with the third party (CMS must approve contract prior to signing.)
- Can transactions be processed on a LUC merchant account?
- Can transactions be processed via the TouchNet Payment Gateway?
Any third party service provider must demonstrate the ability to comply with all University policy requirements outlined in this document, most notably the Payment Card Industry – Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS). The third party is required to provide documentation establishing their PCI compliance, must be on VISA’s list of acceptable service providers (if applicable), and must also be able to process the credit card transactions through the University Payment Gateway System and a University merchant account established by CMS. The department establishing a contract with a third party is responsible for all associated costs in regard to the payment processing service.
You may NOT process credit cards under any circumstances without the approval of CMS.
You may NOT sign a contract with a Third Party to process credit cards under any circumstances without the approval of CMS.
Once approval has been given, the entire credit card setup process will take a minimum of four weeks, and longer depending upon the complexity of the setup and the needs of the department.
Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance
Department(s) must maintain compliance with the Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS). The University Information Technology Services Department (ITS) will maintain all internal infrastructure related issues for PCI compliance.
An annual internal audit of all credit card merchants will occur per PCI-DSS policy. ITS will also annually audit all internal infrastructure related issues for each department.
Credit Card Equipment (Hardware and Software)
The University has purchased a payment gateway for the acceptance of credit cards via the Internet. This gateway is to be used for all Internet credit card activity. The payment gateway server will house the credit card information in an encrypted format and will only make it available to authorized personnel. Accepting payments over the Internet must be done in a secure manner complying with PCI-DSS standards.
Departments can only acquire or utilize credit card processing equipment (hardware and/or software) approved and obtained through CMS. CMS maintains a list of all credit card equipment approved for use, including relocated and decommissioned equipment. Departments cannot install, replace or return credit card devices without the approval of CMS.
Assigned department personnel are trained to inspect credit card equipment. Departments must inspect their point-of-sale devices on a regular basis, comparing the equipment to the POS Terminal Characteristics Form which includes descriptions and pictures of equipment. Each department that has a point-of-sale terminal will submit the POS Terminal Inspection Checklist to CMS according to the approved schedule. Departments should notify CMS and the University Information Security Office (UISO) if something appears to be changed, added or different. More specifically, departments should inspect for skimming devices or other malware that may have been attached to or downloaded onto POS devices, which could be used by thieves to steal credit card information.
All hardware, including but not limited to servers, firewalls, etc., approved for credit card payment activity must be housed within the ITS Department and administered in accordance with the requirements of all University policies and the PCI-DSS. POS hardware is the exception to this rule and will be provided and administered by CMS.
Use of imprint machines (non-electronic portable devices that slide over a customer’s credit card to make an imprint of the information on the front of the card) to process credit card payments is prohibited, as they display the full 16-digit credit card number and expiration date.
Wireless Credit Card Processing
Departments cannot process credit card payments over a wireless internet or cellular connection via laptops, cell phones, tablets or other similar devices. Wireless credit card processing must be approved by CMS and can only be done via VeriFone vx680 swipe terminal over cellular connection.
Third Party Credit Card Processing
Departments cannot allow third party vendors to process payments on campus using Loyola’s analog lines, Ethernet connections, or wireless internet. Employees cannot share their user credentials with third parties who come on-campus, and third parties cannot use the University’s guest wireless access to process credit card payments.
Any changes to an existing merchant account processing must first be approved by CMS. Examples of changes include purchasing, selling, or discarding a terminal; purchasing software; or selecting a new service provider. Signing a contract with any third party vendor related to credit card processing must be approved by CMS prior to signing an agreement.
Credit Card Data Breach
If at any time a department experiences a breach or compromise of any payment information or related data or suspects that credit card information has been exposed, stolen or misused, that department must report the event immediately to their supervisor, CMS and ITS Information Security. CMS will then assess the situation in cooperation with ITS and invoke the necessary incident response plan. CMS will then notify the University’s acquirer.
To notify CMS, please call 312-915-7438, email LUC-Payments@luc.edu, or fax 312-915-7773. To notify ITS Information Security, call 773-508-7373, email DataSecurity@luc.edu, or submit via https://www.luc.edu/its/uiso/contacttheuiso/report.shtml. Please do NOT disclose any credit card payment data in your notification. Please include the department name and contact number.
Per the LUC HR Department "Manager Resources, Recruitment and Hiring Guide", background checks are performed on all potential employees who will have access to systems, networks, or cardholder data.
Any person at the University who handles credit card data or has access to a system that processes credit card payments will be required to sign and/or acknowledge the “Responsibilities of Credit Card Handlers and Processors” form.
Storage & Record Handling
Departments should NOT store credit card data for any reason unless data storage has been reviewed and approved by CMS. Cardholder data storage should be kept to a minimum and will only be approved if it is required for business, legal, or regulatory purposes. Sensitive authentication data including full magnetic stripe data (or equivalent on a chip) and card validation codes or values (CAV2, CVC2, CVV2, CID) should not be stored.
Stored cardholder data must be protected at all times, and such storage must be in accordance with the University’s Policy for Financial Records Retention. It is the department’s responsibility to keep credit card information secure. If your department has not been approved to store cardholder data, it may not be saved in any format including but not limited to paper, server, desktop, laptop, floppy, CD, DVD, USB, or any other electronic manner.
You must use the University Payment Gateway for all Internet credit card transactions. The University Payment Gateway server will house the credit card information in an encrypted format and will only make it available to authorized personnel.
Departments accepting credit card payments on POS Terminals may only keep a copy of the Settlement Batch Report for their files. All credit card transaction receipts must be attached to the deposit ticket given to the Office of the Bursar or Advancement Office of Gift Processing in a confidential envelope.
The Office of the Bursar will upload deposit information and destroy transaction receipts in accordance with the Policy for Financial Records Retention. The Advancement Office of Gift Processing will keep the original copy of each transaction receipt as well as any authorization forms containing information related to the transaction in a redacted format.
Any historical documentation having credit card data on it must be destroyed by a cross-cut shredder.
All but the last four digits of the account number must be masked when displaying cardholder data.
Security and Privacy
You agree not to disclose or acquire any information concerning a cardholder's account (including but not limited to the full or partial 16-digit credit card number, the expiration date or card validation code) without the cardholder's consent. You will not sell, purchase, provide, disclose or exchange card account information or any other transaction information.
Any breach of security due to poor internal controls can expose the University to significant liability and adverse publicity.
If you have any questions regarding this policy, please contact the Director of Cash Management in CMS at LUC-Payments@luc.edu.
Approved by the President’s Cabinet on October 22, 2007