
Credit Card Processing and Security Policy

PURPOSE

The purpose of this policy is to define the guidelines for accepting and processing credit cards and storing personal cardholder information.  The policy will help to ensure that cardholder information supplied to The College of Saint Benedict is secure and protected.  The College is complying with credit card company requirements and the Payment Card Industry Data Security Standard. 

SCOPE

This policy applies to all College of Saint Benedict employees.   The policy pertains to all departments that process, transmit, or handle cardholder information.  The cardholder information may be in a physical or an electronic format.

POLICY

All transactions that the College processes must meet the standards outlined in the policy.

  1. Electronic credit card numbers should not be transmitted or stored on a personal computer or e-mail account. Electronic lists of customers' credit card numbers should not be retained. Credit card information should only be accepted online, by telephone, mail, or in person. This information should not be accepted via e-mail and departments should not e-mail credit card information.
  2. Physical cardholder data must be locked in a secure area.  Access should be limited to individuals that require the use of the data.  Access should also be restricted on a ‘need to know’ basis.
  3. Only essential information should be stored. Do not store the Card Validation Code (also known as the Security Digits, V Code, or CID). Do not store users' PINs or the full data from a card's magnetic stripe.
  4. Credit card information should only be retained for the time needed to process, or if retained for reconciliation, for a maximum of one year if necessary.
  5. Credit card information, if it does not need to be retained, should be destroyed. Information should be destroyed by shredding (cross-cut) immediately after processing, or immediately after it no longer needs to be retained.
  6. Credit card receipts may only show up to the last five digits of the credit card number. If receipts show more than the last five digits, the receipts must be shredded or retained in a secure area.
  7. All departments must comply with the Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
  8. Exceptions to the policy may be granted by the College Controller.

PROCEDURES

All credit card and debit card transaction acceptance, including web-based transactions, must be initiated and controlled through the College Controller. Because the sale of goods and services to entities outside the college community may raise special considerations, questionable sales issues should be reviewed by the Controller’s Office.

Departments that need to accept credit/debit cards and obtain a physical terminal to either swipe or key transactions need to contact the Controller’s Office to execute the required paperwork, obtain a Merchant Number, and be given direction as to how to process those transactions for accounting purposes.

Departments wishing to engage in electronic transactions are required to use the College of St. Benedict’s Touchnet credit card processing system. Touchnet is a safe and secure electronic payment mechanism. All servers and computers used for electronic transactions will be secure and Payment Card Industry compliant. After contacting the College of St. Benedict’s Controller, a specialized Merchant Number can be established, and the department will be provided with contacts to receive technical instruction. The department will be responsible for creating its own web site and integrating it with the Touchnet system. Once the web site passes the required payment parameters, secure payment will be executed, and approval codes and other related elements will be returned to the originating web site.

Under no circumstances is it permissible to obtain, send, or transmit credit card information by e-mail.

The only approved payment mechanism for electronic transactions on the web at the College of St. Benedict is the Touchnet system.  Exceptions to this procedure may be granted only after a request from the department has been reviewed and approved by the College of St. Benedict’s Controller. 

SANCTIONS

If the requirements of the policy are not followed, suspension of physical and/or electronic payment options will result.  Fines may also be imposed by the affected credit card company.

Minimum fines from VISA for violation of the Payment Card Industry Data Security Standard begin at $50,000. The College may be required to report violations to the appropriate authorities.