Credit Card Policy
The University’s credit card program is managed by the Office of Treasury Operations pursuant to applicable state and federal laws and regulations, and the regulations of the payment card industry. All credit card collections programs must be registered with the Treasury Office. For purposes of this policy, the term credit card includes branded (having credit card logo and not requiring PIN input) debit cards unless otherwise indicated.
University departments may accept credit cards for the receipt of payments for transcripts, application fees, housing deposits, miscellaneous charges, conference fees, event tickets, payments in collection and donations. Except as related to the School of Professional and Continuing Studies (PCS) and all Summer Sessions, tuition, room and board, general fees, and technology fees may not be collected by credit card.
All fees and charges associated with credit card payments are the responsibility of the department collecting the receipts.
Fordham accepts Visa, MasterCard, Discover and American Express cards only.
Reason for Policy
Credit card data is high-risk confidential information that is protected by state and federal law, and Fordham University has a legal obligation to protect it. Credit card associations require all merchants to follow protocols entitled Payment Card Industry Data Security Standards (“PCI DSS”), which are designed to prevent cardholder fraud and identity theft. PCI DSS is a set of association-mandated requirements for the handling of credit card information, classification of merchants and validation of merchant compliance. All merchants must comply with PCI DSS before accepting credit cards and must also certify their compliance annually. The risks of non-compliance include substantial fines and penalties imposed on the University by the card associations, liability for all financial losses incurred as a result of a security failure, and damage to the University’s reputation.
Who Must Comply
All individuals and departments that collect credit card payments or process, store or transmit cardholder data, or plan to outsource the processing, storage or transmission of cardholder data, must comply fully with this policy.
It should be noted that while accepting credit cards is a convenience for customers, it also entails legal/financial risk for the University and requires substantial compliance activities. Before requesting a merchant account, departments should consider the risks and responsibilities associated with accepting credit cards, as well as payment alternatives.
The basic accounting and control element for credit card collection is the Merchant ID. The ID is an account established with the University’s credit card processor to uniquely identify and track credit/debit card sales and processing fees for a department or program within a department. Merchant IDs are approved and assigned by the Office of Treasury Operations (see below).
There is a monthly fee for each Merchant ID and departments are requested to consolidate collection programs under a single ID when practicable. Requests for more than one Merchant ID must include supporting justification.
The department requesting the Merchant ID must identify a single individual who shall be responsible for compliance with this policy. Changes to responsible parties must be reported to the Treasury Office.
For one-time events or to set up an event: Contact Treasury Operations at 718-817-4544.
1. Ongoing Merchant ID:
   1. Review the Application for Merchant ID form available from Treasury Operations, to understand the types of information required for merchant set up.
   2. Understand merchant compliance requirements.
   3. Prepare a rough estimate of monthly dollar and transaction volumes.
   4. Agree to prepare monthly reconciliation and send information to the Controller's office.
   5. Must be signed by area Dean or Vice President.
2. Request merchant set up.
   1. All Merchant account requests must be signed by a Dean or Vice-President on behalf of his/her department.
   2. To establish a new merchant account, complete and submit the following forms to Treasury Department:
      1. Application for Merchant ID form available from Treasury Operations
      2. Signed acceptance of Fordham University Credit Card Policy
   3. Allow sufficient time for merchant set up. Depending on the complexity of the request, setting up a new credit card merchant account can take several weeks after Treasury Operations has received and approved all of the appropriate documentation. Schools/Departments should request credit card merchant accounts as soon as possible after determining one is needed.
3. Transmission of monthly reconciliation information to the Controller’s office.
4. Compliance and annual certification. These include annual certifications, monthly reconciliations, and audits where appropriate.
The Office of Treasury Operations is responsible for determining into which of the University’s bank accounts credit card collections will be deposited.
In general, the processing of credit card receipts involves two stages. The first or front-end stage is utilized when a transaction is initially recorded; the second stage involves the movement of funds through the banking system.
The University uses a single vendor for the second stage. Unless expressly approved by Treasury, all credit card processing must use this vendor.
All front-end processors must be compatible with the second stage processor as determined by Treasury. The University currently uses TouchNet as its stage 2 processor.
Accounting Reconciliation Procedures:
1. Each department is responsible for reporting their credit card transactions to the Controller’s office on a monthly basis. Such reports should provide the budget code to which each transaction should be credited, as well as the date of each transaction.
2. The Controller’s Office is responsible for performing monthly reconciliation on the bank accounts that receive credit card deposits.
3. Each department is responsible for researching and resolving all unreconciled transactions within three months of transaction dates.
4. Each department is responsible for responding to all chargeback requests and inquiries for additional information from the card processor.
5. Each department will be responsible for all processing charges, including monthly Merchant ID fees, and will advise the Controller’s Office of the budget codes to which such charges should be applied.
Compliance and Annual Certification
The PCI DSS is a comprehensive set of international security requirements to help protect cardholder data and prevent fraud and identity theft. All acquirers and card issuers must comply, and must also ensure the compliance of their merchants and service providers who store, process or transmit customer data.
1. Building and Maintaining a secure network – Install and maintain a firewall configuration to protect cardholder data.
2. Not using vendor-supplied defaults for system passwords and other security parameters
3. Protecting cardholder data
   a. The card verification code or value (3-digit or 4-digit, printed on the front or back of the credit card) is not to be stored under any circumstances
   b. The personal identification number (PIN) or the encrypted PIN block are not to be stored under any circumstances
   c. All primary account numbers (PANs) should be masked, and viewing will be limited to employees and other parties with a legitimate need to know.
4. Encrypt transmission of cardholder data across open, public networks
5. Maintaining a vulnerability management program – Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Implementing Strong Access Control Measures – Restrict access to cardholder data by business need-to-know.
8. Regularly monitor and test networks
   a. Track & Monitor all access and regularly test security systems.
   b. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data – all paper and electronic records must be stored in secured locations.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintaining an Information Security Policy – maintain a policy that addresses information security.
In addition, all merchants must validate their compliance by completing an annual certification.
IT Risk and Data Integrity performs periodic merchant audits and evaluates the security levels of credit card server locations and advises the Office of Treasury Operations of the results of such audits and evaluations and of any related action necessary to maintain compliance.
The Office of Treasury Operations is responsible for facilitating user training and monitoring all non-IT related components of the credit card collection program. This office is also responsible for filing the annual compliance certificates.