Merchant Credit Card Acceptance Policy
The University’s credit card program is managed by the Office of Treasury Operations pursuant to applicable state and federal laws and regulations, and the regulations of the payment card industry (PCI). All credit card collection programs must be registered with the Treasury Office. For purposes of this policy, the term credit card includes branded debit cards (bearing a credit card logo and not requiring PIN input) unless otherwise indicated.
University departments may accept credit cards for the payment of tuition deposits, transcripts, application fees, housing deposits, miscellaneous charges, conference fees, event tickets, payments in collection and donations. Except as related to the School of Professional and Continuing Studies (PCS) and all Summer Sessions, tuition, room and board, general fees, and technology fees may not be collected by credit card.
All fees and charges associated with credit card payments are the responsibility of the department collecting the receipts.
Fordham accepts Visa, MasterCard, Discover and American Express cards.
Reason for Policy
Credit card data is high-risk confidential information that is protected by state and federal law, and Fordham University has a legal obligation to protect it. Credit card associations require all merchants to follow protocols entitled Payment Card Industry Data Security Standards (“PCI DSS”), which are designed to prevent cardholder fraud and identity theft. PCI DSS is a set of association-mandated requirements for the handling of credit card information, classification of merchants and validation of merchant compliance. All merchants must comply with PCI DSS before accepting credit cards and must also certify their compliance annually. The risks of noncompliance include substantial fines and penalties imposed on the University by the card associations, liability for all financial losses incurred as a result of a security failure, and damage to the University’s reputation.
Who Must Comply
All individuals and departments that collect credit card payments; that process, store or transmit cardholder data; or that plan to outsource the process.
Credit card acceptance is a convenience, but it also entails legal and financial risk for the University and requires substantial compliance activities. Before requesting a merchant account, departments should consider the risks and responsibilities associated with accepting credit cards, as well as payment alternatives.
A Merchant Identification Number (MID) is an account established with the University’s credit card processor and bank to uniquely identify and track credit/debit card sales and processing fees. MIDs are approved and assigned by the Office of Treasury Operations.
The department requesting the Merchant ID must identify an individual who shall be responsible for reporting and for compliance with this policy. Changes to responsible parties must be reported to the Treasury Office.
For one-time events or to set up an event: Contact Treasury Operations at 718-817-4544.
1. Ongoing Merchant ID:
a. Request an Application for Merchant ID form, to understand the types of information required for merchant set up.
b. Understand merchant compliance requirements.
c. Prepare a rough estimate of monthly dollar and transaction volumes.
d. Agree to prepare monthly reconciliation and send information to the Controller’s office.
e. Must be signed by area Dean or Vice President.
2. Request merchant account.
a. All Merchant account requests must be signed by a Dean or Vice-President for his/her department.
b. To establish a new merchant account, complete and submit the following forms to the Treasury Department:
- Application for Merchant ID
- Signed acceptance for Fordham University Credit card policy
3. Allow sufficient time for merchant set up. Depending on the complexity of the request, setting up a new credit card merchant account can take several weeks after Treasury Operations has received and approved all of the appropriate documentation. Schools/Departments should request merchant accounts as soon as possible after determining one is needed.
4. Transmission of monthly reconciliation information to the Controller’s office.
5. Compliance and annual certification. These include annual certifications, monthly reconciliations, and audits where appropriate.
The Office of Treasury Operations is responsible for determining into which of the University’s bank accounts credit card collections will be deposited.
Accounting Reconciliation Procedures:
1. Each department is responsible for reporting all credit card transactions to the Controller’s office on a monthly basis. Such reports should provide the budget codes to which income would be credited and credit card fees would be debited.
2. The Controller’s Office is responsible for performing monthly reconciliation on the bank accounts that receive credit card deposits.
3. Each department is responsible for researching and resolving all unreconciled transactions within 30 days of transaction dates.
4. Each department is responsible for responding to all chargeback requests and inquiries for additional information from the card processor.
5. Each department will be responsible for all processing charges, including monthly Merchant ID fees, and will advise the Controller’s Office of the budget codes to which such charges should be applied.
Compliance and Annual Certification
The PCI DSS is a comprehensive set of international security requirements to help protect cardholder data and prevent fraud and identity theft. All acquirers and card issuers must comply, and must also ensure the compliance of their merchants and service providers who store, process or transmit customer data.
1. Building and Maintaining a secure network – Install and maintain firewall configurations to protect cardholder data.
2. Not using vendor-supplied defaults for system passwords and other security parameters.
3. Protecting cardholder data.
a. The card verification code or value (the 3-digit or 4-digit number printed on the front or back of the credit card) is not to be stored under any circumstances.
b. The personal identification number (PIN) or the encrypted PIN block is not to be stored under any circumstances.
c. All primary account numbers (PANs) should be masked. Viewing will be limited to employees and other parties with a legitimate need to know.
4. Encrypt transmission of cardholder data across open, public networks.
5. Maintaining a vulnerability management program – Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Implementing Strong Access Control Measures – Restrict access to cardholder data by business need-to-know.
8. Regularly monitor and test networks –
a. Track and monitor all access and regularly test security systems.
b. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data – all paper and electronic records must be stored in secured locations.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintaining an Information Security Policy – maintain a policy that addresses information security.
In addition, all merchants must validate their compliance by completing an annual certification.
IT Risk and Data Integrity performs periodic merchant audits and evaluates the security levels of credit card server locations. It advises the Office of Treasury Operations of the results of such audits and evaluations and of any related action necessary to maintain compliance.
The Office of Treasury Operations is responsible for facilitating user training and for monitoring all non-IT related components of the credit card collection program. This office is also responsible for filing the annual compliance certificates.
Credit Card Policy Acceptance
I hereby certify that I have read and accept Fordham University’s Credit Card Policy. Please use the electronic signature to accept the policy.