FIN-037: Governance and Compliance Requirements for Payment Card Activities

Status: Final
Policy Type: University
Oversight Executive: Vice President for Finance
Applies To: Academic Division and the College at Wise.
Reason for Policy:

The University is committed to protecting cardholder data from loss or compromise. Consistent with that commitment, the University requires adherence to the Payment Card Industry Data Security Standards (PCI-DSS). In addition to protecting cardholder data, adherence to PCI-DSS reduces the likelihood of fines, penalties, and reputational damage to the University associated with data breaches.

The University’s adherence to the PCI-DSS is a contractual requirement. This policy identifies the administrative offices responsible for establishing business processes for University units that process, store, or transmit cardholder data. Cardholder data are “highly sensitive data” subject to the security requirements of University policy and must be protected in accordance with all related University policies, standards, and procedures in addition to the PCI-DSS.

[Note: The aligned policy for the Medical Center is 0335, Use of Payment Cards at the Medical Center.]

Definition of Terms in Statement:
  • Attestation of Compliance (AOC):

    Forms a merchant, service provider, or Qualified Security Assessor (QSA) may use to attest to the results of an annual Payment Card Industry Data Security Standards self-assessment.

  • Cardholder Data (CHD):

    Primary cardholder account number that identifies the issuer and a particular cardholder account, which can include cardholder name, expiration date and/or service code.

  • End User License Agreement (EULA):

    A legal contract between the software licensor and purchaser which establishes the purchaser’s right to use the software. Many EULAs are digital documents where the purchasers must “accept” terms and conditions by way of a “click-through” agreement.

  • Merchant:

    A University unit that accepts payment cards (MasterCard, Visa, Discover, and American Express) as payment for goods or services. Merchant also includes any University-affiliated party that directly or indirectly accepts funds from payment cards under the University’s Merchant Account managed by University Payment Card Services and has agreed to abide by this policy and associated procedures.

  • Merchant Account:

    A unique identification number assigned to a merchant by MasterCard/Visa/Discover and American Express which binds the Merchant to Payment Card Rules and Regulations.

  • Payment Card:

    Credit cards and debit cards linked to the cardholder’s account at a financial institution, e.g., an individual or an employer’s business account.

  • Payment Card Industry (PCI) Data Security Standards (DSS):

    A robust security framework consisting of 12 baseline requirements for technical and operational controls pertaining to the protection of cardholder data. An annual attestation of compliance with the PCI-DSS is required for all entities involved in payment card processing.

  • Qualified Security Assessor (QSA):

    An individual who has been certified by the Payment Card Industry Security Standards Council to validate a merchant’s or service provider’s adherence to the Payment Card Industry Data Security Standards.

  • Report on Compliance (ROC):

    A survey tool used annually by eligible merchants and service providers to evaluate their compliance with the Payment Card Industry Data Security Standards.

  • Self-Assessment Questionnaire (SAQ):

    A survey tool used annually by eligible merchants and service providers to evaluate their compliance with the Payment Card Industry Data Security Standards.

  • Service Provider:

    An entity, other than a card brand, that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes entities that provide services that could impact the security of cardholder data.

  • University Payment Card Services (UPCS):

    An administrative unit within UVAFinance that oversees payment card activity for the Academic Division, the College at Wise, and University-Affiliated Parties.

  • University-Affiliated Party:

    An entity other than a unit of the Academic Division, the Medical Center, or the College at Wise authorized to collect funds to support the University’s activities, units, or mission and that has agreed to comply with the terms of this policy. This may include but is not limited to University-Related Foundations, contract vendors, and student organizations.

Policy Statement:

The use of payment cards to collect funds, whether received directly or through a third party, requires review and approval by the appropriate University administrative offices before contracts are signed, merchant accounts are obtained, or revenue resulting from payment card processing is received. Additionally, any University-affiliated party authorized to collect funds on behalf of the University must abide by the requirements of this policy.

  1. Contract Review:
    All contracts, including click-through end user license agreements (EULAs), with service providers that accept payment card payments on behalf of University units or activities must be signed by an Authorized Signatory as described in university policy FIN-036, Signatory Authority for Executing University Contracts, and handled in accordance with FIN-030, Purchases of Goods and Services for the Academic Division and the College at Wise. This requirement applies whether or not the University is being charged for the service.

    New or renewal contracts, including purchase orders, that currently include payment card processing or could include payment card processing by a unit of the Academic Division or the College at Wise or by a contracted third-party must include the latest version of the “Data Protection Addendum.”

    As part of the contract review process, the Procurement and Supplier Diversity Services “Buyer” (i.e., contract negotiator) will assure that the contract terms have been reviewed and approved by the University administrative office(s) responsible for Payment Card Industry Data Security Standards (PCI-DSS) compliance and information security.

  2. Business Process Approval and Merchant Requirements:
    All activities, equipment, and software used by a merchant that are related to payment card processing must be approved by University Payment Card Services (UPCS). Any subsequent addition or change to approved processes or equipment must also be reviewed and approved.

    Merchants must comply with PCI-DSS, including but not limited to, completing an annual Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), or Report on Compliance (ROC) as appropriate. These requirements are a contractual obligation for any entity involved in payment card processing or that might receive revenue from payment card transactions.

    New or expanded revenue generating activities must be approved in accordance with University policy FIN-049, Revenue Generating Activities before payment cards are accepted or revenue received.

    All costs for transaction fees, website development (except as noted below), equipment, or operations associated with conducting these transactions will be borne by the Merchant. In addition, the Merchant will pay any fees and penalties associated with failure to comply with related University policies, standards, procedures, or the PCI-DSS.

    The Merchant is responsible for collecting, reporting, and remitting Virginia Sales Tax in accordance with University policy FIN-032, Collecting, Reporting, and Remitting Virginia Sales Tax.

    Payment cards may be accepted only using methods authorized by UPCS.

    Note: Mobile payment processes through Class III personal devices (such as smart phones, tablets, PDAs, etc.) coupled with payment applications (apps) or attached hardware (e.g., Square®, Mobile Pay®, MobileMerchant®, etc.) are not authorized for use at this time.

  3. Information Security Requirements:
    Cardholder data are considered highly sensitive data and must be protected in accordance with all related University policies, standards, and procedures in addition to the PCI-DSS.

    Websites that include a payment processing component, pass cardholder data through to a payment page, or receive cardholder data that are returned from a payment page must be structured such that all website content resides on a PCI-DSS compliant web server. This requirement applies to UVA-hosted or managed web servers and to web servers hosted and managed by a contracted third-party.

    The only UVA-managed PCI-DSS compliant web server currently available to units in the Academic Division, the College at Wise, and University-affiliated parties is the Acquia web server managed by Information Technology Services – Custom Applications & Consulting Services (ITS-CACS).

    Note: UVAFinance centrally funds ITS-CACS to develop basic payment pages for merchants in the Academic Division and College at Wise. Merchants may use the basic pages provided or contract directly with ITS-CACS for custom page or site development services.

  4. University-Affiliated Parties:
    Requests to accept payment cards by University-affiliated parties may be authorized by UPCS provided they agree to abide by the requirements of this policy and associated procedures.

  5. Compliance with Policy:
    Failure to comply with the PCI-DSS may result in suspension of the University’s ability to accept payment cards as well as fines, penalties, and reputational damage. The University reserves the right to suspend or terminate a merchant number and/or a merchant’s ability to process payment cards in order to confirm compliance with University policy and the PCI-DSS, or if the merchant creates significant institutional risk that is not appropriately mitigated.

    The authority to suspend or terminate merchant activities resides with UPCS for the Academic Division, College at Wise, and University-affiliated parties.

    Failure to comply with the requirements of this policy may result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies.

    Questions about this policy should be directed to the Contact Office.

Procedures:

Application Process for a Payment Card Merchant Account (Academic Division, College at Wise, and University-Affiliated Parties)

[Links to be added:]
Application process for a one-time event conducted by a University unit
Approval for a Third-Party Process – revenue collected on a unit’s behalf
PCI Compliance at the department level

Related Information:

FIN-036: Signatory Authority for Executing University Contracts
IRM-xxx: [links to be added]
Acceptable Use
Data Protection
Information Security
Privacy and Confidentiality

Medical Center Policy #0335, Use of Payment Cards at the Medical Center

Health System Policy HSG-002, Fundraising

Policy Background:

This is the first version of this policy.

Major Category: Finance and Business Operations
Category Cross Reference: Governance
Next Scheduled Review: 08/03/2017
Approved by, Date: Executive Vice President & Chief Operating Officer, 08/03/2017