Business Policies and Procedures Manual
Chapter 30: Finance

Credit or Debit Card Acceptance

BPPM 30.62

For more information contact:
   Treasury Management
   509-335-8154


Overview

University units that accept credit or debit card payments are responsible for observing the following requirements regarding transactions involving card acceptance.

Acceptance

In Person

The card must be swiped through the card-processing terminal. Follow the prompts given by the terminal. Do not retain any card information after the transaction has completed.

Telephone

The card information can be keyed into the card-processing terminal. Follow the prompts given by the terminal. If any card information is written down while performing the transaction, that information must be shredded after the transaction is completed.

E-Mail

Card information must never be accepted through e-mail. If a customer sends card information through e-mail, delete the e-mail message and notify the customer that the University does not accept card information through e-mail. Provide the customer with a list of acceptable alternative methods for sending card information, e.g., fax, mail, telephone.

If the University card processor replies to the original e-mail, he or she is to ensure that card information is removed before sending the reply.

Fax Messages

Most PC-based fax software does not provide a secure repository for storing incoming fax messages; therefore, the best method to accept card information is by using a standalone fax machine in a controlled location. Treat a fax message in the same manner as cash.

The card information can be keyed into the card-processing terminal. Follow the prompts given by the terminal. Once the transaction is complete, the part of the fax containing card information must be rendered unreadable. If the entire fax message must be retained, mark out the card information with a secure redacting marker.

Mail

The card information can be keyed into the card-processing terminal. Follow the prompts given by the terminal. Once the transaction is complete, the part of the mailed form containing card information must be rendered unreadable or shredded. Shredding is preferable, but marking out the card information with a secure redacting marker is acceptable.

Note: A card verification number must never be mailed. This number is the three- or four-digit code printed on the front or back of the card, and is often described as a CVV, CVV2, CID, or CVC2 code.

Form Design

When designing a form that includes card data fields, place those fields at the bottom of the form. Card information required to process a mail order transaction includes cardholder name, billing address, card number, and card expiration date.

After the payment has been processed, remove the data by cutting or tearing the applicable fields from the form bottom. If the form is to be scanned or otherwise imaged, remove the card data prior to processing. Shred all paper card information prior to disposal.

Note: A card verification number must never be written down in conjunction with the card number and expiration date.

Processing Delay

It is preferable to only accept card information when it can be processed immediately. If a delay is required and card information must be stored, do not store it in electronic format. Treat paper documents containing card information as if they were cash.

_______________________
Revisions: May 2014 – new policy (Rev. 431).