Business Policies and Procedures Manual
Credit or Debit Card Acceptance
University units that accept credit or debit card payments are responsible for observing the following requirements regarding transactions involving card acceptance.
The card must be swiped through the card-processing terminal. Follow the prompts given by the terminal. Do not retain any card information after the transaction has completed.
The card information can be keyed into the card-processing terminal. Follow the prompts given by the terminal. If any card information is written down while performing the transaction, that information must be shredded after the transaction is completed.
Card information must never be accepted through e-mail. If a customer sends card information through e-mail, delete the e-mail message and notify the customer that the University does not accept card information through e-mail. Provide the customer with a list of acceptable alternative methods for sending card information, e.g., fax, mail, telephone.
If the University card processor replies to the original e-mail, he or she is to ensure that card information is removed before sending the reply.
Most PC-based fax software does not provide a secure repository for storing incoming fax messages; therefore, the best method to accept card information is by using a standalone fax machine in a controlled location. Treat a fax message in the same manner as cash.
The card information can be keyed into the card-processing terminal. Follow the prompts given by the terminal. Once the transaction is complete, the part of the fax containing card information must be rendered unreadable. If the entire fax message must be retained, mark out the card information with a secure redacting marker.
The card information can be keyed into the card-processing terminal. Follow the prompts given by the terminal. Once the transaction is complete, the part of the mailed form containing card information must be rendered unreadable or shredded. Shredding is preferable, but marking out the card information with a secure redacting marker is acceptable.
Note: A card verification number must never be mailed. This number is the three- or four-digit code printed on the front or back of the card, and is often described as a CVV, CVV2, CID, or CVC2 code.
When designing a form that includes card data fields, place those fields at the bottom of the form. Card information required to process a mail order transaction includes cardholder name, billing address, card number, and card expiration date.
After the payment has been processed, remove the data by cutting or tearing the applicable fields from the form bottom. If the form is to be scanned or otherwise imaged, remove the card data prior to processing. Shred all paper card information prior to disposal.
Note: A card verification number must never be written down in conjunction with the card number and expiration date.
It is preferable to only accept card information when it can be processed immediately. If a delay is required and card information must be stored, do not store it in electronic format. Treat paper documents containing card information as if they were cash.
Revisions: May 2014 – new policy (Rev. 431).