Policy: Payment Card Acceptance

PURPOSE

This document addresses payment card acceptance at the Michigan State University Police Department (Department). These procedures are put into place to comply with the Payment Card Industry Data Security Standard (PCI DSS).

POLICY

It is the policy of this Department that all applicable rules, regulations, statutes and ordinances are followed when accepting payment cards, and that all procedures comply with University requirements in this regard.

PROCEDURES

In person transactions

Payment cards will only be accepted if the person making the payment is the cardholder.

If a person presents a corporate card, the name on the card must match the person presenting it.

Employees will first ask to see a photo identification card of the cardholder.

Employees will process the payment through the swipe machine, resulting in merchant and customer receipts of the transaction.

Customers will sign the merchant receipt.

Employees will compare the signature on the signed merchant receipt against the signature on the back of the payment card.

If a PIN is used, the customer signature does not have to be verified.

Telephone transactions

Telephone payments may be accepted only for the amount due to release a towed vehicle or to purchase a Special Transportation (SpecTran) pass.

Credit card payments can only be processed over the phone during Parking Office business hours.

This payment method will be used only when the customer cannot pay in person.

The phone operator must key the card number directly into the swipe machine while processing the payment. The card number must not be written down anywhere.

The phone operator must inform the customer of all related fees and provide the customer with a total amount due before entering the payment into the swipe machine.

The phone operator will complete the transaction while still on the phone with the customer so that no card data needs to be written down.

Once the payment has been processed, if it was for a towed vehicle, the phone operator will put a note in Flex stating that the towing fee has been paid.

The phone operator must attach the receipt from the credit card swipe machine to the towing slip so that the person releasing the vehicle knows that payment has been made.

The receipt from the credit card swipe machine must be given to the customer when they come in to have their vehicle released.

Email transactions

Payments using payment cards through email are strictly prohibited.

If a customer sends payment card data within an email to the Department, the employee receiving it will contact the customer to suggest alternate methods of payment.

The employee will not reply to the email without first removing the card data from the quoted message.

Employees will then delete the original email from both their inbox and their trash/deleted items folder.

Mail-in Transactions

Payments by payment card sent through the U.S. Postal Service are strictly prohibited.

If a customer sends payment card data through the U.S. Mail to the Department, an employee shall contact the customer to suggest alternate methods of payment.

The employee will then cross-cut shred the payment card data received through the U.S. Mail without making any copies of it.

Other methods

Any other methods of payment using a payment card are expressly prohibited.

Storage

The Department will never store cardholder data electronically on desktop computers or servers.

The Department will never store any cardholder data in paper files.

The Department will never store any card security codes, i.e., the card verification code or value (CVV/CVV2, CVC2, CID) printed on the card, even in encrypted form.

The Department will never solicit or send card numbers by email, by fax or by any other unsecured channel.

Restrict Access

The Department limits access to cardholder data on a “need to know” basis.

Need-to-know access is granted to employees responsible for responding to customer inquiries and chargeback requests.

Any other access would be considered on a case-by-case basis.

The Department restricts physical access to the card swipe machine.

Access to payment card related systems or data is revoked immediately when an employee no longer performs duties related to payment cards.

Use of any wireless communication that has not been approved for Payment Card Industry (PCI) use to access any part of the payment card process is strictly prohibited.

Cardholder data may not be stored or retained in any manner.

Responsibility

General payment card data security in the office is every staff member's responsibility, while overall responsibility rests with the manager.

The supervisors are responsible for creating, distributing, and enforcing security policies and procedures.

All employees are responsible for controlling general access to payment card data, while lead workers and supervisors monitor and control that access.

Awareness Program

All Department employees shall be properly trained in cardholder data security when they begin duties involving cardholder data, with refresher training at least annually.

All Department employees are required to acknowledge in writing that they understand the Department's payment card data security policies and procedures, and to reaffirm that understanding annually.

Breach Reporting

In the event of a breach or a suspected breach, the Department employee will immediately alert their supervisor.

The supervisor will notify the Management Services Bureau Deputy Director (or designee), who will in turn report the breach to the PCI Compliance Office.

If the Deputy Director or designee cannot be reached, the suspected incident will be reported directly to the MSU PCI Compliance Office or the MSU Office of the Controller.

A breach must be reported whenever an environment in which cardholder data is handled or stored has been compromised.

The Department is not required to know whether the cardholder data itself was compromised; compromise of the environment is sufficient to require a report.