University Policies
Policy Contact
Financial Services Email 401-863-2531

Accepting and Handling Payment Cards Policy

Policy No. Issue Date Effective Date
07.55.05

1.0 Policy Purpose

The purpose of this policy is to ensure that all Payment Card transactions are accepted and handled in compliance with Payment Card Industry Data Security Standards (PCI DSS). This policy also serves to protect and prevent the loss or disclosure of cardholder data (CHD).

2.0 To Whom the Policy Applies

This policy applies to all University departments that accept Payment Cards as a form of payment for any goods, services, or contributions whether accepted via phone, mail, point of sale (POS), eCommerce, or any other appropriate channel. This policy also applies to all employees involved in Payment Card handling, including the transmission, storage, and/or processing of Payment Card numbers or associated tokens.

3.0 Policy Statement

Any use of Payment Card business at Brown University must be consistent with the mission and business of the University and conform with University rules, policies, and procedures relating to and regulating the conduct of commercial transactions. Payment Cards may be accepted only when there is a valid business need and only for goods, services, and contributions to the University (e.g., conferences, tickets, student events, donations, etc.).

3.1 Authorization to Establish Payment Card Business

A department seeking to accept payment card transactions must submit a New Merchant Request Form and receive written approval from Financial Services and the University Commerce Committee.

3.2 Acceptable Payment Cards & Digital Wallet

Brown currently has negotiated contracts with and accepts Visa, MasterCard, Discover (including Discover network cards), and American Express. In addition, various digital equivalents are accepted (e.g., GPay, ApplePay, Venmo, PayPal). For the purpose of this policy, digital equivalents are included in the term “Payment Card.” Departments may not negotiate their own contracts with Payment Card or digital wallet financial companies.

3.3 Authorized Third Party Service Providers (TPSPs)

Departments engaging in Payment Card business must either use an authorized TPSP or provide evidence to the University Commerce Committee that existing authorized TPSPs cannot meet the business needs of the department, and that an alternative TPSP meets University requirements for security and for integrating transaction information into Brown’s financial system. The University Commerce Committee has the authority to approve or deny a department’s request for an exception to the existing process or authorized TPSPs.

3.3.1 Payment Card Processing

Brown University has contracted with Heartland Payment Systems and FiServ as the primary third-party Payment Card payment processors/acquirers to facilitate the financial authorization and settlement of all Payment Card transactions.

3.3.2 Storefront Services

Brown University uses TouchNet Information Systems, Inc. to provide Marketplace as the preferred storefront (shopping cart) option available for all e-commerce applications authorized by the University. Any other storefront services considered must be compatible with TouchNet’s Payment Gateway and meet PCI DSS and adhere to applicable policies and procedures.

3.3.3 Payment Gateway Services

All online storefronts must connect to the TouchNet Payment Gateway for processing Payment Card information. TouchNet serves as the central link between a storefront and the card payment processor. The gateway provides secure payment connectivity over the Internet between buyers, sellers, and the financial networks that move money between them. TouchNet partners with software vendors to create a validated, PCI DSS compliant interface for payment processing.

3.4 Engagement in Commerce

Departments may engage in commerce only with the approval of the department head, Financial Services, and the University Commerce Committee. When engaging in commerce activities, the department must:

3.5 Authorized Payment Card Devices

Only Payment Card devices and locations that have been approved and tracked by Financial Services may be used for Payment Card processing.

  • The purchase, rental, and/or use of Payment Card devices, including mobile applications, must be coordinated through Financial Services and must meet PCI DSS standards.
  • All card payment devices and solutions must be listed as a PCI Council validated Point-to Point Encrypted (P2PE) product and solution.
  • The department is responsible for ensuring only authorized staff have access to the device and are properly trained.
  • Devices must be inventoried with Financial Services and must be maintained in a secure location.
  • Sharing or transfer of Payment Card devices between departments is not allowed without proper advance, written approval from Financial Services.
  • The department is responsible for working with Financial Services to ensure that Payment Card device software is kept up-to-date.

3.6 Payment Card Industry Data Security Standards (PCI DSS) Compliance

In order to protect cardholder data and maintain the University’s PCI DSS Compliance, all departments accepting and handling cardholder data, Financial Services, and the Office of Information Technology must maintain the following requirements.

  1. Maintain compliance with PCI DSS for each merchant.
  2. Build and Maintain a Secure Network and Systems: Card payment processing applications are not allowed to utilize any of Brown University Wi-Fi networks, unless they leverage a PCI SSC listed validated P2PE solution and device. Brown Wi-Fi networks are blocked by firewalls from all access to the cardholder data environment (CDE).
  3. Protect Cardholder Account Data:

    Brown University does not allow card payment via fax, email or other end-user messaging technologies (i.e. instant messaging, SMS/text, chat).

    For departments accepting cardholder data via paper form, transactions must be processed immediately. Cardholder data must be stored in a secure locked space and not be retained beyond four business days. Cardholder data must be destroyed after processing by a cross- shredder or incinerator so that cardholder data cannot be reconstructed.

    The primary account number (PAN) must be masked, showing only the last four digits wherever it is stored.

    For department merchants, and any other TPSPs involved with payment card processing, sensitive authentication data must never be stored after authorization. This includes the card verification code (CVV), personal identification number (PIN), and PIN block.

  4. Maintain a Vulnerability Management System:
    1. Protect All Systems and Networks from Malicious Software: All workstations and servers involved in PCI operations utilize current generation anti-malware software capable of detecting, removing, and protecting against known malicious software.

      All antivirus settings must be configured so as to be unalterable by end-users, and update automatically.

    2. Develop and Maintain Secure Systems and Software:

      For web servers that host a page that provides the URL of the TPSP’s payment page/form:

      • Security vulnerabilities are identified and addressed in accordance to their risk rating;
      • All system components are protected from known vulnerabilities by installing critical or high-security patches/updates within one month of release; and
      • For page scripts that are loaded and executed in the consumer’s browser:
        • A method is implemented to confirm script is authorized and to assure the integrity of each script and
        • An inventory of all scripts is maintained with written justification
  5. Implement and Maintain Strong Access Control Measures:
    1. User access to system components:
      • User access is managed through Brown University Office of Information Technology.
      • Access to systems components and data is assigned to users based on job classification and function with the least privileges necessary to perform job responsibilities; access is approved by authorized University personnel.
      • User access to system components is authenticated via at least a password/passphrase, token, or biometric element.
      • Passwords/passphrases must be set to a unique value for first time use and upon reset and user must be forced to change the password after first use.
      • Passwords/passphrases must be a minimum of 12 characters (or if the system does not support 12 characters, a minimum of eight characters) and contain both numeric and alphabetic characters.
      • Passwords/passphrases must be different than the last four used.
      • Passwords are changed every 90 days.
      • All users will be assigned a unique ID before access to system components or cardholder data is allowed.
      • Group, shared, or generic accounts, or other shared authentication credentials are not allowed.
      • Inactive user accounts will be removed or disabled within 90 days of inactivity and access for terminated users will be immediately revoked.
    2. Card payment (Point-of-interaction (POI)) devices are protected from tampering and unauthorized substitution:
      • An inventory of all card payment devices, including the make, model, location of device, and serial number is maintained by Financial Services.
      • Upon hire and/or before use of card payment devices, staff are trained to follow standards established by the PCI DSS Council, University policies, and the operational procedures. In addition, staff is also trained to be aware of methods in which devices can be tampered or replaced.
      • Routine inspection of card payment devices for tampering and substitution is completed according to the department’s standards and logged.
      • Do not alter or attempt to troubleshoot issues with card payment devices; support is provided by Financial Services.
      • Sharing or transfer of payment card terminals between departments is not allowed without proper prior approval from Financial Services.
      • Departments may rent card payment terminals on a temporary basis to accept in- person credit card payments at specified times as agreed upon via a rental agreement with Financial Services. Rented terminals will follow Financial Services standards.
  6. Regularly Monitor and Test Networks:

    External vulnerability scans are performed by a PCI SSC Approved Scanning Vendor (ASV) quarterly. Scan results are reviewed by OIT Information Security Group and vulnerabilities are mitigated. Rescans are performed as needed to confirm that vulnerabilities are resolved and are performed after significant changes.

    For web servers that host a page that provides the URL of the TPSP’s payment page/form a change and tamper detection mechanism must be deployed to alert personnel to unauthorized modifications.

  7. Maintain an Information Security Policy:
    1. Security Awareness education is ongoing: All personnel who utilize or support the processing of payment cards must have completed “Protecting Brown’s Information” security training and PCI DSS training prior to receiving access to system components that could impact the security of cardholder data. PCI DSS training is required on an annual basis.
    2. Risk to information assets associated with TPSP relationships is managed:

      Prior to implementation, third party service provider’s (TPSP’s) securities, processes, and procedures will be evaluated by the Commerce Committee, Financial Services, and the Office of Information Technology. A written agreement with each TPSP with which account data is shared or that could affect the security of the card data environment is required and agreements will include an acknowledgment from the TPSP that they are responsible for the security of account data that the TPSP’s possess or otherwise store, process, or transmit on behalf of the University or to the extent that the TPSP could impact the security of the University’s card data environment.

      A list, including descriptions of services provided, of all TPSP with which account data is shared or that could affect the security of account data is maintained by Financial Services.

      Each TPSP must meet and maintain PCI DSS compliance and be willing and able to provide a valid annual PCI DSS Attestation of Compliance (AOC) to Brown University Financial Services.

  8. Suspected and confirmed security incidents that could impact cardholder data are responded to immediately: In the event of a security incident or suspected breach of security, the department must immediately follow the Brown University PCI DSS Incident Response Plan.

3.7 Unrelated Business Income Tax and Sales Tax

Any department that sells goods and services, irrespective of the method of payment, must evaluate whether the sale requires the collection of sales tax and/or the reporting of unrelated business income tax (UBIT).

3.8. Settlement and Payment Card Fees

3.8.1 Settlement

Payment Card device must be settled no less than daily. It may be prudent, given the level of activity, to settle batches on a more frequent basis. A transaction will not be processed and charged to the cardholder until the batch is settled. Card payment transaction revenue will be posted in gross to the department’s cost center approximately 2-5 days following batch close, depending on the acquirer’s settlement process.

3.8.2 Reconciliation

Departments must establish and maintain appropriate segregation of duties between Payment Card processing, processing of refunds, and the reconciliation of credit card transactions. Each department is responsible to reconcile sales transactions to their general ledger no less than monthly. The department must maintain documentation of reconciliation [in accordance with the Records Retention Policy] and be prepared to provide it in an audit.

3.8.3 Fees

The University is charged a discount rate and other related fees for all Payment Card transactions. The rates may be different based on card payment processor, payment card type, and/or transaction type. Fees for each department’s merchant account will be posted to the department’s cost center on a monthly basis.

3.9 Cardholder Disputes and Chargebacks

The card payment processor/acquirer will notify Financial Services of a disputed charge. Financial Services reviews all disputes and then contacts the department for written authorization/documentation of the transaction. Failure to respond to these requests will result in a chargeback to the department’s account. Prompt attention to these matters is a priority. It is the department’s responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.

3.10 Commerce Committee

The Commerce Committee is a standing committee composed of representatives from Finance and Administrative Services, Office of Information Technology, and Internal Audit.

The Committee will perform the following functions:

  • Establish registration requirements for commerce approval;
  • Review and approve/deny requests for establishment of commerce presence;
  • Advise Senior Officers on commerce policy, process, vendors, dissemination/publication of commerce information, and commerce matters in general; and
  • Evaluate and exercise due diligence of vendor relationships, including monitoring service providers’ PCI DSS compliance on an annual basis.

4.0 Definitions

For the purpose of this policy, the terms below have the following definitions:

Authentication: The process of verifying identity of an individual, device, or process.

Cardholder Data: Consists of the full primary account number (PAN), at a minimum. Cardholder Data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

CAV2/CVC2/CVV2/CID: The Card Security Code is the 3-digit security code on the back of the credit or debit card. Visa: CVV, MasterCard: CVC2, JCB: CAV2, American Express: CID or 4DBC and is 4-digits on the front of the card.

Cardholder Data Environment (CDE): The system components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data, and system components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.

Chargeback: When the card issuer returns funds to the account holder due to a disputed charge. Charges can be disputed for many reasons, such as: a cardholder being charged by a merchant for items they never received; a merchant duplicating a charge by mistake; or mistaken charges caused by a technical issue.

Department: All University units across all areas of the University, including student groups and affiliates.

Digital Wallet: An application or online service that stores payment information and allows for individuals to securely make purchases without carrying cash or payment cards.

Media: Sources containing Cardholder Data, including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes.

Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any PCI SSC Participating Payment Brand as payment for goods and/or services.

Payment Card: For purposes of PCI DSS, any payment card that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or VISA, Inc. Payment cards include physical payment cards as well as devices with functionality that emulate a payment card to initiate a payment transaction (such as smartphones, smartwatches, fitness bands, key tags, etc). For the purpose of this policy, digital equivalents are included in the term “Payment Card” (e.g., GPay, ApplePay, Venmo, PayPal, etc).

Payment Card Industry Data Security Standards (PCI DSS): Technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. These standards are a set of mandated requirements agreed upon by the five major payment card companies: VISA, MasterCard, Discover, American Express, and JCB. The PCI DSS applies to all entities that store, process, and/or transmit cardholder data and/or sensitive authentication data (SAD) or could impact the security of the cardholder data and/or SAD.

Payment Card Processor: Third-party service that provides processing services for credit and debit card financial authorization and settlement of all card transactions.

Payment Gateway: A technology platform that acts as an intermediary in electronic financial transactions.

Personal Identification Number (PIN): A secret numeric password shared between a user and a system that can be used to authenticate the user to the system. PINs are most commonly used for automated teller machines (ATMs), but are increasingly used at the point of sale for payment cards.

Primary Account Number (PAN): A unique identifier for a payment card. A series of digits (usually 12-19) embossed or encoded on the card. PAN identifies the issuer and the cardholder account.

Sensitive Authentication Data (SAD): Security-related information used to authenticate cardholders and/or authorize payment card transactions. SAD includes, but is not limited to, card verification codes, full track date (from the magnetic stripe or chip) and PINs/PIN blocks.

Settlement: In credit card processing refers to the final stage of a credit card transaction where funds are transferred from the cardholder's account to the merchant's account. It involves the reconciliation, verification, and transfer of funds to complete the transaction to the University’s bank account.

System Components: Any network devices, servers, computing devices, virtual components, or software included in or connected to the CDE, or that could impact the security of cardholder data and/or SAD.

Storefront Services: Online interface that customers interact with to browse and purchase products and/or services.

Third Party Service Provider (TPSP): Any third party acting as a service provider on behalf of an entity. A service provider is a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes payment gateways, payment service providers (PSPs), and independent sales organizations (ISOs). This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities.

If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services). A multi-tenant service provider is a type of Third-Party Service Provider that offers various shared services to merchants and other service providers, where customers share system resources (such as physical or virtual servers), infrastructure, applications (including Software as a Service (SaaS)), and/or databases. Services may include, but are not limited to, hosting multiple entities on a single shared server, providing e-commerce and/or “shopping cart” services, web-based hosting services, payment applications, various cloud applications and services, and connections to payment gateways and processors.

Token: In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or multi-factor authentication.

5.0 Responsibilities

All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. University supervisors and employees with student oversight duties are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure and enforce compliance with it.

6.0 Consequences for Violating this Policy

Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with the University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures.

Failure to meet the requirements outlined in this policy may result in suspension of the physical, and if applicable, electronic payment capability with payment cards for the affected department(s). Additionally, if applicable, any fines and assessments which may have been imposed by the affected payment card company and/or cardholders will be the responsibility of the impacted department.

Persons in violation of this policy are subject to discipline, including loss of computer or network access privileges.

7.0 Related Information

Brown University is a community in which individuals are encouraged to share concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).

The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws and requirements.

7.2 Related Procedures

N/A

7.3 Related Forms

  • New Merchant Request Form

7.4 Frequently Asked Questions

N/A

7.5 Other Related Information

N/A

Policy Owner and Contact(s)

Policy Owner: Vice President for Finance and Administrative Services & Chief Financial Officer

Policy Approved by: Vice President for Finance and Administrative Services & Chief Financial Officer

Contact Information:

Financial Services Email 401-863-2531

Policy History

Policy Issue Date:

Policy Effective Date:

Policy Update/Review Summary:

Required annual review according to PCI DSS and updates for PCI DSS v4.0.

Previous policy version(s) superseded by this policy:

  • Accepting and Handling Payment Cards to Conduct University Business, Last updated March 2020