Payment Card Processing Policy

All University Departments that process Payment Card transactions for goods and services are deemed to be Merchants under the Payment Card Industry Data Security Standards (PCI DSS).  Prior to accepting Payment Cards, Departments must:
1.) Receive approval from the Business Office for the creation of a Merchant Account,
2.) Receive approval from ITS of Security Assessment and Payment Card Equipment. Trinity University uses Touchnet as the Third Party Payment Processor or Payment Gateway for all Payment Card transactions. No other Third Party Payment Processor or Payment Gateway may be used without approval of the University.
Best practice is to accept online Payment Card transactions through the University’s approved Service Provider/Payment Gateway, Touchnet, as opposed to in-person transactions. This reduces the University’s scope as it pertains to PCI DSS. Only Merchant Departments are able to process Payment Card transactions on behalf of the University. Third parties that are approved by ITS for Payment Card transaction processing on campus may only process outside of the Trinity network on their own mobile Wi-Fi hotspot. Third parties approved to accept Payment Card transactions on campus and Service Providers who accept Payment Card transactions on behalf of Trinity University must contractually agree to:
1.) Represent and warrant that it is compliant with current Payment Card Industry Data Security Standards (PCI DSS) and shall remain compliant during the Term of the Agreement, ensuring that the environment for the processing of transactions is done in compliance with current PCI DSS standards; 
2.) Promptly notify Trinity University of its non-compliance status should become PCI DSS non-compliant during the Term;                                                                                                                                                                                3.) Provide Trinity University with a copy of its PCI DSS Certificate of Compliance prior to performance of services and annually thereafter;
4.) Be liable for the security of the Cardholder Data; and
5.) Notify Trinity University of any real or suspected breaches of Cardholder Data immediately upon discovery. 

RESPONSIBILITIES OF MERCHANT DEPARTMENTS PCI DSS Standards:  Merchant Departments approved to accept Payment Cards must adhere to current PCI DSS Standards and the policies, guidelines and procedures established by Risk Management with support of the Business Office and ITS, and have the following responsibilities:
Background Check: All Trinity individuals that process Payment Card transactions on behalf of the University must have a criminal background check through Human Resources. 
Training: All Trinity individuals that process Payment Card transactions on behalf of the University must complete PCI DSS online training prior to processing and subsequently at least annually.
Point of Contact: Designate a point of contact responsible for the effective implementation and ongoing maintenance for PCI DSS compliance.
Annual Updates by Merchant Department Point of Contact: Update the Office Procedures document annually, have each individual that processes Payment Card transactions on behalf of the Merchant Department sign, and upload to the shared PCI DSS Compliance drive.
Payment Card Equipment: Approval must be received prior to acquiring Payment Card Equipment or entering into a Contract with a Service Provider, Third Party Payment Processor or Payment Gateway. The Merchant Department maintains a list of updates and periodically inspects Payment Card Equipment/devices for tampering.  Any evidence of tampering must be reported to the University Information Security Administrator at adeloss1@trinity.edu or 210-999-7459 immediately upon discovery. 
Payments/Transactions: If payments are taken other than online, the Payment Card Equipment/devices used must be approved by ITS for Payment Card transaction processing. 
Record Retention: In accordance with Trinity University Record Retention Policy, allowable Cardholder Data should be checked quarterly for expiration and retained for no longer than 18 months. 
Disposal: All Cardholder Data (any information contained on a Third Party’s Payment Card) shall be immediately cross-cut shredded or disposed of in secure bins through Cintas after payment processing. Order forms with demographic and order information may be retained for legitimate business purposes, but the Cardholder Data shall be redacted and cross-cut shredded.
Security Breach: If/when a security breach is discovered or suspected, the Merchant Department must immediately contact the University Information Security Administrator at adeloss1@trinity.edu or 210-999-7459.