Fayetteville Policies and Procedures 309.0
Payment Card Processing
Any office engaged in any form of payment card processing (e.g., POS/swipe or e-commerce) must have the approval of the Office of Financial Affairs (Credit Card Operations and Cash Management) prior to engaging in commerce activity. No university department may enter into any contracts or otherwise arrange for payment transaction processing or obtain any related equipment, software or services without the involvement and approval of Credit Card Operations and Cash Management.
All payment activity must be established within the centralized university banking and accounting environment with receipts deposited into designated University of Arkansas bank accounts, unless an exception is approved by the associate vice chancellor for financial affairs.
The University of Arkansas official online payment system is CASHNet. All departments wishing to accept online payment card transactions must use CASHNet unless a waiver by Credit Card Operations is granted to that department. (See Payment Card Usage section below for additional information.)
The purpose of this policy is to outline the payment card acceptance methods suitable for university business and the usage restrictions for payment card transactions. Credit Card Operations is responsible for campus compliance with payment card processing and security regulations and is granted authority to take appropriate action to ensure conformity with university policies and procedures. Appropriate action up to and including immediate termination of payment card processing activities will be imposed for any University of Arkansas department that violates provisions outlined in the Fayetteville Policies and Procedures (FPP) 309.0 through 309.3 policies related to payment card processing, security and incident reporting.
All terms mentioned in this policy are defined in FPP 309.3 Payment Card Policies Glossary. All campus users of payment card information are required to know and fully understand all terms associated with the FPP 309.0 through 309.3 policies.
The University of Arkansas accepts American Express, Discover, MasterCard and Visa payment cards for university business. (Debit card transactions that require a PIN are acceptable payment options for walk-in payments.) The University of Arkansas accepts payment ONLY via telephone, walk-in traffic or an online portal approved by Credit Card Operations. Acceptance via email, fax or other end-user messaging technologies is prohibited. Telephone and walk-in payments are to be processed on counter-top terminal devices supplied by the Office of Financial Affairs. The use of CASHNet is for customer-facing e-commerce sites only.
If a department has a specific business operational need that the approved, official university processing methods cannot meet, the department can apply for a system usage waiver. Departments initiate the waiver request by submitting written justification to Credit Card Operations that explains their need and why CASHNet or other approved methods cannot adequately support the operation. Waiver requests must be submitted annually to Credit Card Operations and are evaluated on a case-by-case basis. As part of the waiver application process, Credit Card Operations will conduct a full evaluation of proposed equipment, network structure and remote access privilege use.
In addition, departments applying for a system usage waiver must achieve and maintain full compliance with FPP 309.0 through 309.3 policies, as well as applicable legal and industry regulations. A full list of requirements is available in the system usage waiver supplement document provided by Credit Card Operations. Any department granted a waiver is responsible for the fiscal costs associated with payment card security as detailed in FPP 309.0 through 309.3 policies. These costs will include the purchase and implementation of the most current Payment Application Data Security Standard (PA-DSS) validated software upgrade versions as older versions are removed from validation.
The Office of Financial Affairs provides all technology/devices for telephone and walk-in payments in the form of counter-top payment terminals. Departments pay a monthly leasing fee to the Office of Financial Affairs for use of the technology. Payment processing devices must be configured and implemented as instructed by Credit Card Operations, including limiting access on the device to only applications needed for payment processing.
Technology usage for system waiver environments is evaluated on a case-by-case basis. Payment card processing must be completed only on devices approved or provided by Credit Card Operations.
All departments MUST supply Credit Card Operations with a device inventory of all equipment to be used in the processing environment prior to authorization and implementation of the system. The inventory shall include: the physical location of the device, a description of the device, the model number, operating system or firmware information, and a DNS/IP address, if applicable. Reports available in the university’s Asset Inventory Management System (AIMS) are acceptable. Departments must notify Credit Card Operations within seven days of any changes in processing equipment.
Departments are responsible for the physical security of all devices used in payment card processing within the department. Requirements for physical security of devices can be found on the Credit Card Operations website. Processing devices must be secured from tampering and/or attended at all times. This requirement also includes access to network jacks that are dedicated to any of the secure commerce networks. Departmental users may not plug a non-commerce device into a network jack on the secure commerce networks or in any other way modify those networks without first gaining approval from Credit Card Operations and involving the IT Services Network Engineering Team.
The use of wireless technology for payment card processing is prohibited. If a department requires a mobile processing terminal, the Office of Financial Affairs will provide a cellular terminal to the department. Applicable fees will be assessed to the department. Any wireless-capable equipment used in the processing environment MUST have the wireless radio disabled while processing transactions.
As a convenience to customers, departments are permitted to maintain self-service kiosk stations, limited to accessing only the Web-based payment application, for customer use while in the department. Credit Card Operations must approve the kiosk technology and equipment prior to use within the payment processing environment. The kiosk is never to be used for web surfing, email use or any general university applications that do not directly relate to payment processing.
User Access to Processing Environments
Departments authorized to accept payment card transactions will have one or more payment card merchant accounts established by the Office of Financial Affairs/Credit Card Operations. All payment card transactions for the department will flow through this account. As a condition of merchant account assignment, all requirements detailed in the FPP 309.0 through 309.3 policies MUST be met.
Access to the cardholder data environment will be restricted by job duties of each individual. Every user must be assigned a unique user ID and password to access the cardholder data environment, where applicable. Departments are responsible for ensuring staff are validated to handle payment information prior to assignment of job duties involving cardholder data. System IDs and shared IDs are not permitted for staff use. Passwords for users MUST be changed every 90 days. User accounts must also be locked after a maximum of three failed login attempts and remain locked out for either 30 minutes or until an administrator verifies the user’s identity and re-activates the account. Accounts inactive for at least 90 days must be removed or locked. Credentials for automated services and service accounts must have a password change every 90 days. Departments are required to submit an Access Control List (ACL) to Credit Card Operations semi-annually on May 15 and November 15. The ACL must include all accounts in the payment processing system, including sponsored/service accounts.
Vendors that require access to the department processing environment must be granted access by Credit Card Operations before modifying any campus equipment. Depending on the access requested, this may require the vendor to install software to make a secure connection through the commerce firewall environment. Vendor accounts for this type of connection are managed by Credit Card Operations and are only enabled for one business day upon request. Departmental staff are responsible for monitoring the activity of the vendor while handling campus equipment.
All payment card processing departments must display a refund notification for customers. The refund notification must state that all refunds will be processed back to the card used during the sale. (In-store credit/gift card is permitted for campus retail operations.) Departmental refund notification must be displayed at point-of-sale locations or on the departmental website (for e-commerce applications). Credit Card Operations will provide guidance on creating this notification.
All departments engaged in any form of payment card processing must comply with the procedures listed below for the department payment acceptance method. Each department will assign refund approval duties to a responsible party.
- Refunds must be processed on the same Merchant ID account as the original sale.
- Refunds cannot exceed the original sale amount.
- Refunds must be processed back to the same card used in the original sale.
- Departments will account for refunds for processing terminals and third-party systems per the Treasurer’s Office departmental deposit requirements.
- Refund requests for CASHNet transactions will be submitted via the AskCommerce portal and processed by the Treasurer’s Office.
Each department is responsible for the costs incurred by the university to process its transactions, plus setup fees for any new merchant account. Processing fees will be deducted monthly from a BASIS cost center. A current fee schedule can be obtained from Credit Card Operations.
In addition, each department is responsible for any hardware, software, setup and/or maintenance costs to maintain the processing environment, including the cost of required security scans, if applicable. Departments may also be required to pay for training and background checks as required by Fayetteville Policies and Procedures.