Payment Card Merchant Policy: ACG0025
Effective Date: 03/17/04
Last Revision Date: 06/27/16

Payment Card Merchant Policy

(Policy ACG0025)

I. Purpose of the Policy

This policy outlines the requirements and condition under which a department or program obtains authorization to operate as a payment card merchant and how the payment card operation is expected to be established and managed. It also outlines requirements related to accepting payment card purchases made through an in-house managed or hosted internet payment gateway.

This policy incorporates provisions from a number of UC policies. In cases where a comprehensive reference is needed, the pertinent UC policy should be consulted. Where conflicts exist between this policy and UC policies, UC policies shall take precedence.

Please refer to Section Ill for the definitions of important terms used in this policy.

II. Detailed Policy Statement

A. General Provisions

A department or program seeking to function as a UCSC payment card merchant must meet the following eligibility requirements:

1. Self-Sustaining Activity. Activity must be primarily self-sustaining.

This means the business activity for which the department wishes to accept payment cards must generate net revenue. Activities may include such things as admission to events and facilities, the sale of merchandise, and the acceptance of payment of certain fees. The requesting department must specify the activities for which it wishes to accept payment cards as payment.

2. Sales Volume. Activity must have a significant sales volume.

This means that the business activity for which the department wishes to accept payment cards must generate a significant amount of sales. In the absence of special circumstances, such as the activity projecting low annual sales volume but providing an unusually substantial benefit to the campus, the requesting department must be able to show that combined sales from payment cards will exceed $10,000 annually.

3. Benefit to Campus. The acceptance of payment cards must provide a benefit to the campus that exceeds the added cost of accepting payment cards. Factors for consideration include the following:

a. Increasing revenue. The requesting department must be able to demonstrate that the additional net revenue (revenue less all costs) generated from payment card sales exceeds the additional cost incurred by accepting them. All departments requesting to become a credit card merchant must meet this requirement.

b. Assuring payment. A requesting department may justify accepting payment cards on the basis that doing so reduces the amount of bad debt in an amount that exceeds the additional cost of accepting credit cards.

c. Automating payment collection. A requesting department may justify accepting payment cards on the basis that doing so reduces the bad debt in an amount that exceeds the additional cost of them.

d. Providing customer service convenience. A requesting department may justify accepting payment cards on the basis that doing so provides customers with a substantially improved level of service.

B. E-Commerce Responsibilities

A payment card merchant seeking to engage in e-commerce must satisfy all of the following requirements:

1. Accountability.

Appoint a PCI Security Coordinator who is responsible for ensuring the merchant remains in compliance with operating requirements established by the Campus Controller.

a. The PCI Security Coordinator must meet all of the competency and training requirements established by the Campus Controller.

2. UC Business and Finance Bulletin IS-3 Electronic Information Security standards compliance.

Full compliance with all applicable standards, including the following key requirements:

a. Maintaining an understanding of e-commerce environment, including an inventory of people, system and network components and related classification

b. Performing periodic risk assessments and developing a security plan for the merchant e-commerce environment

c. Establishing, maintaining, monitoring and testing technical, administrative, and physical security controls

d. Establishing and deploying a departmental IT system policy and related training program for all personnel

e. Establishing appropriate agreements and demonstrating compliance status of thirdparty service providers

f. Protecting customer/cardholder data, electronic and/or paper, at all times

3. Payment card industry data security standards compliance.

As applicable, merchants and/or service providers contracted by the merchant must regularly and timely attest to full compliance at all times with applicable provisions of the current PCI data security standard (PCl-DSS}, including, but not limited to the following:

a. Secure processing and transmittal of customer/cardholder data

b. Secure storage of customer/cardholder data

The payment card merchant is responsible for reviewing and implementing all PCI DSS requirements.

C. Cash Hendling Responsibilites

A merchant must be able to demonstrate that every staff member involved in the cash handling and accounting processes can be held individually accountable for his or her work and that the process includes adequate financial controls, which includes the following:

1. Competency: Each individual engaged in a cash handling or accounting duty must be competent and qualified to perform it

a. A criminal background check must be performed on each employee responsible for processing payment card transactions prior to the employee being given this responsibility.

b. Knowledge and understanding of all applicable campus and departmental information technology security controls and procedures.

2. Accountability: Processing practices must ensure that for every transaction a specific individual can be identified as being responsible for performing each activity of the process.

3. Separation of duties: There must be adequate separation of duties between individuals handling payment processing, voids, refunds, charge-backs, reconciliations, accounting, transaction monitoring, ledger management, and record management duties.

4. Physical security: Equipment used to process payment and debit card transactions must be secured from unauthorized use or tampering.

5. Information security: Card holder data must be safeguarded from unauthorized access at all times.

6. Payment card processing: A merchant must process payment and debit card transactions through a processor selected by the University.

7. Depository bank account: The depository bank account designated by the Regents must be used for the direct and timely deposit of all payment and debit card receipts.

a. An intermediary bank may be used to accept deposits under certain, unavoidable circumstances and only with the written approval of the Campus Controller.

8. Accounting: The accounting for and reconciliation of payment and debit card transactions must be accurate and timely.

D. Records Management Responsibilities

A merchant must comply with all pertinent UC, UCSC, payment card, and PCl-DSS requirements, including the following:

1. A merchant must retain pertinent paper-based and electronic payment and debit card transaction data and related supporting information for the period of time required by UC document retention policies and all applicable payment card company agreement(s).

2. All service providers used by a merchant must timely certify that the handling, storage, and transmission of cardholder data is fully PCI DSS-compliant.

E. Other Operational Responsibilities

A merchant must comply with following, pertinent operational requirements:

1. Collaborate closely with the Campus Payment Card Coordinator (Financial Affairs) to establish the relationship with a UC-approved acquiring bank ("merchant bank").

2. Acquire equipment that collects, transmits or stores cardholder data that is approved by the Campus Controller, or his or her authorized designee

3. Adhere fully to the terms and conditions of all pertinent UC payment card company contract and service agreements

4. Assume responsibility for the full payment of all costs associated with maintaining a merchant and/or e-commerce operation, including, but not limited to,

a. Bank charges and discount fees

b. Equipment purchase, rental, and maintenance fees

c. Contracted third-party internet payment portal and payment gateway services

d. PCI security compliance-related services

e. Campus payment card merchant support services

f. Customer data breach remediation costs, including fines

F. Review and Audit Responsibilities

A payment card merchant operation is subject to review at any time by the Office of Internal Audit and Advisory Services or an office of Financial Affairs. In addition, an operation subject to PCl-DSS requirements may be reviewed and/or monitored at any time by Information Technology Services,in a manner consistent with the applicable provisions of the UCSC implementation of the UC Electronic Communications Policy. The Campus Controller may suspend or revoke the ability of a UCSC merchant to accept payment cards as a form of payment and/or the ability to engage in ecommerce activities should the merchant fail to comply with any of the requirements described in this policy.

III. Definitions

American Express Card - a charge card issued by American Express directly to the cardholder.

Bank card - a Visa or MasterCard charge card issued by a bank that is a member of the Visa or MasterCard Association.

Card processor - a bank that processes credit card transactions on behalf of a merchant. UCSC merchants use the card processor selected by the University.

Cardholder data - any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

Cash handling - the process, internal controls, and physical security measures used to accept, process, and account for cash and payment card receipt transactions.

Credit card - Bank, American Express, or Discover card.

Debit card - A card issued by a bank allowing the holder to transfer money electronically to another bank account when making a purchase.

Discount fees - the fees paid by the UCSC merchant accepting a credit or debit card for payment. For Visa and MasterCard, the largest component of the discount fee is interchange, which is charged by the Visa or MasterCard Associations. Interchange rates are not negotiable, as they are determined by the Associations and are based on qualification requirements of each transaction. The bank that issues a credit card to an individual receives the interchange fees.

Discover Cards - a charge card issued by Discover directly to the cardholder.

Electronic check (e-check) - an electronic transfer of money from one bank account to another through the internet or other computer-based system.

Electronic commerce (e-commerce) - business which is conducted electronically, such as on the Internet.

E-commerce environment - the people, processes and technologies that operate together to store, process or transmit cardholder data or sensitive authentication data.

Fee, convenience - a fee charged to a customer for the convenience of paying via an automated payment channel. A UCSC credit card merchant may not assess a convenience fee.

Fee, flat - a flat dollar amount charged to a customer, regardless of payment amount. A UCSC credit card merchant may not assess a flat fee or surcharge.

Fee, variable rate - a fee that varies based on the amount paid. May be percentage based or tiered. A UCSC credit card merchant may not assess a variable rate fee.

Merchant - see payment card merchant.

Merchant bank - see card processor.

Payment card - a credit, charge or debit card; also includes an electronic check.

Payment card merchant - a UCSC department or program accepting payment cards, debit cards, and/or electronic checks through any payment channel, including an in-house- or externally-managed electronic commerce ("e-commerce") operation.

Payment channel - the way in which a payment is received. Mail (including drop boxes), inperson/over-the-counter, and telephone (interaction with a live person) are traditional payment channels. Interactive voice response (IVR), internet/web, and kiosk (web access provided on-site) are "convenient" automated payment channels.

Payment gateway - a service provided by an e-commerce application service provider that authorizes a customer's payment. This service is triggered when a customer clicks on the "buy" or "purchase" button on a payment portal webpage.

Payment portal - a webpage where a customer begins the payment process. A payment portal webpage may be hosted by a department or by a third-party through a contract.

Payment type - cash, paper check, Automated Clearing House (ACH) debit (sometimes referred to as electronic check), ATM debit card, or credit card.

PCI - DSS {Payment Card Industry Data Security Standard) - set of requirements designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment.

Qualified Security Assessor {QSA) - individual or firm certified by the PCI Security Standards Council to audit merchants for PCl-DSS compliance.

Service provider - anything, including a software application that stores, processes, or transmits card data electronically. Examples include point of sale systems and website e-commerce shopping carts.

Surcharge - a fee charged to the cardholder for paying with a credit or debit card, whether charged separately or reflected in a higher price that is not charged to someone paying via another payment type such as cash or check. A UCSC payment card merchant may not assess a surcharge.

IV. Roles and Responsibilities

The Department Head is responsible for the ensuring departmental payment and debit card merchant and e-commerce operations comply with all of the requirements of this policy and for implementing and maintaining adequate financial, information technology, and records management controls. This responsibility cannot be delegated. However, the responsibility for implementing procedures governing the operation of a department's payment card and e-commerce operation can be assigned to qualified individuals.

The Campus Payment Card and PCI Security Coordinator is responsible for assisting departments in implementing payment and debit card, and e-commerce operations and serving as liaison between campus credit ca.rd merchants, the UC-contracted credit and debit card processor, the UC-contracted Qualified Security Assessor firm, and the UC Office of the President Banking Services Group.

The Campus Controller (Assistant Vice Chancellor - Financial Affairs) is responsible for authorizing, suspending, or revoking a campus department's ability to operate as a payment card merchant.

The PCI Security Coordinator (for merchants engaged in e-commerce) is officially designated by the department head to be responsible for ensuring the unit remains in full compliance with e-commercerelated operating requirements.

The PCl-DSS Compliance Committee, composed of representatives from Financial Affairs, Information Technology Services, and the Office of Internal Audit and Advisory Services, is responsible for monitoring campus payment and debit card merchants, including those engaged in e-commerce, and advising the Campus Controller on PCl-DSS-related compliance issues.

V. Getting Help

The Campus Payment Card and PCI Security Coordinator provides assistance to campus payment card merchants. Please consult the UCSC directory or UCSC Financial Affairs website for contact information.

VI. Applicability and Authority

This policy applies to any department or program seeking to engage or is engaged in operating as a UCSC payment card merchant. The Payment Card Merchant Policy dated, 06/27/2016, supersedes the Credit Card Merchant Policy, dated 03/17 /04 and revised 04/19/11.

The Vice Chancellor for the Division of Finance, Operations and Administration (FOA) is the campus authority for the Payment Card Merchant Policy, with implementation authority delegated to the Campus Controller.

This policy was reviewed and approved by Campus Provost/Executive Vice Chancellor Galloway on 06/27/2016. This policy will be reviewed every five years.

VI. Related Policies/References for More Information

References

UC Accounting Manual

• Accounting Manual Section C-173-85 Cash: Credit and Debit Card Program

http://policy.ucop.edu/manuals/accounting-manual.html

Business and Finance Bulletin

• BUS-49 Policy for Handling Cash and Cash Equivalents

http://policy.ucop.edu/doc/3420337/BFB-BUS-49

• IS-3 Electronic Information Security

http://policy.ucop.edu/doc/7000543

• RMP-7 Privacy and Access to Information Responsibilities

http://policy.ucop.edu/doc/7020462