Keeping Data Safe – Processing and Collection
Departments must document their processes by means of procedures placed in immediate proximity of the workstation/credit card terminal. These directives must be available for periodic review and include processing and collection, storage and destruction of payment information, as well as quarterly processes and annual processes.
Reason for Directive
Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ payment card data and attest compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). Failure to protect such information may result in financial loss for customers and the University, suspension of credit card processing privileges, fines imposed on credit card merchants and damage to the institution’s reputation.
Who Must Comply?
All University departments whose personnel store, process, or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.
Collected cardholder data is restricted to only those users who require the data to perform their jobs.
- These users must take the UF Payment Card Security Awareness Training (TRM125) at hire and on an annual basis thereafter
- All equipment used to collect data is secured against unauthorized use or tampering in accordance with the PCI DSS
- Fax machines used to receive payment card information shall be analog connected standalone machines. Receipt or transmission of payment card data using a network connected or multi-function fax device is not permitted
- The following methods cannot be used to transmit or accept payment card information for processing:
  - Text messaging
If payment card data is nonetheless received through one of these channels, prompt disposal of that payment information is critical. If payment card data is received in an e-mail:
- Reply to the e-mail immediately by means of a separate message that “The University of Florida does not accept payment card data via e-mail as it is not a secure method to transmit cardholder data”
- Do not include in your response any of the payment card information that was provided in the original message (credit card number, expiration date, CVV code, etc.)
- The received e-mail will be securely destroyed
Separation of duties is a must between personnel handling credit card processing, refunds, and reconciliation.
- If transmitting transactions using a “swiping” terminal or Elavon Converge, settle the transactions daily before 9:30 pm (called “batching out”) in order to lower your merchant fees
- Enter the daily settlements as departmental deposits in myUFL within one business day after settlement
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data.
01/31/2021: reviewed content
TRM125 – Payment Card Security Awareness Training
Treasury Management/Payment Card Operations: (352) 392-9057