Valley City State University allows departments to accept credit cards for purchases of goods or services only in accordance with the procedures outlined in this document.
The University recognizes that accepting credit cards as payment for goods or services has become a common practice that improves customer service, brings certain efficiencies to VCSU's cash collection process, and may increase the sales volume of some types of transactions. In addition, the use of technology, such as the World Wide Web, provides easy access for many, and the use of credit cards is essential when sales are conducted electronically.
This policy applies to all VCSU faculty, staff, students, organizations, and individuals who on behalf of the University handle electronic financial transactions and payments such as credit/debit card transactions, and electronic fund transactions (EFT).
Many departments on campus process credit card transactions, either infrequently or in the course of daily business. It is the University's responsibility to protect the privacy of its customers, as well as maintain compliance with the Gramm Leach Bliley (GLB) Act, Payment Card Industry (PCI) Standards and Red Flag Rules.
Departments that transact business by accepting credit cards for goods or services are expected to adhere to the attached procedures to help ensure the integrity and security of all credit card transactions. Failure to follow the procedures may result in the revocation of departmental authorization to accept credit cards and departmental responsibility for paying all related penalties.
Credit card payments for student accounts receivable accepted are online via Campus Connection.
The University is required to process credit card transactions through the Bank of North Dakota. Any exceptions must be approved, in writing, by the Bank of North Dakota.
Credit card types that departments may request to be accepted within the department for goods and services include MasterCard, VISA, Discover, and American Express.
The University is charged fees on all credit card transactions. The fees vary and are based on the card type accepted and the method of acceptance (swiped versus manually entered). In addition to a percentage on the amount of the transaction, a "per transaction" fee and a monthly merchant account fee is charged.
Merchant fees are charged to the designated funding sources on a monthly basis.
The credit card merchant fee is considered a cost of doing business. Departments cannot assess an additional fee to the customer if the customer pays via a credit card.
If a department suspects that credit card records may have been compromised in any way, whether through malicious intent or due to a weakness in the handling and processing of credit card transactions, they are to notify their supervisor immediately.
All security incidents will follow the VCSU Incident Response Policy (to be developed). The document 'What to do if Compromised', VISA USA Fraud Investigations and Incident Management Procedures will be utilized as a reference for any security incident.
The Office of Human Resources and Payroll performs criminal background checks on all potential employees prior to their date of hire.
Departments must obtain prior approval from the Controller to accept and/or process credit card transactions within the department. Requests should be made via e-mail to the Controller. If approved, the Controller will provide the department with procedures that must be followed when processing credit card deposits. If a department has not obtained approval to accept credit card payments, they should not be accepting credit card information.
To minimize the risk of attacks from internal sources, all VCSU employees who work with electronic financial transactions and the personal data associated with it will:
There are five accepted methods for processing credit card transactions:
Credit card information cannot be requested or sent via electronic messaging. If a cardholder sends credit card information via electronic messaging, departments are required to reply to the cardholder with the following verbiage without including the credit card information that was received:
Departments must attach a copy of the response to the merchant copy of the transaction being processed and retain in accordance with the records retention policy.
When issuing credits to customers, the credit should be processed in the same payment method as the original charge. If a cash refund is necessary, it should be approved by the departmental head/manager on a case-by-case basis. Refunds processed thru Student Accounts Receivable (all methods) must be processed by the Accounts Receivable Specialist or a non-cashiering Business Office employee.
Department must not store any credit card information, including CVV codes or PIN numbers, in a customer database or electronic spreadsheet. All CVV codes, PIN numbers, and other documents containing credit card information, must be shredded immediately after the transaction has been processed.
When an item or service is purchased using a credit card, and a refund is necessary, the refund should be credited to the credit card from which the purchase was made. If a cash refund is necessary, it should be approved by the departmental head/manager on a case-by case basis. Refunds processed thru Student Accounts Receivable (all methods) must be processed by the Accounts Receivable Specialist or a non-cashiering Business Office employee.
Occasionally, the Bank of North Dakota will send notification to the University indicating a disputed charge. The Controller will provide all requested information in response to the notification by the due date indicated.
When submitting deposits to the Business Office, include the following:
Documents supporting the credit card transaction must be retained by the department according to the University's Records Retention Policy.
Departments are considered to be the originating department and should retain the following documents for receipts processed with a Tender Type of Credit Card:
The Business Office retains the following documents for receipts processed with a Tender Type of Credit Card:
All transaction documents, as stated above, must be secured by the department, for example, in a locked cabinet/room with limited access.
The Controller is required to complete a PCI Self Assessment Survey on an annual basis and submit to the Bank of North Dakota. The Controller is required to submit a revised survey if there have been any changes since the last survey or if requested by the Bank of North Dakota.
Sponsored by: Vice President for Business Affairs
Effective: May 1, 2009
Revised: August 2016