Credit Card Payment Processing and PCI Security
This Practice Directive sets forth the guidelines and best practices for protecting credit card payment information as required by merchant banks and controls recommend by the Payment Card Industry Security Standards Council.
Purpose & Scope
SF State is committed to limiting the proliferation of sensitive data and maintaining the security of customer information, including payment cardholder information such as payment card account number, expiration date, and payment cardholder verification number. To uphold this commitment, SF State follows the best practices for protecting payment card information as required by merchant banks and controls recommend by the Payment Card Industry Security Standards Council.
To limit the proliferation of sensitive payment information that could be misused for unauthorized transactions or used to execute identity theft, the Information Security Office and Fiscal Affairs requires that:
- SF State entities accepting credit cards on line, in person or over the phone obtain pre-approval by the Bursar’s Office, Procurement and the Information Security Office before accepting transactions. All merchant accounts for processing credit cards or using EBPP (Electronic Payment Processing Service) formerly known as EPOS) must be registered with SF State Fiscal Affairs, Bursar’s Office. This is to ensure that all requirements for credit card processing systems, including but not limited to, establishing a new merchant account, setting up credit card equipment, and processing transactions, etc. are properly handled. Also, this will ensure that all depository requirements and interfaces are satisfactorily met.
SF State currently contracts with Tier Technologies for EBPP.
- In order to support this service, a convenience fee of 2.5% for credit card transactions or $0.50 for electronic check transactions will be added to the total payment amount.
- Authentication should use SF State credentials (SF State ID and password) and the existing login landing page.
- Outsourcing credit card processing services to any other processing agents must be coordinated with the Bursar’s Office, Procurement and the Information Security Office.
The university merchant must ensure any credit card equipment purchased, leased or supplied from vendors is PCI compliant and approved or otherwise endorsed by their merchant bank and/or payment processor. This may involve maintaining copies of merchant bank contracts and supplementary communications detailing PCI or credit card processing terms and correspondence by or from the merchant bank or payment processor regarding the use of compliant software and hardware.