Keeping Data Safe – Processing and Collection

Directive Statement

Departments must document their processes by means of procedures placed in immediate proximity of the workstation/credit card terminal.  These directives must be available for periodic review and include processing and collection, storage and destruction of payment information, as well as quarterly processes and annual processes.

Reason for Directive

Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ payment card data and attest compliance with the Payment Card Industry Data Security Standard (PCI DSS).  Failure to protect such information may result in financial loss for customers and the University, suspension of credit card processing privileges, fines imposed on credit card merchants and damage to the institution’s reputation.

Who Must Comply?

All University departments whose personnel store, process, or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.

Collecting Data

Collected cardholder data is restricted to only those users who require the data to perform their jobs.

  1. These users must take the UF Payment Card Security Awareness Training (TRM125) at hire and on an annual basis thereafter
  2. All equipment used to collect data is secured against unauthorized use or tampering in accordance with the PCI DSS
  3. Fax machines used to receive payment card information shall be analog connected standalone machines. Receipt or transmission of payment card data using a network connected or multi-function fax device is not permitted
  4. The following methods cannot be used to transmit or accept payment card information for processing:
    • E-mail
    • Text messaging
    • Chat
    • Networked telephone systems (VoIP)

In the event that this does occur, disposal of such payment information is critical.  If payment card data is received in an e-mail:

  • Reply to the e-mail immediately by means of a separate message that “The University of Florida does not accept payment card data via e-mail as it is not a secure method to transmit cardholder data”
  • Do not include in your response any of the payment card information that was provided in the original message (credit card number, expiration date, CVV code, etc.)
  • The received e-mail will be securely destroyed

Processing Data

Separation of duties is a must between personnel handling credit card processing, refunds, and reconciliation.

  1. If transmitting transactions using a “swiping” terminal or Elavon Converge, settle the transactions daily before 9:30 pm (called “batching out”) in order to lower your merchant fees
  2. Enter the daily settlements as departmental deposits in myUFL within one business day after settlement

Resources

Credit Card Equipment

Deposits – Credit Card Settlements

Internal Controls Checklist

PCI Security Standards Council

UF Credit Card Merchant Policy

Training

TRM125 – Payment Card Security Awareness Training

Contacts

Banking & Merchant Services: (352) 392-9057

Treasury-creditcards@ad.ufl.edu

Still have a question?

View our FAQs

Page Contents