Collecting Data
Collected cardholder data is restricted to only those users who require the data to perform their jobs.
- These users must take the UF Payment Card Security Awareness Training (TRM125) at hire and on an annual basis thereafter
- All equipment used to collect data is secured against unauthorized use or tampering in accordance with the PCI DSS
- Fax machines used to receive payment card information shall be analog connected standalone machines. Receipt or transmission of payment card data using a network connected or multi-function fax device is not permitted
- The following methods cannot be used to transmit or accept payment card information for processing:
- E-mail
- Text messaging
- Chat
- Networked telephone systems (VoIP)
In the event that this does occur, disposal of such payment information is critical. If payment card data is received in an e-mail:
- Reply to the e-mail immediately by means of a separate message that “The University of Florida does not accept payment card data via e-mail as it is not a secure method to transmit cardholder data”
- Do not include in your response any of the payment card information that was provided in the original message (credit card number, expiration date, CVV code, etc.)
- The received e-mail will be securely destroyed
Processing Data
Separation of duties is a must between personnel handling credit card processing, refunds, and reconciliation.
- If transmitting transactions using a “swiping” terminal or Elavon Converge, settle the transactions daily before 9:30 pm (called “batching out”) in order to lower your merchant fees
- Enter the daily settlements as departmental deposits in myUFL within one business day after settlement
Resources
Credit Card Equipment
Deposits – Credit Card Settlements
Internal Controls Checklist
PCI Security Standards Council
UF Credit Card Merchant Policy
Training
TRM125 – Payment Card Security Awareness Training
Banking & Merchant Services: (352) 392-9057
Treasury-creditcards@ad.ufl.edu