Credit/Debit Card Security Policies
Departments that accept payments by credit or debit card are responsible for safeguarding the cardholder’s information and for reconciling, recording, and submitting cash journals. All staff must comply with the university’s credit/debit card policy and receive annual Payment Card Industry Data Security Standards (“PCI DSS” or “PCI”) compliance training.
For more information on the University’s overall PCI compliance program, please view a recording of the latest PCI Compliance Town Hall.
Please be advised that a representative from each department working with credit cards must complete the PCI compliance-required Self-Assessment Questionnaire (SAQ) annually in the CampusGuard Central Portal. To gain access to the portal, please send an email to firstname.lastname@example.org and include your NetID, Department, and Merchant ID(s). Once granted access, you can follow these login instructions.
Failure to submit the relevant SAQ will result in the termination of the department’s ability to accept credit cards (merchant IDs will be suspended) until the SAQ has been submitted. SAQ walkthrough videos are available for those with Rutgers NetID access.
Each merchant department must also maintain
- an incident response plan;
- data flow diagram(s); and
- local procedures for credit card security.
For any questions about PCI compliance, contact email@example.com.
Please do not
- Accept credit/debit card transactions without a valid business reason and the express consent of University Treasury
- Establish accounts on person-to-person platforms such as PayPal, Venmo, etc. to accept payments for university business without explicit approval from Treasury
- Send credit card numbers/information via fax machine or email
- Store cardholder information electronically
- Leave credit card machines unattended
Please do
- Contact Treasury to apply for merchant IDs and obtain credit card machines
- Batch out credit card processes daily
- Submit cash journals no later than the day after the transaction date, unless the accounting is automated
- Periodically inspect card readers for signs of tampering
- Store credit card machines in a secure location when not in use
- Inspect stored machines prior to reconnection to verify that no machine-compromising devices were attached during the storage period
- Destroy cardholder data that is written on a piece of paper promptly through cross-cut shredding, incineration, or through an approved secure shredding and disposal service provided by Institution Planning & Operations