University Finance and Administration

Credit/Debit Card Security Policies  

Departments that accept payments by credit or debit card are responsible for safeguarding the cardholder’s information and for reconciling the credit card revenue received. All staff must comply with the university’s credit/debit card policy and receive annual Payment Card Industry Data Security Standards (“PCI DSS” or “PCI”) compliance training.

For more information on the University’s overall PCI compliance program, please view a recording of the latest PCI Compliance Town Hall.

Please be advised that a representative from each department working with credit cards must complete the PCI compliance-required Self-Assessment Questionnaire (SAQ) annually in the CampusGuard Central Portal. To gain access to the portal, please send an email to pci-compliance@finance.rutgers.edu and include your NetID, Department, and Merchant ID(s). Once granted access, you can follow these login instructions.

Failure to submit the relevant SAQ will result in the termination of the department’s ability to accept credit cards (merchant IDs will be suspended) until the SAQ has been submitted. SAQ walkthrough videos are available for those with Rutgers NetID access. 

Each merchant department must also maintain:

  • a listing and inspection log of all credit card terminals and related equipment;
  • local procedures for credit card security;
  • an incident response plan; and 
  • data flow diagram(s)

For any questions about PCI compliance, contact pci-compliance@finance.rutgers.edu.

 

Please do not

  • Accept credit/debit card transactions without a valid business reason and the expressed consent of University Treasury
  • Establish accounts on person-to-person platforms such as PayPal, Venmo, etc. to accept payments for university business without explicit approval from Treasury
  • Send credit card numbers/information via fax machine or email
  • Store cardholder information electronically
  • Leave credit card machines unattended

Please do

  • Contact Treasury to apply for a merchant ID and obtain credit card machines
  • Batch out credit card processes daily
  • Submit cash journals no later than the day after the transaction date, unless the accounting is automated
  • Periodically inspect card readers for signs of tampering
  • Store credit card machine in a secure location when not in use
  • Inspect stored machines prior to reconnection to verify that no machine-compromising devices were attached during the storage period
  • Destroy cardholder data that is written on a piece of paper promptly through cross-cut shredding, incineration, or through an approved secure shredding and disposal service provided by Institution Planning & Operations