The Bursar Office oversees all credit card merchant accounts for the campus. The designated University Payment Card Coordinator in the Bursar's Office is charged with acting as the liaison between the university, the merchant bank, credit card processors, vendors and campus merchants. The University Payment Card Coordinator has delegated authority to approve and establish accounts with the campus' merchant bank and with internet and gateway providers on behalf of the University. The primary policy source for the handling of payment cards is University Policy 3610: Accepting and Handling Payment Card Transactions.

Accepting credit cards for payment provides a service to your customer by offering a convenient method to pay for goods and services. However, if your department is currently evaluating the decision to become a credit card merchant, there are several factors to consider. Accepting credit cards for payment involves risk of loss, processing fees, and requires compliance with data security requirements. Departments accepting payment cards are responsible for all expenses associated with payment card merchant accounts, including but not limited to equipment costs, banking fees, and cost(s) of compliance with the Payment Card Industry Data Security Standards. Campus departments should become familiar with all of these factors before making the decision to become a merchant.

The University Payment Card Coordinator is the best source of information for the requirements involved in accepting credit cards. Before making any arrangements or purchases related to credit card acceptance services and equipment, departments must consult and receive approval from the Payment Card Coordinator. The Payment Card Coordinator will review departmental needs and recommend the most efficient and cost effective method available.

To reduce their losses due to credit card fraud, five members of the payment card industry, Visa, Inc., MasterCard Worldwide, American Express, Discover Financial Services, and JCB International (Japan Credit Bureau), banded together to develop security standards for any organization that accepts, captures, stores, transmits, and/or processes payment card information either manually or through an automated system. This set of standards is referred to as the Payment Card Industry's Data Security Standard, or PCI DSS. The PCI DSS is an evolving set of comprehensive requirements designed to enhance payment account data security. The PCI DSS contains six categories of requirements. These include building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

The university is committed to complying with the PCI DSS by ensuring the secure handling of payment card information. All university merchants accepting payment cards are required to comply with the PCI DSS and validate their PCI DSS compliance annually by completion of PCI Self Assessment Questionnaire (SAQ). The University Payment Card Coordinator will coordinate the annual validation with all university merchants.

PCIDSS Standards & Documents are available at the Council Website.

Upon hire and at least annually, all employees who are involved with the acceptance, processing or reconciling of payment card transactions are required to complete Payment Card Training offered by the university and complete a Payment Card Security Agreement, confirming their understanding and adherence to this policy. University merchants must maintain records of employees' training.

"Securing the Human" Online Awareness Training

Online cyber awareness training is now being offered to Virginia Tech by the IT Security Office. This training represents an excellent opportunity for departments to ensure their staff is aware of cyber issues. The training is about 60 minutes long, self-paced and provides progress reporting. If you are interested in this training for your department or yourself, please contact Brad Tilley.

Introduction to Payment Cards Training

Provided by the University Bursar Office, this training provides an introduction to payment cards and the security standards. The training is approximately 15 minutes long and includes an assessment tool to document understanding of the information provided. This training can be accessed via Canvas and requires that you Adobe Flash Player. In order to view the tutorial, you must be signed into Canvas and need to add the "Accepting Payment Cards on Campus" worksite.

If you have not joined the "Accepting Payment Cards on Campus" worksite, follow these instructions