The acceptance of credit cards is a decision that confronts every business at one time or another. If you are considering becoming an NKU merchant, here are some things to consider as you make your decision.
If you are considering accepting credit card payments as a university merchant, please contact Becky Bishop (bishopr4@nku.edu) in the Comptroller's Office to ensure that all applicable university policies and procedures are observed.
PCI DSS version 4.0 is in effect. Read the latest blog from the PCI Security Standards Council.
The Payment Card Industry Data Security Standard (PCI DSS) represents a common set of industry tools and measurements to help ensure the safe handling of sensitive cardholder information.
Initially created by aligning Visa's Account Information Security (AIS) and Cardholder Information Security Program (CISP) programs with MasterCard's Site Data Protection (SDP) program, the PCI-DSS provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.
The updated version, version 1.1, developed by the founding members of the PCI Security Standards Council, became effective with the launch of the Council in 2006. There are 12 principles and requirements by which all merchants must abide. Because technology keeps advancing, PCI-DSS is an ongoing process, not an end goal; a newer version of PCI-DSS is always under development. We are currently under PCI DSS version 3.1.
For more information, see https://www.pcisecuritystandards.org/
PA-DSS (Payment Application Data Security Standard) is a subset of PCI-DSS that addresses software applications that process credit card payments.
The PA-DSS requirements have been derived from the PCI-DSS Requirements to define what a payment application must support to facilitate a customer’s PCI DSS compliance. If a payment application is being considered by an NKU merchant, it must be listed on the following links:
PABP, or Payment Application Best Practices, was a program developed by VISA (which leads the PCI-DSS Council) to give software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI-DSS).
Since 2005, 254 vendors independently validated 555 products against the PABP through a Qualified Security Assessor (QSA) trained in the PABP. In 2008, the PCI Security Standards Council (PCI SSC) adopted Visa’s PABP and released the standard as the Payment Application Data Security Standard (PA-DSS).
The PA-DSS now replaces PABP for the purpose of Visa’s compliance program.
Chargeback - a formal dispute initiated by a customer against a merchant claiming fraud, services not rendered, etc., requiring the merchant to provide documentation to prove that the charge is valid. The required documentation must be presented within the allotted time; otherwise the customer automatically wins the dispute and is refunded.
Customer - an individual or entity that is purchasing a good or service from a merchant.
Interchange - fees charged by the various card companies (Visa, Mastercard, Discover, American Express) based on the type of card, how that card is processed and the amount of the transaction.
Merchant - any business that accepts credit cards as payment for goods or services.
POS - point-of-sale, the device used to capture credit card information for payment. This may be a standalone terminal similar to those made by Verifone, Hypercom or any of several other manufacturers. The card is swiped through the magnetic reader slot and all information is captured and stored in the terminal until it is transmitted to the processor for settlement. Dial terminals present the most secure means of gathering and transmitting credit card data.
Processor - any of a number of corporations/banks that receive credit card transactions from merchants and orchestrate the transfer of funds between issuers, acquirers, the Federal Reserve, merchants and customers. A few of these processors include: PNC Merchant Services (current processor of NKU), Chase Paymentech, Elavon, First Data Merchant Services (FDMS), Global Payments, East Processing Platform, Heartland Payment Systems, WorldPay, Vantiv and TSYS Acquiring Solutions.
Sending Credit Card Information over Email
Why is it a bad idea to accept credit card information over email?
Transmission of Card-Holder Data via email is explicitly prohibited per PCI DSS requirement 4.2. It states that credit card information must not be captured, transmitted, or stored via email. Just as important: email is transmitted and stored unprotected, in clear text, and leaves a trail of copies (in inboxes, sent folders, drafts folders, email trash, web browser caches, computer recycle bins, etc.).
What constitutes Card-Holder Data (CHD)?
CHD consists of one or more of the following: the full credit card number, the expiration date, and the card verification code (CVC) printed on the back of the card.
My customers send me credit card information over email. What should I do?
As an institution of higher education, we should educate our customers about the dangers of using email to conduct financial transactions. As merchants, we should discourage the sending of credit card information, to the point of not processing credit card transactions when the information has been provided over email. Furthermore, never reply to a customer by including their original email (without first truncating the credit card number and deleting the CVC code), as doing so exacerbates the problem.
I mailed a form/application or posted a form/application on my website accepting credit cards as payment, but my customers email the form. What should I do?
First, remove the credit card number field from your form, and remove your email address from any form/application or web page that mentions paying by card.
Second, add the following (or similar) text in a very visible fashion to your form/application or website, discouraging the sending of credit card information over email: For your protection, (Your Institution) does not accept and will not process credit card information provided via email or text messages. Please contact us at (859) 572-xxxx or drop by our office, and we will gladly assist you.
I’ve received credit card information over email in the past. How do I delete these emails and the trails that they leave?
Delete email containing credit card information from your inbox, sent folder, drafts folder, and any other folders that you may have created. Once that is done, empty your email trash, empty your web browser cache (temporary browser files), and empty your computer’s recycle bin or trash.
I conduct a large volume of business with some of my customers. Is there a way to protect our email conversations so that we can transfer credit card information safely over email?
PCI DSS requirement 4.2 does not allow the use of email to transmit credit card information. Furthermore, acceptance of CHD over email is prohibited by the NKU Credit Card Processing and Incident Response Policy.