Processing Credit Cards

The university supports the acceptance of credit cards as payment for goods and services to improve customer service, bring efficiencies to Cornell’s cash collection process, and increase the sales volume of certain types of transactions. In addition, the university must support unit compliance with industry standards governing credit card transaction processing, specifically Payment Card Industry Data Security Standard (PCI DSS).

All units must familiarize themselves with and adhere to the procedures set forth in Cornell university policies 3.17 Accepting Credit Cards to Conduct University Business and 5.4.2, Reporting Security Incidents, the university's PCI Incident Response Plan (PDF, 642 KB) and the PCI DSS requirements.

Unit Requirements for Accepting Credit Cards to Conduct University Business

• Contact Cornell Credit Card Payment Processing to establish a merchant ID (MID) and begin the setup process
• Contact Cornell Credit Card Payment Processing to make changes to a merchant setup
• Perform quarterly scans for IP-enabled processes
• Complete an annual Self Assessment Questionnaire (SAQ). You may need to complete more than one SAQ, depending on the credit card environment.
• Complete annual training for all staff members handling credit card data
• Obtain an annual Attestation of Compliance when using a third-party vendor
• Create and maintain business process and technical documentation for credit card processing

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that include requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The comprehensive standard is intended to help organizations proactively protect customer account data by providing a 12-requirement structure for securing cardholder data that is stored, processed and/or processed and/or transmitted by merchants and other organizations. The standard was developed by the PCI Security Standards Council, a global organization founded by the five major credit card companies with the intent of producing, maintaining, and educating merchants on standard practices and procedures to transact credit card business securely.

Non-Compliance Risks

For the University

At worst, Cornell may be prohibited from accepting credit cards as payment.

For the Merchant

The financial repercussions of non-compliance can be significant, especially in the event of a breach, and can have a domino effect on your business. Merchants who are compromised or found not to be in compliance risk incurring a number of fiscal and intangible costs, including, but not limited to, the following:

• Paying...
  • to provide credit watch services to affected customers
  • a call center to assist compromised customers with questions or concerns about the breach of information
  • to notify all customers that are potentially at risk of having their credit card information compromised/stolen
  • a firm to annually audit Cornell's credit card environment, which is required for companies who have suffered a breach
  • fines levied by the credit card issuers and/or the acquiring entity
• Having money held in escrow against future incursions
• Recovering from damage to the company's brand
• Losing the confidence of and good relations with customers, donors, parents, and students

For the Cardholder (your customer)

Customers can endure significant consequences when merchants fail to comply with accepted standards, including, but not limited to, the following:

• Having their account blocked during reissuance process
• Having their identity stolen, which may lead to significant financial losses