Questions about credit card equipment, reconciliations, etc.? Contact Cornell Credit Card Payment Processing.
Departments accepting credit cards are required to create and maintain business processes and technical documentation for credit card processing. To ensure business continuity, the unit should have more than one person who knows how to process credit cards. Every department that takes credit cards must keep its PCI compliance program documentation readily available, outlining the steps for credit card processing.
Units must meet and maintain Payment Card Industry (PCI) compliance standards.
For information about getting set up to accept credit cards, see Getting Started.
The following rules apply at the Ithaca, Geneva, and Cornell Tech locations, where Cornell University is the merchant of record.
Cardholder data (CHD) is any information associated with a payment card, including the primary account number (PAN), cardholder name, expiration date, and service code.
Merchants at Cornell (the unit or department that accepts credit cards as a payment method) must only accept credit cards using one of the acceptable data collection methods below.
For more definitions and information about credit card processing, see our PCI Compliance Glossary and University Policy 3.17, Accepting Credit Cards to Conduct University Business.
Cornell only accepts in-person payments through EMV-enabled, point-to-point encrypted (P2PE) devices. EMV-enabled devices are those that use the Europay, Mastercard, and Visa chip card security standards; point-to-point encryption means the card data is encrypted inside the device, so it never passes through Cornell systems in the clear. These devices should also accept contactless (NFC) cards and mobile wallets such as Apple Pay, Google Pay, and Samsung Pay.
Outsource payment processing completely. Keeping cardholder data off Cornell systems minimizes the unit's PCI scope and avoids quarterly vulnerability scans. Use a third-party processor such as a shopping cart or payment gateway: the customer enters their order details on the third party's site and then proceeds to that site's payment page to complete the payment.
If a shopping cart or gateway won't work for your area, use a hosted payment page (for example, a CardConnect hosted payment page) and send its link directly to the customer. You can share the link by email or text, or print it on an invoice or another document.
Don't put direct links to payment pages on any Cornell website, whether as embedded links or iFrames. A payment page is any page that contains fields for entering CHD. A Cornell website that links directly to a payment page or displays one in an iFrame becomes part of the payment flow and must undergo quarterly vulnerability scans.
One-time-use credit card numbers, also known as virtual or disposable credit cards, are not treated as sensitive cardholder data (CHD) because they cannot be reused. Merchants may therefore receive these card numbers by email, but they should process them promptly.
Cornell prohibits collecting cardholder data by the following methods because they do not meet PCI security standards.
By postal or campus mail or fax: Open to theft in transit and prone to error when the data is manually entered.
By phone: Cornell's phone system is RingCentral, a VoIP service. It converts your voice into data packets and transmits them over the internet, so any cardholder data read aloud over it is sent outside a PCI-validated environment. If you must take payments by phone and handle more than 10 such calls per month, use PCI Pal. If you have fewer calls, redirect callers to an eCommerce solution or use a basic cellular flip phone with no Wi-Fi or internet connectivity. For information about getting a flip phone, visit the Cell Phones page on the Procurement website.
By email: If a customer sends cardholder data, do not process the payment from it and do not forward or reply quoting it. Permanently delete the email (including from deleted-items folders) and tell the customer to use an acceptable payment channel.