Processing Credit Cards

The university supports the acceptance of credit cards as payment for goods and services to improve customer service, bring efficiencies to Cornell’s cash collection process, and increase the sales volume of certain types of transactions. In addition, the university must support unit compliance with industry standards governing credit card transaction processing, specifically Payment Card Industry Data Security Standards (PCI DSS).

All units must familiarize themselves with and adhere to the procedures set forth in Cornell University Policy 3.17 Accepting Credit Cards to Conduct University Business, the university's PCI Incident Response Plan (PDF, 642 KB) and the PCI DSS requirements.

Unit Requirements for Accepting Credit Cards to Conduct University Business

• Contact Cash Management to establish a merchant ID (MID) and begin the setup process
• Contact Cash Management to make changes to a merchant setup
• Perform quarterly scans for IP-enabled processes
• Complete an annual Self Assessment Questionnaire (SAQ)
• Complete annual training for all staff members handling credit card data
• Submit an annual Report on Compliance when using a third-party vendor
• Create and maintain business process and technical documentation for credit card processing

What are Payment Card Industry Data Security Standards (PCI DSS)?

The Payment Card Industry Data Security Standards (PCI DSS) are multifaceted security standards that include requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. These comprehensive standards are intended to help organizations proactively protect customer account data by providing a 12-requirement structure for securing cardholder data that is stored, processed and/or processed and/or transmitted by merchants and other organizations. These standards were developed by the PCI Security Standards Council, a global organization founded by the five major credit card companies with the intent of producing, maintaining, and educating merchants on standard practices and procedures to transact credit card business securely.

Non-Compliance Risks

For the University

Cornell’s merchant status would be revoked by the acquirer, a mandate from the card issuers.

For the Merchant

The financial repercussions of non-compliance can be significant, especially in the event of a breach, and can have a domino effect on your business. Merchants who are compromised or found not to be in compliance risk incurring a number of fiscal and intangible costs, including, but not limited to, the following:

• Paying...
  • to provide credit watch services to affected customers
  • a call center to assist compromised customers with questions or concerns about the breach of information
  • to notify all customers that are potentially at risk of having their credit card information compromised/stolen
  • a firm to perform a forensic exam, which can stall operations
  • fines levied by the credit card issuers and/or the acquiring entity
• Having money held in escrow against future incursions
• Recovering from damage to the company's brand
• Losing the confidence of and good relations with customers, donors, parents, and students

For the Cardholder (your customer)

Customers can endure significant consequences when merchants fail to comply with accepted standards, including, but not limited to, the following:

• Having his or her account blocked during reissuance process
• Having his or her identity stolen