MSU PCI Policy
Introduction and Purpose: The university accepts credit cards for payments made to the university and its departments. This policy sets forth the requirements for the approval and the responsibilities of the departments approved to accept credit card payments for university related charges.
Approval: Any university employee, department or other unit of the university that propose to collect credit card payments or collect or transmit cardholder data, for university related programs or activities must be approved in advance by the University Business Services office. The application can be found on University Business Services Forms web page.
Responsibilities: Any university employee, department or unit of the university approved to collect credit card payments, or collect or transmit cardholder data is responsible for compliance with the accounting procedures, training requirements and security standards set by the university and the Payment Card Industry Data Security Standard (PCI DSS). University Business Services is responsible to approve requests for credit card payments, set accounting and security standards and monitor the credit card acceptance program at MSU.
Compliance: Failure to follow university policies or a lapse in identity security may result in the suspension or revocation of the approval to accept credit card payments and cardholder information.
MSU Credit Card Merchant Procedure
The MSU Credit Card Merchant Procedure informs current and potential MSU credit card merchants about responsibilities with respect to safeguarding customer data, receipting payments, and adhering to the Payment Card Industry Data Security Standard (PCI DSS). Improper protection of merchant card data, whether in electronic or paper form, could lead to a security breach that may result in regulatory notification requirements, loss of reputation, loss of customers and donors, fines, legal fees and litigation.
MSU's procedure presents options available to current and potential MSU credit card merchants. Additionally, the procedure lists the responsibilities of University Business Services office in maintaining effective internal control processes concerning the acceptance of credit card payments and in providing regular training of credit card merchants in proper safeguarding procedures.
PCI Incident Response Plan
The MSU PCI Incident Response Plan (IRP) streamlines MSU's response to an actual/suspected credit card data breach and fraud. This document defines those responsible, the classification and handling of, and the reporting/notification requirements for the IRP at Montana State University.
Procurement and PCI
If your department or operation is considering the purchase or upgrade of a system that will accept, process, transmit or store credit card information, such as online credit card payments or a similar process, you first need to review Payment Card Industry Data Security Program and Standard in the Related Documents section below.
Any contract or purchase, at any cost, that involves software, hardware, equipment or services dealing with credit card payments on behalf of the university must be in accordance with PCI DSS Policy and must have prior approval from the PCI Working Team (PCI@montana.edu). Please supply the PCI Working Team with the vendor’s most recent attestation of compliance (AoC). Third party software applications must be configured to utilize Nelnet’s Payment Gateway.
All faculty, staff and students handling cardholder data on behalf of Montana State University must complete annual PCI training. If you need to be registered for this mandatory training, please email firstname.lastname@example.org.