Policies
Welcome to Farmingdale State College’s Policy Library. This library is the official repository for all institutional policies and procedures and is intended to be a resource for faculty, staff and students seeking information related to the policies that govern the institution. This library does not contain department-specific policies and procedures. Please contact the department for specific departmental policies and procedures.
Please direct all questions regarding policy content to the Responsible Office listed on the respective policy.
If you wish to propose or amend an institutional policy, please review the Policy for Developing Institutional Policies and complete the Policy Proposal Form.
For assistance with drafting and amending policies, please refer to the Policy Writing Guidance and/or contact the Risk and Compliance Office at 934-420-5365.
Farmingdale State College's Payment Card Policy
Policy Purpose
The purpose of this policy is to establish processes and procedures for accepting payment cards at Farmingdale State College while complying with the Payment Card Industry Data Security Standards (PCI-DSS). Every organization that accepts credit and debit card payments is required to comply with PCI-DSS, which is a proprietary information security standard for protecting payment card data and intended to minimize the risk of exposing cardholder data.
Persons Affected
Faculty, Staff, Students, Third-Parties
Policy Statement
Farmingdale State College is committed to protecting cardholder data, securing customer information, providing the greatest value and availability of services, and complying with PCI-DSS. Failure to protect such information or comply with PCI-DSS may result in financial loss for individuals and entities, suspension of payment card processing privileges, fines, and damage to the reputation of the College.
All faculty, staff, students, affiliated organizations, contractors, or consultants that accept, handle, or process card payments and/or cardholder data on behalf of the College are required to participate in the necessary training, follow the procedures outlined in this policy, and comply with PCI-DSS to ensure that the processing and transmission of payment card information takes place in a secure environment.
Only devices and online platforms approved by the Finance Office can be used to accept card payments. All third parties used for processing payment cards must be preapproved by the Finance Office and Information Technology. Contracts and agreements with third parties providing payment card services must acknowledge that those services are PCI compliant. Department heads utilizing third parties for such services must request an annual Attestation of Compliance (AOC) from the third party and submit it to the PCI Committee as part of the PCI compliance process.
Card payments and cardholder data must never be collected or transmitted through mail, email, fax, text message, or over the phone. Cardholder data must not be stored electronically, on paper, or in any other manner.
Faculty, staff, students, and third parties are prohibited from manually entering credit card information for customers using Farmingdale’s IT network (both wired and wireless connections) and/or College-issued workstations (desktop, laptop, tablet, mobile device).
All faculty, staff and students are responsible for abiding by the FSC Credit Card Security Incident Response Plan and reporting any suspected or detected tampering of payment card devices. Such reports should be made to a member of the Response Team as indicated in the FSC Credit Card Security Incident Response Plan. College affiliates using third parties for their payment card device(s) must also follow procedures outlined in their agreements.
Procedures
- To request authorization to collect card payments, College department heads must contact the Finance Office.
- Based on the request, the Finance Office will determine the best method for collecting card payments. The two primary methods include an online platform (i.e., Marketplace) and in-person point of sale (POS) machine.
- Once approved to accept payment cards, whether in person or online, each department must create departmental procedures for collecting card payments. Departments may adopt the procedural templates provided in this document or create their own. These procedures must be submitted annually through the PCI Compliance process.
- Access to process card payments and other aspects of the processing environment should be limited to only personnel who have a business need. This includes access to devices and approved online platforms.
- It is the department head’s responsibility to ensure all appropriate personnel are trained as required by PCI-DSS. The following personnel are required to complete training provided by the PCI Committee, upon hire and annually:
  - Anyone processing a payment card transaction
  - Managers with oversight of any payment card processing activities
  - All those with access to cardholder data
  - All those who have access to the processing environment, including those accepting payment cards through approved online platforms
- The following steps must be taken for processing in-person payments through a payment card device:
  - Department heads will be responsible for the security of the payment devices and must review the Guidance on Inspecting Payment Card Devices
  - Department supervisors must maintain a list of all POS devices and personnel authorized to use them
  - Credit card terminal passwords must be kept in a secure location and should never be displayed
  - A PCI Payment Card Device Log must be completed on a regular basis to check for tampering of the device
  - Devices should be kept in a secure location when not in use
  - Credit cards with a chip must be processed using the chip reader. If the chip does not work, the card number may not be entered directly into the device. The customer must use a different card or another method of payment.
  - Someone other than the cardholder may not authorize payment
  - Picture ID is required if the card is not signed
  - Customers should be provided with a receipt for the transaction
  - Transaction documentation and merchant receipts should be stored in a secure (locked) area
  - Student Accounts and third-party credit card machine batch-out procedures must be followed
- The Finance Office or third party will provide access to approved online platforms.
- Card payments and cardholder data must never be collected or transmitted through mail, email, fax, text message, or over the phone. If payment card information is submitted by these means, do not process the payment, or transmit it by any means. Respond to the mail, email, fax, caller, or text by clearly stating the policy of not taking card payments via these methods. Identify steps to delete or dispose of the cardholder data as soon as possible.
- The department heads of all areas processing payment card transactions must complete an annual PCI Compliance Form to ensure compliance with PCI-DSS. The form will require the following:
  - A listing of staff who process payment card transactions, have access to cardholder data, and those with access to the processing environment
  - Acknowledgement that all appropriate staff have completed PCI-DSS training
  - Indication of the methods used to collect card payments
  - Submission of department-specific procedures for collecting and processing card payments and cardholder data
  - Submission of PCI Device Inspection Logs, if applicable
  - Attestation that cardholder data is not being stored in any manner
  - Attestation of Compliance for third parties, if applicable
  - Other information necessary to assist the PCI Committee in completing the Self-Assessment Questionnaire (SAQ)
Definitions
Processing Environment - the processing environment includes processing a payment card transaction by means of a payment card device, referring customers to make online payments, virtual access to online platforms utilized for processing transactions, and the physical access to payment card devices and other related documentation.
Payment Card - any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
Cardholder Data - elements of payment card information that must be protected, including the primary account number (PAN), cardholder name, expiration date, and the service code.
Payment Card Industry Data Security Standards (PCI DSS) - the security requirements defined by the Payment Card Industry Data Security Standards Council and the major credit card brands, including Visa, MasterCard, Discover, American Express, and JCB.
Related Documents
Payment Card Industry Data Security Standards (PCI DSS)
Departmental Procedure Template for Accepting Payment Cards
Guidance on Inspecting Payment Card Devices
FSC Credit Card Security Incident Response Plan
Responsible Office
Risk and Compliance
Policy History
Approval Date: 7,12,2022