Payment Card Acceptance

The University of Portland accepts credit and debit cards as payment for certain goods and services. This information is intended to provide guidance to departments who are processing these types of payments.

Credit card data is protected by state and federal laws, and the University of Portland has a legal obligation to protect that information. The University is committed to the protection of its customers’ private data, and departments must comply with the policies outlined in this document. Departments accepting credit and debit cards must do so in compliance with the Payment Card Industry Data and Security Standards (PCI DSS). The risks of noncompliance include substantial fines and penalties imposed on the University by the card associations. The University is liable for all financial losses incurred as a result of a security failure, and may result in the loss of the University’s ability to process credit card transactions.

The following responsibilities have been developed to assure the University
of Portland is in compliance with PCI regulations:

• Credit card merchant sites (whether online, in person, by mail, or by phone) must be established and maintained through the Controller’s Office.
• Departments who would like to accept credit and debit card payments must submit a request to the Controller’s Office. Departments may not begin accepting payment cards until the request has been approved.
• Only authorized and properly trained employees may accept and/or access credit and debit card information.
• Credit card information can be accepted in person, by phone, mail and secure website.
• Credit card information should never be accepted or communicated
  via email! Any email received which includes credit card information
  should be immediately deleted.
• Credit card information should never be stored on a University
  computer or server.
• All paper documents containing credit card numbers should be processed as soon as possible. Documents should be stored in a secure location such as a locked file cabinet or desk. After processing the transaction(s) the credit card number must be removed or destroyed.
• All transactions must be processed using a University owned PCI compliant terminal, or processed through the secured website using a University owned computer. No personal computers or mobile devices are allowed.
• Credit card receipts may only display the last 4 digits of the card number.

• All departments accepting credit and debit card payments are required to reconcile their batches on a daily basis. This includes preparing a deposit slip, and recording the daily activities with the Cashier in Waldschmidt Hall, first floor.
• Departments must notify the Controller’s Office of any changes in personnel who have access to process credit and debit card information.
• Processing of University of Portland Wells Fargo Purchasing cards is prohibited! Payments for University sponsored events should be completed on an Inter-Department Transfer Request form, or should be paid for using personal funds.
• The Controller’s Office reserves the right to audit any department processing credit and debit cards to ensure compliance of all items outlined above.