FI0311 – Procedures for Fiscal Policy FI0311 Credit Card Processing

Objective

This procedure provides the various obligations and processes involved for departments processing payment cards.

Scope

This procedure applies to all departments and University employees subject to FI0311.

Procedure

  1. Merchant Approval Process: The Merchant Approval Process (see attachment) for all credit card processing activities shall be as follows:
    1. The department or unit will contact the Merchant Services Coordinator in the Treasurer’s Office to discuss credit card processing options and obtain the Point of Sale and Internet Sales Approval Form for Departments and the internal procedure template.
    2. If it is determined that a third-party vendor is to be part of the payment solution, then the vendor must provide an Attestation of Compliance as it relates to the Payment Card Industry Data Security Standard (PCI DSS). If a vendor is unable to provide one, the vendor will no longer be considered.
    3. Treasurer’s Office will verify that any proposed card present point of sale equipment is part of a point-to-point encryption solution (P2PE). If it is not part of a P2PE solution, the equipment will not be approved for use.
    4. The department or unit submits the Point-of-Sale and Internet Sales Approval Form for Departments to accept credit/debit card payments to the CIO and the CBO.
    5. If the applicable CBO and applicable CIO approve, the department will forward the form to the Treasurer’s Office.
    6. The Treasurer’s Office will review the approved form and notify the submitting department that the form is acceptable.
    7. After the department completes appropriate training, completes the appropriate PCI DSS Self-Assessment Questionnaire, completes Revenue Questionnaire, and obtains all necessary approvals, the Treasurer’s Office will request a merchant number from the appropriate credit card processor and notify the department accordingly.
  2. Responsibilities of University Departments/Merchants: University departments that accept payment cards must:
    1. Transmit all credit or debit card deposit information to the campus central cashier as specified in FI0310.
    2. Complete PCI training annually, staying informed of responsibilities.
    3. Provide a list of all PCI systems and devices in their department to the applicable Chief Information Officer (CIO), once the University System Office of the Treasurer approves the merchant account.
    4. Notify the applicable CIO when the department is aware of changes to the department’s PCI resources.
    5. Reconcile and verify credit card transactions in the normal accounting reconciliation process.
    6. Notify the CIO and the Treasurer immediately of any suspected security breaches.
    7. Notify Treasurer’s Office of any proposed changes to the approved credit card transaction processes.
    8. Notify the Treasurer’s Office of any personnel changes as they relate to merchant services and PCI compliance.
    9. Complete appropriate PCI SAQ annually.
    10. Maintain PCI DSS compliance at all times.
  3. Responsibilities of Chief Information Officer for each Campus, Institute, or Unit: The CIO must:
    1. Review annual PCI SAQs for technical accuracy before the SAQs are submitted to the appropriate Chief Business Officer (CBO).
    2. Provide hardware, software, and other PCI-compliant technical guidance.
    3. Support departments/merchants in securing systems processing and transmitting payment data.
    4. Maintain lists of all systems and devices that handle, process, or store credit card numbers.
    5. Notify University of Tennessee System Administration Information Security Office (UTSA ISO) immediately of any suspected security breaches before making any changes to system(s).
    6. Notify UTSA ISO of any significant changes requiring an additional internal vulnerability scan.
    7. CIOs may designate the appropriate personnel to execute the above responsibilities. If the CIO names a designee, the CIO remains responsible for the above tasks.
  4. Responsibilities of the applicable Chief Business Officer: The applicable Chief Business Officer (CBO) must:
    1. Approve the business need for each department and unit requesting to accept credit cards, recognizing the inherent costs associated with PCI DSS compliance.
    2. Review annually the accuracy of the PCI SAQs submitted by each department/merchant. By approving the SAQs submitted to the Treasurer’s Office, the CBO accepts the associated risks on behalf of that campus/institute.
    3. Monitor campus payment processing activities conducted by University departments/merchants for compliance with PCI DSS and this policy.
    4. Note: CBO can designate the appropriate personnel to execute the above responsibilities.
  5. Responsibilities of University of Tennessee System Administration (UTSA) Information Security Office (ISO):
    The UTSA ISO must:
    1. Provide advice and guidance to enable applicable entities to understand and comply with the PCI DSS and industry best practices so that payment information can be safeguarded against theft, inadvertent disclosure, and other types of breaches.
    2. Review all proposed technology implementations associated with payment processing prior to applicable entities entering into contracts or equipment/software purchases.
    3. Provide on-site compliance assessments to review PCI processes and accuracy of PCI SAQs as required following a risk-based sampling method that complies with Payment Card Industry Data Security Standards.
    4. Investigate suspected security breaches and notify the Treasurer’s Office, who contacts the payment card processor as necessary.
    5. Coordinate quarterly external PCI scans on applicable PCI systems.
    6. Select PCI forensic investigators, when needed. Departments will be responsible for all costs that the University incurs when engaging with PCI forensic investigators.
  6. Responsibilities of Treasurer’s Office: The Treasurer’s Office must:
    1. Initiate and manage all communication with the University’s merchants.
    2. Approve outsourced electronic payment processors.
    3. Approve each department and unit that has submitted a request to accept credit cards.
    4. Request the merchant number for the department from the appropriate processor.
    5. Oversee credit card accounting for each approved department and unit.
    6. Maintain and validate the PCI DSS compliance documentation.
    7. Initiate and manage all communication with the University’s credit card processor.
    8. Assist with yearly site compliance assessments and review the adequacy of merchant PCI processes and the accuracy of PCI SAQs.
    9. Manage annual PCI SAQ reporting process.

Penalties/Disciplinary Action for Non-Compliance

If a department fails to comply with these procedures, the University may reject a department’s request for a merchant terminal. Credit card companies may impose substantial monetary fines on departments if a department fails to comply with applicable laws and regulations. Departments are responsible for fines that credit card processors impose.

Responsible Official & Additional Contacts

Subject Matter                          | Office Name                          | Telephone Number | Email/Web Address
Policy Clarification and Interpretation | Justin Holt, Office of the Treasurer | 865-974-4100     | Holt@tennessee.edu

Related Policies/Guidance Documents

FI0310—Receiving and Depositing Money

FI0330—Unrelated Business Taxable Income

FI0331—Sales and Use Tax

FI0405—Procurement

FI0420—Contracts


Version: 1 // Effective: 12/20/2025