Administrative Procedure 8.710
Credit Card Administration
Administrative Procedure Chapter 8, Business and Finance
Administrative Procedure AP 8.710, Credit Card Administration
Effective Date: September 2021
Prior Dates Amended: June 1992, July 2001, April 2005, March 2015, January 2020
Responsible Office: Office of the Vice President for Budget and Finance/Chief Financial Officer
Governing Board and/or Executive Policy: EP 1.102, Authority to Manage and Control the Operations of the Campus
Review Date: September 2023
This policy applies to credit card payments processed by the University designated as the merchant of record. The purpose of this policy is to outline the responsibilities of departments that accept credit card payments and to provide procedures for these departments to follow.
To safeguard the University’s information technology resources and to protect the confidentiality of cardholder data, adequate security measures must be taken. Credit card data stored, processed, or transmitted by the University merchant accounts must be protected and must conform to the Payment Card Industry Data Security Standard (PCI DSS).
The University requires that all departments that accept credit card payments comply with applicable PCI DSS requirements and related University policies and procedures.
Departments that fail to comply with PCI DSS and University policies and procedures may have their ability to accept credit cards suspended or revoked. In addition, they may face penalties, fines, or restrictions.
III. Administrative Procedure
Goal - Maintain an Information Security Policy
Consistent policies and procedures are required to be practiced and followed at all times.
All employees should be aware of the sensitivity of data and their responsibilities for protecting it. The University’s information security policy and procedures apply to all employees (full-time, part-time, casual hires, student employees) and others (i.e., volunteers) who work within the University’s cardholder data environment.
If cardholder data is shared with a third-party Service Provider:
• A list of such Service Providers must be maintained.
• There shall be a written agreement with the Service Provider.
• The Service Provider shall be monitored for PCI DSS compliance.
If a merchant department believes it may have a breach of cardholder information or of systems related to the PCI environment, refer to Appendix C for the University’s PCI Incident Response Plan Guidelines.
IV. Delegation of Authority
There is no administrative-specific delegation of authority.
V. Contact Information
Treasury Office, 956-7638, or firstname.lastname@example.org
PCI Security Standards Council: https://www.pcisecuritystandards.org/pci_security/
PCI DSS validated payment applications: https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true
Visa Global Registry of Service Providers: https://www.visa.com/splisting/searchGrsp.do
ITS Minimum Security Standards: https://www.hawaii.edu/infosec/minimum-standards/
VII. Exhibits and Appendices
Appendix A – UH PCI Technical Guidelines
Appendix B - Credit Card Administration – Participation and Change Request Form
Appendix C – UH PCI Incident Response Plan Guidelines
Vice Pres for Budget & Fin/CFO
November 02, 2021
Topics: Credit Card; Confidentiality; Security; Data