Accepting Credit Card Payments

An in-depth review of this policy will occur in FY25.

Policy Statement

Harvard University accepts credit cards as payment from external parties for certain goods, services, or gifts. Harvard mandates that all credit card-accepting local units, called “merchants,” investigate the following options before requesting a new merchant account:

Reason for Policy

Credit card data is high risk confidential information that is protected by state and federal law, and Harvard has a legal obligation to protect it. Credit card associations require all merchants to follow protocols titled Payment Card Industry Data Security Standards (“PCI DSS”), designed to prevent cardholder fraud and identity theft. All merchants must comply with PCI DSS before accepting credit cards and must also certify their compliance annually. The risks of non-compliance include substantial fines and penalties imposed on the University by the card associations, University liability for all financial losses incurred as a result of a security failure, and damage to the University’s reputation.

Who Must Comply

All Harvard University schools, tubs, local units, Affiliate Institutions, Allied Institutions and University-wide Initiatives that process, store or transmit cardholder data or plan to outsource the process, storage or transmission of cardholder data.

Procedures (see links in Related Resources section)

  1. Determine the scope of credit card needs. While accepting credit cards is a well-accepted method of payment for customers, it entails legal/financial risk for merchants and requires substantial compliance activities. Local units should consider the risks and responsibilities associated with accepting credit cards, as well as credit card payment alternatives, before requesting a merchant account. Review Appendix B, Summary of the Harvard University Credit Card Merchant Handbook, to understand the types of compliance activities required of merchants.
    1. Review eCommerce Payment Decision Tool to determine which payment product matches your needs.
    2. Prepare to consult with CMO about your needs.
      1. Review TouchNet Marketplace eCommerce Tool for detailed information about online payment acceptance options. When using TouchNet uStores, an ecommerce storefront, departments can leverage the tub’s central finance merchant account to minimize PCI Compliance responsibilities.
      2. Ready a list of any questions.
      3. Prepare a rough estimate of monthly dollar and transaction volumes.
      4. Review Appendix B, Summary of the Harvard University Credit Card Merchant Handbook, to understand the types of compliance activities required of merchants.
      5. Review Appendix A, New Credit Card Merchant Account Request, to understand the types of information required for merchant set up.
         
  2. Contact the CMO at PCI_Compliance@harvard.edu. The CMO will provide additional guidance to units considering merchant set up. CMO can also offer alternative payment suggestions to units for whom merchant set up and maintenance is not suitable.
     
  3. Read the full Harvard University Credit Card Merchant Handbook for a complete discussion of the requirements and procedures surrounding the acceptance of credit cards at the University before submitting a request for merchant set up.
     
  4. Request merchant set up.
    1. Tub financial deans or equivalent must request merchant accounts on behalf of their departments.
    2. To establish a new merchant account, complete and submit the following forms to the CMO:
      1. New Merchant Request Form
      2. Harvard Credit Card Merchant Agreement
    3. Allow sufficient time for merchant set up. Depending on the complexity of the request, setting up a new credit card merchant account can take several weeks after the CMO has received and approved all of the appropriate documentation. Due to the time requirements for setup, departments should request credit card merchant accounts as soon as possible after determining one is needed.
       
  5. Plan for appropriate use.
    1. Intercompany transactions: to minimize costs and also ensure accurate accounting, in most cases, Harvard merchants must not accept University purchasing cards (PCards) or University corporate cards for payment of University business purchases. See the Internal Billing and Purchasing Card policies.
    2. Acceptable cards: Harvard merchants may accept VISA, MasterCard, Discover and American Express.
       
  6. Perform annual PCI compliance activities. These include annual certifications, reconciliations, and audits where appropriate. See the full Harvard University Credit Card Merchant Handbook for details.
     
  7. Annually, review existing merchant accounts and close unnecessary ones.

Responsibilities and Contacts

Financial deans or equivalent tub financial officers are responsible for ensuring that local units abide by this policy and the accompanying procedures.

The Cash Management Office (CMO), within the Office of Treasury Management, is responsible for maintaining this policy and the Credit Card Merchant Handbook, answering related questions, and managing and reporting the University’s compliance status. Contact: PCI_Compliance@harvard.edu

Harvard University Information Technology IT Security (HUIT IT Security) provides technical assistance to the Cash Management Office and schools/units and ensures that all merchants are in compliance with University high risk confidential information (HRCI) policies and PCI DSS requirements. Contact: https://security.harvard.edu/report-incident.

Risk Management & Audit Services (RMAS) performs periodic merchant audits and evaluates the security levels of credit card server locations. Contact: http://rmas.fad.harvard.edu/people

Definitions

Customer: An individual or other external entity that makes a payment to the University for goods, services or gifts. 
Merchant: A local unit that accepts credit and/or debit cards as a method of payment for goods, services or gifts.
Merchant account: An account established with the University’s credit card processor to uniquely identify the local unit’s credit/debit card sales and processing fees.

Revision History

6/30/2013: updated format, added appendices
6/1/2013.01M: revised 04/22/2024 corrections to dated information links and contact information.

Appendices

Appendix A: New Credit Card Merchant Account Request
Appendix B: Summary of the University Credit Card Merchant Handbook