Policy Statement

Harvard University accepts credit cards as payment from external parties for certain goods, services, or gifts. Harvard mandates that all credit card-accepting local units, called “merchants,” do the following:

1. For one-time sales, use the University’s approved credit card processing vendor.
2. For ongoing sales, request set up through the central Cash Management office and comply with the credit card industry standards, University guidelines and annual certifications as set forth in the University's Credit Card Merchant Handbook.

Reason for Policy

Credit card data is high risk confidential information that is protected by state and federal law and Harvard has a legal obligation to protect it. Credit card associations require all merchants to follow protocols titled Payment Card Industry Data Security Standards (“PCI DSS”), designed to prevent cardholder fraud and identity theft. All merchants must comply with PCI DSS before accepting credit cards and must also certify their compliance annually. The risks of non-compliance include substantial fines and penalties imposed on the University by the card associations, University liability for all financial losses incurred as a result of a security failure, and damage to the University’s reputation.

Who Must Comply

All Harvard University schools, tubs, local units, Affiliate Institutions, Allied Institutions and University-wide Initiatives that process, store or transmit cardholder data or plan to outsource the process, storage or transmission of cardholder data.

Procedures (see links in Related Resources section)

1. Determine the scope of credit card needs. While accepting credit cards is a convenience for customers, it also entails legal/financial risk for merchants and requires substantial compliance activities. Local units should consider the risks and responsibilities associated with accepting credit cards, as well as credit card payment alternatives, before requesting a merchant account.
   1. All sales: prepare to consult with CMO about your needs.
      1. Review Appendix A, New Credit Card Merchant Account Request, to understand the types of information required for merchant set up.
      2. Review Appendix B, Summary of the Harvard University Credit Card Merchant Handbook, to understand the types of compliance activities required of merchants.
      3. Prepare a rough estimate of monthly dollar and transaction volumes.
      4. Ready a list of any questions.
          
2. Contact the CMO at PCI_Compliance@harvard.edu. The CMO will provide additional guidance to units considering merchant set up. CMO can also offer alternative payment suggestions to units for whom merchant set up and maintenance is not suitable.
    
3. Read the full Harvard University Credit Card Merchant Handbook, for a complete discussion of the requirements and procedures surrounding the acceptance of credit cards at the University before submitting a request for merchant set up.
    
4. Request merchant set up.
   1. Tub financial deans or equivalent must request merchant accounts on behalf of their departments.
   2. To establish a new merchant account, complete and submit the following forms to the CMO:
      1. New Merchant Request Form
      2. Harvard Credit Card Merchant Agreement
   3. Allow sufficient time for merchant set up. Depending on the complexity of the request, setting up a new credit card merchant account can take several weeks after the CMO has received and approved all of the appropriate documentation. Due to the time requirements for setup, departments should request credit card merchant accounts as soon as possible after determining one is needed.
       
5. Plan for appropriate use.
   1. Intercompany transactions: to minimize costs and also ensure accurate accounting, in most cases, Harvard merchants must not accept University purchasing cards (PCards) or University corporate cards for payment of University business purchases. See the Internal Billing and Purchasing Card policies.
   2. Acceptable cards: Harvard merchants may accept VISA, MasterCard, Discover and American Express.
       
6. Perform annual PCI compliance activities. These include annual certifications, reconciliations, and audits where appropriate. See the full Harvard University Credit Card Merchant Handbook for details.
    
7. Annually, review existing merchant accounts and close unnecessary ones.

Responsibilities and Contacts

Financial deans or equivalent tub financial officers are responsible for ensuring that local units abide by this policy and the accompanying procedures.

Cash Management Office (CMO) within the Office of Treasury Management, is responsible for maintaining this policy and the Credit Card Merchant Handbook, answering related questions, and managing and reporting the University’s compliance status. Contact: PCI_Compliance@harvard.edu

Harvard University Information Technology IT Security (HUIT IT Security) provides technical assistance to the Cash Management Office and schools/units and ensures that all merchants are in compliance with University high risk confidential information (HRCI) policies and PCI DSS requirement. Contact: Information Security and Privacy

Risk Management & Audit Services (RMAS) performs periodic merchant audits and evaluates the security levels of credit card server locations. Contact: Risk Management & Audit Services

Definitions

Customer: An individual or other external entity that makes a payment to the University for goods, services or gifts. 
Merchant: A local unit that accepts credit and/or debit cards as a method of payment for goods, services or gifts.
Merchant account: An account established with the University’s credit card processor to uniquely identify the local units credit/debit cards sales and processing fees.

Revision History

6/30/2013: updated format, added appendices

Appendices

Appendix A: New Credit Card Merchant Account Request
Appendix B: Summary of the University Credit Card Merchant Handbook