Office of the Bursar

Payment Card Industry Data Security Standards (PCI DSS) Compliance, Policy on

Title: Payment Card Industry Data Security Standards (PCI DSS) Compliance, Policy on
Policy Owner: Office of the Bursar Cash Operations, UConn Information Security Office
Applies to: Workforce Members
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: June 17, 2026
Effective Date: July 1, 2026
For More Information, Contact: Director of Cash Management & University Bursar, Chief Information Security Officer
Contact Information: cashoperations@uconn.edu
Official Website: https://bursar.uconn.edu/departments/cash-operations/

PURPOSE

To provide requirements for safeguarding Customers’ payment card data and cardholder information. Failure to protect this information may result in financial loss for Customers, suspension of credit card processing privileges, fines, and damage to the reputation of the University.

APPLIES TO

Workforce members involved with payment card handling which includes but is not limited to collection, processing, transmission, or storage of payment card data in any form on behalf of the University.

DEFINITIONS

Attestation of Compliance (AOC): A formal document certifying an organization’s compliance with Payment Card Industry Data Security Standards (PCI DSS).

Cardholder Data (CHD): Elements of payment card information that must be protected, including the primary account number (PAN), cardholder name, expiration date, and security code.

Customer: Any individual or entity conducting a financial transaction with the University that involves the collection, processing, transmission, or storage of their payment card data.

Department: A University unit approved by the PCI Team to accept payment cards without maintaining a designated unique merchant identification number.

Merchant: A department or unit approved by the PCI Team in accordance with University policy to be assigned a designated unique merchant identification number for payment card acceptance.

Payment Card Industry Data Security Standards (PCI DSS): Technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. The standards globally govern all merchants and organizations that store, process, or transmit this data. Compliance with the PCI set of standards is mandatory and enforced by the major payment card brands who established the Council.

Payment Card Industry Security Standards Council (PCI SSC): A global forum that brings together industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

PCI Responsibility Matrix: A framework that clearly defines and allocates specific PCI DSS tasks and requirements among different parties, such as a merchant and its service providers. It maps each PCI DSS requirement to the responsible party, which can be the merchant, a service provider, or a shared responsibility.

PCI Team: Group composed of representatives from Office of the Bursar Cash Operations and the UConn Information Security Office.

PCI Violation: Any action, inaction, or condition that results in non-compliance with PCI DSS requirements.

Point of Interaction (POI) Devices: Any hardware used to capture payment card data (e.g., card readers, PIN pads, kiosks)

Point-to-Point-Encryption (P2PE): A PCI-listed solution that cryptographically protects cardholder account data from the point where a merchant accepts the payment card to the secure point of decryption.

Point-to-Point Encryption Self-Assessment Questionnaire (P2PE SAQ): Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment specific to PCI-validated Point-to-Point Encryption (P2PE) solutions. The P2PE self-assessment document is maintained by the PCI Security Standards Counsel.

Self-Assessment Question (SAQ): Validation tool to assist merchants report the results of their self-assessed PCI DSS compliance.

Third Party Service Providers: Business entities that are not a payment brand, directly involved in the processing, storage, or transmission of cardholder data and/or sensitive authentication data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.

POLICY STATEMENT

The University of Connecticut is committed to protecting Cardholder Data (CHD) and maintaining compliance with the Payment Card Industry Data Security Standards (PCI DSS). All payment card activities conducted on behalf of the University must be performed in a manner that minimizes risk to cardholders and the institution, limits the handling of Cardholder Data, and ensures consistent compliance with PCI DSS requirements.

Storing of CHD

University workforce members must never record or store Cardholder Data in any physical or electronic format, including paper or electronic documents.

Appropriate Use of Payment Channels

Electronic Payments

Customers must be directed to complete electronic payments online using their own device and must not be directed to use a University device to enter CHD.  CHD must not be entered by staff on University computers or workstations.

In-Person Payments

The cardholder must always maintain their physical card when making payment in-person.  University workforce members must never take possession of the Customer’s physical card.

Mail Order Payments

Usage of mail order forms is prohibited unless otherwise approved by the PCI Team.  If usage of mail order forms is approved, all CHD must be physically destroyed in a manner that renders the data un-recoverable immediately after processing such as cross-cut shredding.  The remaining portion of the mail order form must be retained in compliance with University retention requirements.

Telephone Payments

Accepting card payment over the phone is prohibited unless otherwise approved by the PCI Team.  If acceptance of phone payments is approved, they must be taken over a physical phone only and cannot be accepted via Voice Over IP (VOIP) software.

Email

Receiving and processing CHD via email is prohibited. If CHD is received via email, the CHD must be deleted immediately from all Outlook folders including the deleted folder and the card payment must not be processed.

Point of Interaction (POI) Devices

All in-person, mail order, and telephone payment card transactions must be processed exclusively through PCI-validated Point-to-Point Encryption (P2PE) Point of Interaction Devices. POI Devices must be listed on the PCI Security Standards Council (PCI SSC) list of validated P2PE solutions.

Exceptions must be approved by the PCI Team and will only be granted for Merchants who have a business need to use a vendor that does not offer P2PE POI Devices.

Merchants and Departments, using POI Devices must meet the requirements outlined in the current Point-to-Point Encryption Self-Assessment Questionnaire (P2PE SAQ), including but not limited to:

  • restricting physical access;
  • provide training for awareness of POI Device tampering;
  • following POI Device log procedures; and
  • completing POI Device inspections, with frequency of inspection determined by a targeted risk assessment of the device environment.

Annual Self-Assessment Questionnaire (SAQ) Submission

All Merchants must submit an SAQ annually.  The SAQ type must align with the Merchant’s payment processing method(s) and business environment.  The PCI Team will coordinate with Merchants on the completion and submission of the annual SAQ.

Third Party Service Providers

Merchants and Departments may have a need to use Third Party Service Providers to provide functionality for processes such as event registration, non-credit programming, ticketing, and other services that cannot be accommodated through the University’s centralized e-commerce platform.

Using a Third-Party Service Provider does not transfer PCI DSS responsibility from the University. All Third-Party Service Providers must:

  • be contracted through the University’s procurement process;
  • be approved by the PCI Team;
  • demonstrate PCI DSS compliance through vetting and monitoring;
  • provide a PCI Responsibility Matrix and a current Attestation of Compliance (AOC).

Merchants and Departments must request the AOC annually as part of ongoing service provider management. The AOC must be submitted to the PCI Team for the annual SAQ submission.

Annual Training

Workforce members involved with the acceptance and processing of CHD must complete annual training on PCI DSS compliance and information security awareness in accordance with University policy.  The PCI Team is responsible for providing training to required workforce members.

Annual Policy & Procedure Review

Merchants and Departments must review all payment card processing policies and procedures on an annual basis.

Incident Response Reporting

Any actual or suspected unauthorized access or disclosure of  Cardholder Data must be reported immediately to the PCI Team by emailing security@uconn.edu and cashoperations@uconn.edu.   The UConn Information Security Office shall assess all reported events and when appropriate activate the University Incident Response Plan.

ENFORCEMENT

Failure to meet the requirements outlined in this policy may result in suspension of the physical and, if appropriate, electronic payment capability for the responsible Department(s) or Merchant(s). In the event of a PCI Violation, the payment card brands may assess penalties to the University’s merchant services bank, which may be passed on to the University. The responsible Department or Merchant will be financially accountable for any such penalties assessed and passed on to the University.

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES/FORMS

POI Device Inspection Procedures

REFERENCES

Data Classification Policy
Incident Response Plan
Opening a Merchant Account for Credit Card Acceptance
PCI SSC Validated P2PE Solution Listing
P2PE SAQ
Records Management Policy
Security Awareness Training Policy

POLICY HISTORY

Policy created: June 17, 2026 (Approved by the University Senior Policy Council and President)

Short Term Advances ("Change Funds")

Title: Short Term Advances (“Change Funds”)
Policy Owner: Office of the Bursar
Applies to: Faculty, Staff
Campus Applicability: Storrs and Regional Campuses
Approval Date: August 8, 2025
Effective Date: August 8, 2025
For More Information, Contact: Office of the Bursar
Contact Information: cashoperations@uconn.edu
Official Website: https://bursar.uconn.edu/departments/cash-operations/

PURPOSE

To establish a uniform controls for providing Short Term Advances to departments in conjunction with University events to ensure safeguard University assets.

APPLIES TO

This policy applies to departments seeking a Short Term Advance.

DEFINITIONS

Short Term Advance: An advance of funds issued for a period of two weeks or less for the purpose of making change for cash payments for a specified University event

POLICY STATEMENT

The Office of the Bursar has sole responsibility for issuing Short Term Advances to departments.  University departments who receive Short Term Advances are responsible for returning the funds no later than two weeks after the date of receipt of the funds.  Any department who receives a Short Term Advance is required to adhere to controls and reconciliation processes established by the Office of the Bursar.

ENFORCEMENT

Any department that does not comply with this policy shall be ineligible to receive future Short Term Advances.  Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, and applicable collective bargaining agreements.

PROCEDURES

Short Term Advances must be requested through the Office of the Bursar Cash Operations webform.  Departments must follow the procedures for safeguarding and reconciling funds as outlined on the Office of the Bursar Cash Operations website.

REFERENCES

Office of the Bursar Cash Operations website

POLICY HISTORY

Policy created: 8/18/2014

Revisions: 08/08/2025 (Approved by Senior Policy Council)

 

Returned Check Policy

Title: Returned Check Policy
Policy Owner: Office of the Bursar
Applies to: Faculty, Staff, and Payors
Campus Applicability: Storrs and Regional Campuses
Approval Date: September 29, 2025
Effective Date: September 29, 2025
For More Information, Contact: Office of the Bursar
Contact Information: 860-486-4830
Official Website: https://bursar.uconn.edu/

PURPOSE

To ensure compliance with Section 4 of the State of Connecticut Office of the State Comptroller Accounting Manual for Receipts regarding processing and accounting for returned Checks.

APPLIES TO

This policy applies to all departments that receive check payments on behalf of the University, and to all payors, including students and external customers, who submit payments to the University for goods and/or services.

DEFINITIONS

Check: A personal paper check or a personal electronic check (“e-check”).

POLICY STATEMENT

Checks deposited by the University that are returned by the bank due to insufficient funds or other reasons are the responsibility of the depositing department to resolve, including the collection of funds still owed to the University.  The department or payor will be charged for the amount of the returned check, including any applicable bank fees.

For fee bill payments, the University’s payment processor may charge student payors a fee for any Check returned by the bank for insufficient funds. The Office of the Bursar reserves the right to block a student with returned Check payments from using that payment method in the future, requiring payment instead by money order, certified cashier’s check, credit card, or wire payment.

For all other returned Checks, the department has the discretion to accept or reject future Check payments from the payor.

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

PROCEDURES

The Office of the Bursar Cash Operations unit is notified by the bank if a Check is returned to the University. Cash Operations sends the notification to the appropriate depositing department. It is the department’s responsibility to submit the appropriate entry in the general ledger system to reflect the returned payment. Cash Operations approves the entry based on the debit to the University’s bank account.

REFERENCES

State of Connecticut Office of the Comptroller Accounting Manual, Receipts, Section 4

POLICY HISTORY

Policy created: 08/19/2014

Revisions:

01/24/2022 (Reviewed with updates only to the Procedures)

09/29/2025 (Approved by the University’s Senior Policy Council and President)

Opening a Merchant Account for Credit Card Acceptance

Title: Opening a Merchant Account for Credit Card Acceptance
Policy Owner: Office of the Bursar
Applies to: Faculty, Staff
Campus Applicability: Storrs and Regional Campuses
Approval Date: September 29, 2025
Effective Date: September 29, 2025
For More Information, Contact: Office of the Bursar Cash Operations
Contact Information: cashoperations@uconn.edu
Official Website: https://bursar.uconn.edu/departments/cash-operations/

PURPOSE

To ensure University compliance with the Payment Card Industry Data Security Standards (PCI DSS) found at www.pcisecuritystandards.org.

APPLIES TO

This policy applies to any department requesting a merchant account to accommodate customers who want to pay by credit or debit card, and the University’s centralized eCommerce system cannot meet their needs.

DEFINITIONS

Payment Card Industry Data Security Standards: PCI DSS are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. The standards globally govern all merchants and organizations that store, process, or transmit this data – with new requirements for software developers and manufacturers of applications and devices used in those transactions. Compliance with the PCI DSS is mandatory for their respective stakeholders, and is enforced by the major payment card brands who established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

POLICY STATEMENT

Credit card transactions are monetary transactions and therefore are subject to the same control and reconciliation policies as cash transactions. No department may open a merchant account to accept credit card transactions without the approval of the Controller and Bursar.

New merchant accounts must be opened through Office of the Bursar and receive Controller approval.  Merchant accounts will only be approved if the University’s centralized eCommerce system cannot meet the needs of the requesting department.  All University approved accounts must adhere to the PCI DSS including the performance of the Self-Assessment Questionnaire (SAQ), annual attestation, and successful University computer and network scans, as applicable.

ENFORCEMENT

The Office of the Controller may at any time terminate the department’s merchant account for a policy/procedure violation. In addition, payment card industry compliance violations may result in fines from the payment brands (VISA, MasterCard, Discover, American Express, JCB, BC Card, DinaCard and Diner’s Club) to the acquiring bank, at their discretion, from $5,000 to $100,000 per month which may be charged back to the department in noncompliance. Fines are dependent on volume of credit cards breached and remediation efforts required.

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University Laws and By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

PROCEDURES/FORMS

Detailed procedures and resource documents may be found on the Office of the Bursar website at: https://bursar.uconn.edu/cash-operations/ .  

POLICY HISTORY

Created: 08/19/2014

Reviewed with no revisions: 01/14/2022

Revised: 09/29/2025 (Approved by the University’s Senior Policy Council and President)

Non-Student Receivables Invoicing Policy

Title: Non-Student Receivables Invoicing Policy
Policy Owner: Office of the Bursar
Applies to: Faculty, Staff
Campus Applicability: Storrs and Regional Campuses
Approval Date: August 8, 2025
Effective Date: August 8, 2025
For More Information, Contact: Office of the Bursar
Contact Information: 860-486-5995
Official Website: https://bursar.uconn.edu/departments/accounts-receivable/

PURPOSE

University departments provide goods and/or services to the general public and organizations world-wide.  In accordance with the State of Connecticut Office of the State Comptroller Management of Receivables, it is the responsibility of the University to invoice customers and notify them of their financial obligation to the University.

APPLIES TO

This policy applies to departments, faculty, and staff that provide goods and/or services to customers on credit.

POLICY STATEMENT

University departments and units must invoice customers at the time goods and/or services are rendered using the Kuali Financial System (KFS).  The Office of the Bursar may grant exceptions to this policy after assessing the department or unit’s alternative billing methods for adherence to proper internal control procedures.

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University Laws and By-Laws, General Rules of Conduct for All University Employees, and applicable collective bargaining agreements.

PROCEDURES

For additional information, access the KFS Cash and Accounts Receivable Procedure Guide at: https://bursar.uconn.edu/departments/accounts-receivable/.

REFERENCES

State of Connecticut Office of the State Comptroller Management of Receivables

POLICY HISTORY

Policy created: 08/18/2014

Revisions:
08/08/2025 (Approved by the Senior Policy Council)
01/24/2022 (Editorial revision)

 

Cash Collection and Deposit

Title: Cash Collection and Deposit
Policy Owner: Office of the Bursar
Applies to: Faculty, Staff
Campus Applicability: Storrs and Regional Campuses
Approval Date: August 8, 2025
Effective Date: August 8, 2025
For More Information, Contact: Office of the Bursar
Contact Information: cashoperations@uconn.edu
Official Website: https://bursar.uconn.edu/departments/cash-operations/

PURPOSE

To ensure compliance with Title 4 Chapter 47 Section 4-32 of the Connecticut General Statutes for accounting and depositing of any Cash received by the University.

APPLIES TO

This policy applies to any University department receiving Cash.

DEFINITIONS

Cash: Includes currency, checks, money orders, electronic payments, and all other negotiable instruments.

POLICY STATEMENT

Any department or unit at the University receiving Cash must deposit funds within 24 hours of receipt if the total amount is $500 or more; lesser amounts may be held until total receipts reach $500 but not for a period of more than seven calendar days.  All cash must be deposited into a University bank account.  Funds must be accounted for daily in the University’s general ledger system, regardless of total amount collected.

Any missing funds must be immediately reported to the University Police Department and the Office of the Controller. The results of the investigation will determine the subsequent actions. See also the Policy on the Prevention and Reporting of Fraud and Fiscal Irregularities.

ENFORCEMENT

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, and applicable collective bargaining agreements.

PROCEDURES

Consult the Cash Operations and Accounts Receivable procedures in KnowledgeBase for proper cash handling controls for your department. Additional information is available on the Office of the Bursar website.

REFERENCES

Connecticut General State Statute Title 4 Chapter 47 Section 4-32. State Revenue Accounting

POLICY HISTORY

Revisions:
08/08/2025 (Approved by the Senior Policy Council)
01/14/2022
08/19/2014