Merchant Services: Credit Card Policy and Security Standards

I. Policy

University of Iowa departments that accept credit cards as a form of payment for goods and/or services must receive approval from Treasury Operations and the University Controller BEFORE purchasing, or contracting for the purchase of, any systems involved in processing credit card transactions. As a condition of approval, merchants must agree to comply with all requirements of the Payment Card Industry Data Security Standard (PCI-DSS), as well as the University-specific controls outlined within this policy.

A. Who Should Know This Policy

Any individual with responsibility for managing credit card transactions, and any employee entrusted with handling or processing credit card information. This includes budget officers and systems managers.

II. Purpose

To establish guidelines and best practices for University entities engaging in the acceptance of credit cards. For the purpose of this policy, use of the term "credit cards" shall include the acceptance of cards bearing the logo of a credit card company, such as Visa, MasterCard, Discover, or American Express. Only those units which have received approval from Treasury Operations and the University Controller will be permitted to accept credit cards for payment of goods or services.

The ability to accept credit cards comes with significant responsibilities to maintain cardholder security and to mitigate the risk of fraud. The University, and all of its merchants, have a fiduciary responsibility to protect customer credit card information, and thus must adhere to the strict security requirements established by the Payment Card Industry Security Standards Council or face significant financial penalties if a breach or fraud occurs. It is also noteworthy that any compromise of cardholder information undermines public confidence in the University’s ability to maintain appropriate stewardship over entrusted confidential information. Lack of compliance in a single area of the University could jeopardize the University’s ability as a whole to accept payment cards.
  1. Policy
  2. Purpose
  3. General Responsibilities
  4. Merchant Responsibilities
  5. New Merchant Accounts
  6. Established Merchant Accounts
  7. Universal Compliance Requirements
  8. Important Links for Merchants

APPENDIX A: 12 PRIMARY REQUIREMENTS OF PCI DATA SECURITY STANDARDS
APPENDIX B: MERCHANT LEVELS DEFINED - COMPLIANCE VALIDATION REQUIREMENTS
APPENDIX C: SAQ & TRUSTWAVE SCAN REQUIREMENTS

Revised: June 2016