A growing number of Harvard units accept credit cards over the web, by fax, or by telephone. Unfortunately, this makes these units perfect targets for bankcard fraud. Scamsters take advantage of the fact that they can operate anonymously, and they know that many of the credit card features that prevent fraud in the physical world do not apply in the card-not-present environment. There is therefore a greater need for protection against fraud exposure and associated losses, primarily because card-not-present merchants can be held financially responsible for a fraudulent transaction even if the card issuer has approved it. Below are guidelines Harvard has established for protecting credit card data and transactions. Both existing and new applications must conform to PCI standards.
Credit Card Authorization Online Verification
- Schools and departments that are planning to accept credit cards must contact Cash Management at extension 5-4397. Cash Management will work with you to set up both the credit card merchant account and the bank account. Cash Management will also provide you with procedures to process your credit card transactions and help you develop procedures to manage these activities.
- Departments or schools that have existing applications that accept credit card data must be compliant with the Payment Card Industry (PCI) Data Security Standards.
- Departments and Schools that desire to start accepting online transactions should have the verification take place using Harvard's Credit Card Service. The server will be responsible for maintaining compliance with PCI data security requirements and with standards for fraud prevention established by Cash Management. Your application or web site will receive an authorization code or a rejection code. Please note that your local business practices and website that links to the server also must conform to PCI standards.
- Using this method means that Harvard University never actually retains the credit card information and does not have to deal with the security of this sensitive data. Customer chargebacks can also be processed through the server.
Phone, Mail, And Fax Credit Card Transactions
- If you accept credit cards over the phone, by mail or via fax, you will need to do one of the following:
- Lease a point of sale terminal that allows you to enter credit card account numbers and expiration dates. The terminal uses the phone line or encrypted Internet connections to contact a service provider that will authorize the transaction. Work with Cash Management to use our preferred vendors.
- If you have a CyberSource account for use on a website, you may use their virtual terminal.
- Develop an application that your staff can use to enter transactions through the server described above. This is the preferred method because you don’t have to store credit card information electronically.
Physically Swiping Credit Cards
- Lease a point of sale terminal that allows you to enter credit card account numbers and expiration dates. The terminal uses the phone line or encrypted Internet connections to contact a service provider that will authorize the transaction. Work with Cash Management to use our preferred vendors.