Discussion

Harvard recognizes that accepting credit cards improves customer service and brings efficiencies to the cash collection process. In addition, the use of credit cards is essential when sales are conducted electronically via the Internet. Individual credit card information is confidential; failure to maintain strict controls over this information could result in unauthorized use of a credit card number and serious problems for both the customer and the merchant.

In addition, credit card associations have mandatory merchant programs, referred to as the Payment Card Industry Data Security Standards ("PCI"), geared toward preventing cardholder fraud and identity theft. These programs require that each merchant be certified to be in compliance with PCI before accepting credit cards. The risks of non-compliance include substantial fines and penalties imposed on the University by the card associations, as well as reputational risk and liability for all losses incurred as a result of a security failure.

This policy is designed to determine when it is appropriate for payment cards to be accepted and to mitigate the inherent risks by mandating compliance with relevant standards and regulations.

Possible security breaches that are known or suspected to involve credit or debit card information must be immediately reported to Gene Madden at Harvard Cash Management (617 496-6130) or cash_management@harvard.edu.  Detailed instructions about reporting credit card breaches may be found at http://vpf-web.harvard.edu/otm/cm/ under PCI Security Breach Process. In exceptional circumstances, a person with knowledge of a breach or possible breach may want to report anonymously. The University Anonymous Reporting Hotline can be used in these cases.

All Harvard University schools, tubs, local units, Affiliate Institutions, Allied Institutions and University-wide Initiatives that process, store or transmit cardholder data must comply with this policy.