V802.07.02 Mobile Electronic Financial Transactions Policy and Procedures

Policy Statement

Valley City State University allows departments to accept credit cards through mobile payment devices for purchases of goods or services only in accordance with the procedures outlined in this document.

Definitions:

Mobile Online Payment (MOP) Applications – Those applications which can be downloaded and activated on an electronic mobile device such as a data phone, iPad, tablet, and/or laptop, and used to electronically process credit card transactions.

Device Specifications and Procedures:

1. The device and associated hardware such as the dongle and or card swipe device must be assigned to a specific, full-time, benefitted employee.

2. A list of devices used for mobile payment processing, along with who has authorized use must be maintained by the business office.

3. All data devices that are used for online payment processing must be labeled with the owner and contact information.

4. The mobile device must be a VCSU-owned mobile device with a data plan used solely for the purpose of processing payments. Only the payment application and the operating system software are allowed on the device.

5. Only devices approved by the VCSU Controller for Vice President of Business Affairs will be permitted for the use of processing mobile online payments.

6. The device used must have the ability to be remotely wiped or “killed”, in the event the device is lost or stolen.

7. The device must be password-protected.

8. The device must have encryption capabilities.

9. The device must only use the data connection through a VCSU cellular data plan. Wireless connection is not permitted.

10. Bluetooth and wireless (WiFi) capabilities must be turned off or disabled.

11. The device used for mobile electronic credit card processing must only be used by those who are authorized by the VCSU Business Office and have completed the training requirements of NDUS Procedure 1202.1 Data Classification and Information Security Standard.

12. When the phone and dongle or card swipe device, and or signature pad is not being used for online financial transactions, the phone must be powered off, and stored in the VCSU Business Office vault.

MOP Application procedures:

1. The MOP application and card-reader used must be approved by the Bank of North Dakota (VCSU) or Acquiring bank (VCSU Foundation) for processing electronic payments securely.

2. The application must require authentication and authorization (e.g., login and password). The application must have the capability to purge transaction data after the required 90 day period when a charge can be disputed by the customer.

3. If an email address is required for using the application, the email address used on the phone device must be specific for payment-processing only. There will be one “owner” of this email account. The owner must be a full-time, benefited VCSU employee. This email address and accompanying account must be requested through the Technology Services department and approved by the VCSU IT Security Officer.

Lost or Stolen Phone Procedure:

1. Immediately activate the device to wipe or “Kill.”

2. Notify the following:

The VCSU Business Office
The cell phone carrier to request the device and associated data plan be cancelled and explain why.
Payment vendor
Acquiring bank
Valley City Police Department
VCSU IT Security Officer

Sponsor: Vice President for Business Affairs

Effective: August 2016