Handling Credit Card Responsibly
SEAS Information Security Office

University Credit Cards
Harvard University credit cards include:
• Purchasing Cards
• Corporate Cards

Credit Card Holder’s Responsibilities
• Protect the credit card from loss and theft.
• Do not allow others to make purchases using your University credit card.
• Do not share PCards among units.

Responsibilities – Cont’d
• Employees, students and non-employees incurring expenses on behalf of the University are responsible for complying with University policy and procedures.
• Individuals should exercise the same if not greater prudence and care in incurring expenses for the University as they would for their own personal expenses.
• Individual cardholders are liable for all charges made on their card.

Credit Card Handling Procedures
• The cardholder is accountable for proper use and management of any credit card data.
• Units should not maintain sensitive credit card data such as credit card numbers, card type, expiration, PIN, and card-validation codes.
• Obtain and provide original receipts.
• Pcard holders need to review all transactions in the settlement system - transactions are loaded daily.
• Upon termination of employment:
  – Pay all outstanding charges
  – Cancel recurring charges
  – Transfer payments to another valid payment source if necessary
  – Cancel and return card to administrator

Procedures – Cont’d
• No documents should be scanned with the complete credit card data visible.
• Scanned documents uploaded to a computer should have the credit card number redacted (blacked out so nothing other than the last 4 digits are visible).
• No Credit card information should be provided to any party, including any individuals claiming to be the owner of such data.
• Credit card numbers must always be submitted in a secure manner, using the Secure File Transfer.
• Use phone, if necessary.

Procedures – Cont’d
• iProcurement is the preferred method of purchasing at SEAS.
• When necessary use a University desktop to process purchases with credit cards.
• If you must use a laptop, avoid wireless (especially public) capability and use SEAS VPN (Information Security info on SEAS VPN)
• Credit Card data should NOT be maintained on a Harvard SEAS computer.
• Do not keep a copy of credit card data on a portable media device (iPhones, laptops, etc.).

Example
• To store credit card information, you can use initials of the persons whose information it is and store it along with the first few digits of the number.
• Store this information on a SEAS encrypted flash drive which may be obtained from the SEAS Information Security Office.
• Store the last four digits of the credit card number on paper in a locked file cabinet. Re-lock this cabinet after finished using the information.

Credit Card Sharing Incident
• Recently one University credit card number was stolen twice in six months.
• Card information was found posted on the wall for convenience of lab members.
• Lessons Learned:
  – Secure ALL credit card information and store in a safe place and encrypted.
  – It is the cardholder’s responsibility to protect the card from loss and theft

Card Security Tips
• Always keep a copy of the receipt in case of over-charging or mishandled orders.
• Opt to receive monthly statements online.
• Never provide card information in response to an e-mail requesting such information without confirming with actual company first.
• Review spending statements periodically. If you find a discrepancy, contact the vendor. If you see activity that you did not initiate, contact Citibank Fraud Department immediately, at 1-800-248-4553.

Using E-mail
Never send emails with credit card numbers.
Never request credit card information via e-mail – either call the customer or ask them to call you with the information.
If email is the only option available, SEAS Secure File Transfer (Information Security info on SFT) should be used instead.

E-mail – Cont’d
If a cardholder sends you credit card information via e-mail for an individual purchase, then:
• Process the credit card information per your procedure.
• Delete all information (including the email) and store only the last four digits of the card
• Respond back to the cardholder, deleting the credit card information in the body of your e-mail, to request them not to send credit card data through email.

Credit Card Processing Through Websites
Look for “https://” and padlock symbol in URL.
Print confirmation when finished.

In Case of Credit Card Incidents
In case of loss or theft, notify:
  – Citibank Customer Service, at 1-800-248-4553, and
  – Your local card administrator.
Transfer all standing orders/recurring transactions to a replacement card account.
In case of a fraudulent charge, the cardholder must contact the Citibank Fraud Department immediately, at 1-800-248-4553.

Misuse of Credit Cards
• Improper use of the University credit cards may result in disciplinary action up to and including termination of employment.
• Cardholders are responsible for the protection and proper use of cards.
• Cards may only be used by the individual whose name appears on the card.

Resources and Links
• SEAS Secure VPN: https://intranet.seas.harvard.edu/information-security/information-security-tools/secure-collaboration-tools/seas-virtual-private-network-vpn/?searchterm=vpn
• Secure File Transfer: https://intranet.seas.harvard.edu/it/service-guide/secure-file-transfer/?searchterm=secure

Questions? Comments? Concerns?