2009 UPenn PCI DSS Policy: Over-the-Phone Payment Card Acceptance

Document purpose

This policy outlines the University of Pennsylvania's requirements for accepting payment card information over the phone to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). All departments accepting credit/debit card payments via telephone must adhere to this policy to protect cardholder data and minimize institutional risk.

Effective

January, 2026

Revised

January, 2026

Reviewed

January, 2026

Responsible Office

Comptroller

Approval

The Policy

I. Purpose and Scope
This policy outlines the University of Pennsylvania’s requirements for accepting payment card information over the phone to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). All departments accepting credit/debit card payments via telephone must adhere to this policy to protect cardholder data and minimize institutional risk.


II. Policy Requirements by Payment Volume
All departments accepting payments over the phone are categorized based on their annual transaction volume. Compliance requirements differ significantly by category.

Annual Over-the-Phone Payments / Department Category / Required Compliance Action

  • Less than 50 payments (Low Volume): Must cease taking payments over the phone or find an alternative, PCI-compliant solution (e.g., online payment portals, in-person terminals, mail).
  • 50 payments or more (High Volume): Must transition to Sycurio (the University-approved VOIP descoping solution) to handle all over-the-phone transactions. This solution ensures cardholder data does not enter the departmental VOIP/IT environment.

III. Policy Details and Implementation

A. High Volume Departments (50+ Payments/Year)

  1. Mandatory Solution: Departments must implement and utilize Sycurio (a University-approved VOIP descoping solution) for all telephone-based payment card processing.
  2. Scope Reduction: The use of Sycurio is mandatory because it significantly reduces the department’s PCI DSS compliance scope by preventing sensitive cardholder data from being transmitted, processed, or stored within the university’s VOIP, network, and endpoint systems.

B. Low Volume Departments (< 50 Payments/Year)

  1. Cessation of Service: These departments must immediately plan to discontinue all over-the-phone payment card acceptance.
  2. Alternative Solutions: Departments must direct customers to secure, PCI-compliant alternative payment methods, such as:

     • UPenn’s centralized secure online payment portal.
     • In-person payments via an approved PCI-validated terminal.
     • Mail-in check payments.

  3. Prohibition: Department personnel are strictly prohibited from verbally collecting, writing down, or otherwise recording cardholder data (PAN, expiry, CVV) over the phone.

C. General Prohibition (Applies to All Departments)

Under no circumstances is the following allowed:

  • Recording: Recording (audio or video) of any conversations where cardholder data is exchanged.
  • Storage: Storing cardholder data (Primary Account Number – PAN, Expiration Date, CVV2) in any paper or electronic format (including spreadsheets, databases, local drives, or cloud storage).

IV. Compliance and Assistance

  • Non-Compliance: Failure to adhere to this policy may result in the revocation of payment acceptance privileges and potential departmental liability for any resulting security incidents or fines.
  • Contact Information: For official clarification, implementation guidance, assistance with Sycurio onboarding, or to discuss alternative payment solutions, departments must contact the Treasurer’s Office.

Please contact: dof-ccard@pobox.upenn.edu for additional information and next steps on compliance and implementation.