Billing & Payment Policy
The purpose of this policy is to establish business processes and procedures for accepting payment cards at ORO Organic that will minimize risk and provide the greatest value, security of data, and availability of services to each university merchant account within the rules and regulations established by the Payment Card Industry (PCI) and articulated in the PCI Data Security Standards (DSS). Additionally, these processes are intended to ensure that payment card acceptance procedures are appropriately integrated with the companies financial and other systems.
In response to increasing incidents of identity theft, the major payment card companies created the Payment Card Industry Data Security Standard (PCI DSS) to help prevent theft of customer data. PCI DSS applies to all businesses that accept payment cards to procure goods or services. Compliance with this Standard is enforced by the payment card companies and generally, noncompliance is discovered when an organization experiences a security breach that includes cardholder data.
The customer to whom a payment card has been issued or the individual authorized to use the card.
- Cardholder Data
All personally identifiable data about the cardholder (i.e., account number, expiration date, cardholder name.)
- Cashiering Services
ORO Organic that approves all third-party service providers and coordinates the policies and procedures for accepting payment cards.
The process of converting information into an unintelligible form to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure.
- Merchant or Merchant Department
For the purposes of the PCI DSS and this policy, a merchant is defined as ORO Organic or other entity that accepts payment cards bearing the logos of any of the five members of the Payment Card Industry Security Standards Council (American Express, Discover, JCB, MasterCard orVISA) as payment for goods and/or services, or to accept donations.
- Merchant Department Responsible Person (MDRP)
A management employee within a department who has primary authority and responsibility for payment card and eCommerce transaction processing within that department.
- Payment Card
Any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or VISA, Inc.
- Payment Card Account Change
Any change in the payment account including, but not limited to:
- the use of existing payment card accounts for new purposes;
- the alternation of business processes that involve payment card processing activities;
- the addition or alteration of payment systems;
- the addition or alternation of relationships with third-party payment card service providers, and
- the addition or alternation of payment card processing technologies or channel
- Payment Card Industry (PCI) Data Security Standard (DSS)
A multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
- Sensitive Authentication Data
Security-related information (card validation codes/values, full magnetic-stripe data, or personal identification number (PIN)) used to authenticate cardholders, appearing in plain-text or otherwise unprotected form.
This policy applies to all ORO Organic employees, contractors, consultants or agents who, in the course of doing business on behalf of ORO Organic, accept, process, transmit, or otherwise handle cardholder information in physical or electronic format.
This policy applies to all ORO Organic departments and administrative areas which accept payment cards.
ACCEPTABLE PAYMENT CARDS
ORO Organic currently accepts all major credit cards to include VISA, MasterCard, Discover and American Express Card and has negotiated contracts for processing payment card transactions.
PROHIBITED PAYMENT CARD ACTIVITIES
ORO Organic prohibits certain credit card activities that include, but are not limited to:
- accepting payment cards for cash advances
- discounting a good or service based on the method of payment
- using a paper imprinting system
PAYMENT CARD FEES
Each payment card transaction will have an associated fee charged by the credit card company. Payment card fees will be allocated to by the Merchant Department.
When a good or service is purchased using a payment card and a refund is necessary, the refund must be credited back to the account that was originally charged. Refunds in excess of the original sale amount or cash refunds are prohibited.
- Departments and administration of ORO Organic are subject to the Payment Card Industry Data Security Standards (PCI DSS).
- ORO Organic prohibits the transmission of cardholder data or sensitive authentication data via email.
- ORO Organic requires that all external services providers that handle payment card information
be PCI compliant.
- ORO Organic restricts access to cardholder data to those with a business “need to know.”
- For electronic media, cardholder data shall not be stored on servers, local hard drives, or external (removable) media including floppy discs, CDs or thumb (flash) drives unless encrypted
and otherwise in full compliance with PCI DSS.
- For paper media, cardholder data shall not be stored unless approved for legitimate business
Merchant Department Responsible Persons (MDRPs) are responsible for:
- Executing on behalf of the relevant Merchant Department, Payment Card Account Acquisition or Change Procedures.
- Ensuring that all payment card data collected by the relevant Merchant Department in the course of performing ORO Organic business, regardless of whether the data is stored physically or electronically is secured. Data is considered to be secured:
- Only those with a "need-to-know" are granted access to payment card and electronic payment data;
- Email should not be used to transmit credit card or personal payment information. If it should be necessary to transmit credit card information via email only the last four digits of the credit card number can be displayed;
- Credit card or personal information is never downloaded onto any portable devices or media such as USB flash drives, compact disks, laptop computers or personal digital assistants;
- Fax transmissions (both sending and receiving) of credit card and electronic payment information occurs using only fax machines which are attended by those individuals who must have contact with payment card data to do their jobs;
- The processing and storage of personally identifiable credit card or payment information on ORO Organic computers and servers is prohibited;
- Only secure communication protocols and/or encrypted connections to the authorized vendor are used during the processing of eCommerce transactions;
- The three or four digit validation code printed on the payment card is never stored in any form;
- The full contents of any track data from the magnetic stripe are never stored in any form;
- The personal identification number (PIN) or encrypted PIN block are never stored in any form;
- The primary account number (PAN) is rendered unreadable anywhere it is stored;
- All but the last four digits of any credit card account number are masked when it is necessary to display credit card data;
- All media containing payment card or personal payment data is retained no longer than a maximum of six (6) months and then destroyed or rendered unreadable; and
- Notifying the ORO Organic Director, Information Security Management and Compliance
(800) 881-0561 in the event of suspected or confirmed loss of cardholder data. Details
of any suspected or confirmed breach should not be disclosed in any email
Information Technology Services shall regularly monitor and test the ORO Organic Network and coordinate the companies compliance with the PCI Standard’s technical requirements and verify the security controls of systems authorized to process credit cards.
The Director, Information Security Management and Compliance shall maintain currency with the
requirements of the PCI DSS and related requirements to ensure that this policy remains current and shall coordinate and lead any campus response to a security breach involving cardholder data.
Delivery charges will be shown at the time of order and we try to provide accurate pricing for this. ORO Organic however reserve the right to change delivery charges subsequent to your online order if we discover a mistake in our pricing, we do not deliver to your area, or other information comes to light that would affect our delivery costs. You will of course be informed in such circumstance.