Policies and Procedures

POS Device User Procedures

Parent Policy: Technology Use Policy

All BYU employees are required to adhere to the following standard operating procedures when using Dining Services point-of-sale (POS) devices:

1. User Accounts on POS Devices
Employees must use their personal POS login whenever using a POS device. Employees who do not have a POS login are not authorized to use Dining Services POS devices.

2. Personal Accounts
a. Employees may not use a POS device to make a transaction to or from their personal accounts. When an employee makes a purchase (e.g. to pay for personal services or make a BYU card deposit), another employee must log in on the POS device and execute the transaction.

b. It is illegal to defraud a contract by transferring funds from a closed meal plan (i.e. carryover funds for a past plan) to an open plan or personal account.

3. POS Manual Input of BYU Card Numbers
a. Employees typically only accept BYU cards as payment when the card is present, using an HID or magstripe reader connected to the POS device.

b. Employees may manually type the BYU card number into the POS interface if (1) the card is present and the employee reads the number from the card OR (2) the customer is using the BYU ID Card feature on the BYU app, and the employee reads the number from the customer's device.

4. PCI Compliance
a. Employees must follow BYU and Dining's guidelines relating to PCI compliance, including BYU's Merchant Credit Card/E-Commerce Policy and associated procedures. It is essential that each employee understand the importance of Payment Card Industry (PCI) compliance. This ensures the safety of our customers' credit card information and maintains the integrity of our payment systems.

b. Employees may never write down, copy, or take pictures of any credit cardholder data (cardholder name, card number, or expiration date). If card information needs to be manually entered into a POS system, employees should enter all cardholder data directly into a validated and secured credit card terminal.

c. If taken over the phone, credit cardholder information must be taken using a physical phone on a non-recorded line.

d. Employees will complete BYU's PCI DSS Training before receiving POS access (or handling cardholder data) and annually thereafter.

5. Exceptions
a. VenueNext POS (used in Concessions) is exempted from procedure 1. General login codes are authorized for use by quasi-employees (e.g. subcontractors, volunteers) on VenueNext devices. These devices do not have a manual card entry option.

b. Food To-Go and Catering employees are exempted from procedure 4(b) when following these procedures approved by BYU Treasury Services for their area regarding orders taken over the phone:

  • Cardholder data may only be stored for one authorized POS transaction and for no longer than one week.
  • Cardholder data may not be stored digitally.
  • If there is physical (paper) cardholder data that needs to be kept for any amount of time, it must be locked in a safe with access limited to only authorized individuals. When no longer needed, all hardcopy (paper) that contains cardholder information must be shredded using a crosscut shredder prior to disposal.
  • A log must be kept of each time stored cardholder data is accessed or destroyed.
  • The office supervisor or manager is responsible for ensuring cardholder data is not stored longer than allowed by these procedures. Dining Technology will audit areas that store cardholder data quarterly to ensure these procedures are followed.

Disclaimer: By using a Dining Services POS device or handling customer cardholder data, employees are subject to these standard operating procedures. Dining Services reserves the right to modify these procedures at any time. Misuse of POS devices will be taken seriously.

Standard Operating Procedures