REQUIREMENTS FOR PROCESSING CREDIT CARD PAYMENTS FOR OSUMC CME ACTIVITIES

Regardless of the subject or the sponsor, coordinators for CME conferences very often follow the same procedures for recruiting participants to their activities. There is the conference brochure with a conference registration form attached. This brochure is often printed, but digital versions that are emailed to prospects are becoming more and more popular. Included on the form are instructions for paying the registration fee. Acceptable forms of payment are checks, money orders, and credit cards.

Did you know that The Ohio State University has a policy that applies to individuals that handle or manage credit card transactions? The University’s Payment Card Compliance Policy (http://busfin.osu.edu/FileStore/PDFs/515_CreditCard.pdf) is intended to protect customer cardholder data and the University from a cardholder breach (think Target, American Express, Home Depot, or Citibank).

Compliance with the Payment Card Policy means more than locking up payment card information. Compliance requires making major changes in the way credit card payments are accepted.  The first step may be redesigning that registration form and limiting the number of individuals who handle that form once it is received.  You never want that registration form to be a self-mailer, especially if it will have payment card information on it.  And you never want that form to be faxed or emailed back to you with payment information.  The simple reason for these restrictions is the potential for too many other individuals to access this information.

The ideal solution is for the cardholder to conduct the entire transaction without needing to reveal account numbers and PINs to an intermediate party. The Center for Continuing Medical Education has such a solution with its online registration and payment website, and all CME conference coordinators are encouraged to use this system. Still, mailed registration forms remain very common, as are registrations received by telephone. Both obligate the cardholder to provide payment card account information to that intermediate party – the individual or organization between the cardholder and the processing bank.

The University’s Payment Card Policy has requirements for individuals and organizations that act in this intermediate manner. This policy sets the requirements for the use of payment card terminals, including virtual terminals; requires individuals who conduct payment card transactions to complete the PCI Compliance computer-based learning (CBL) module; and defines how, and by whom, payment card information may be managed. If you are managing credit card payments, you must complete the PCI CBL and submit to an audit of your procedures for handling and securing credit card information. It is no longer an option for you to ask CCME staff to process bank card payments. CCME staff will direct you or the registrant to the activity website to complete the payment process.

In short, the Payment Card Policy should make CCME’s conference registration system a far more practical and safer means of collecting payments from your registrants.