Payment Card Acceptance


Getting Started:

Business Affairs provides credit card and eCheck payment processing services and assists campus merchants with Payment Card Industry rules compliance.

If your department would like to accept credit card or eCheck payments, follow these steps:

  1. Read the UO Payment Card Acceptance Policy
  2. Select a Processing Method
  3. Complete the Payment Card Acceptance Request Form
  4. Before contracting with a third party for card processing services, complete the Third Party Credit Card Processor Authorization Request Form.
  5. Before connecting a payment card terminal or other card processing device to the university network, provide the model and serial number, MAC address, building name, room number, jack number and IP address to Network and Telecom Services.
  6. Participate in annual security awareness training.
  7. Establish and maintain merchant operating procedures.
  8. Perform your annual PCI compliance self assessment (see Merchant Requirements)

Selecting a Processing Method:

  1. Customer online payments using QuikPAY. We highly recommend this method because:
    • No transaction fees (just merchant discount fees 2-3%)
    • Custom order form created and hosted by BAO at no charge
    • Real time online transaction reporting
    • Automatic daily Banner deposit
    • No merchant account application
    • Annual merchant self assessment performed by BAO
  2. Customer online payments using another vendor. You may wish to contract with another vendor who provides features and functions not available with QuikPAY. Before executing a contract, your vendor must be approved by Business Affairs, and you must complete the Third Party Credit Card Processor Authorization Request Form. Look for your service provider on Visa's global registry of approved service providers.
  3. Payment Card Terminal. This method is safest for card-present, over-the-counter transactions or for mail and telephone orders when a cash register is not needed. Terminals can be leased or purchased through the Cashiers office. Wireless, battery-powered, cellular-connected terminals are available if portability is needed. Terminals connected using an analog phone line or a private cellular network qualify for SAQ B. Card swipe terminals connected to Ethernet must be reported to BAO and Information Services. They qualify for SAQ B-IP, must be placed by Information Services on a PCI VLAN and protected by a firewall, and require quarterly vulnerability scans performed by an Approved Scanning Vendor (ASV); request these scans through BAO.
  4. Point of Sale Solution. Operations that require a cash register (such as food services) or unmanned kiosks (such as parking) generally acquire and install a point of sale (POS) solution from a third party service provider. Before executing a contract, your vendor must be approved by Business Affairs, and you must complete the Third Party Credit Card Processor Authorization Request Form. Look for your solution on the PCI Council's list of PA-DSS validated payment applications. US Bank offers a fully hosted, low-cost, tablet-based POS solution called talech retail; if interested, contact Business Affairs to arrange a demonstration.
  5. Mobile Payment Processing. Vendors now offer sleeves, dongles and software that process customer cards on a mobile phone. The PCI Security Standards Council (SSC) is slowly validating some of the most secure mobile solutions, which encrypt at the read head and prevent the phone's OS from accessing customer card data. US Bank offers a mobile payment solution called Virtual Merchant Mobile which encrypts at the read head; it is not yet validated by the PCI SSC, but it is available to university merchants.

    University Merchant Requirements:

    University merchants must:

    1. Comply with the UO Payment Card Acceptance Policy
    2. Comply with the university merchant banking service agreement (Elavon/US Bank)
    3. Never store cardholder data on university computers or on portable devices and media.
    4. Never accept customer card information by email or on a multi-function printer/copier/fax machine.
    5. Self-assess and validate compliance with PCI Rules annually by March 31st.
    6. Ensure all employees involved in card processing participate annually in security awareness training.
    7. Before contracting with a third party for card processing services complete the Third Party Credit Card Processor Authorization Request Form.  Comply with PCI DSS requirement 12.8 by ensuring the required language is included in the contract, maintaining a list of service providers, obtaining a document that identifies which requirements the merchant and service provider are responsible for, and obtaining evidence each year from service providers that they remain compliant.
    8. Before connecting a payment card terminal or other card processing device to the university network, provide the merchant ID number, model and serial number, MAC address, building name, room number, jack number and IP address to Business Affairs and Network and Telecom Services.
    9. Develop, maintain and implement merchant operating procedures (see below)

    Merchant Operating Procedures

    To comply with PCI rules each campus merchant must maintain and implement their own set of unit operating procedures. Here are example procedures:

    1. Roles and Responsibilities for protection of cardholder data.
      1. Unit Security Officer is responsible for understanding and enforcing PCI rules and in the event of a data breach for following the university incident response procedure. Must participate in security awareness training annually.
      2. Cashier is responsible for processing card transactions, protecting and confidentially recycling paper records containing cardholder data. Must participate in security awareness training annually.
      3. Customer Service Representative (CSR) is responsible for processing card transactions, protecting and confidentially recycling paper records containing cardholder data. Must participate in security awareness training annually.
      4. Business Manager is responsible for understanding PCI rules, the unit self-assessment and attestation of compliance status each year to Business Affairs. Responsible for ensuring that contracts with third parties contain language holding them responsible for safeguarding customer card data, and for ensuring third party processors maintain PCI compliance status from year to year. Must participate in security awareness training annually.
      5. Accountant is responsible for recording deposit of revenue in Banner, and for reconciling all revenue recorded in Banner FIS with revenue reported in the payment card transaction system.
    2. Methods by which cardholder data is accepted/not accepted. We accept cardholder data in person, by phone, fax, US mail, or e-commerce. Never by email or campus mail.
    3. How cardholder data is handled when received.
      1. Phone - transaction is processed on payment card terminal by Customer Service Representative (CSR) while the customer waits on the phone. No paper record is created.
      2. Fax - CSR retrieves document from fax machine as soon as it is received, and immediately processes the card transaction using payment card terminal. Immediately after processing, the card number is removed from the document (cut out or remove entire page) and confidentially recycled before filing.
      3. US Mail - When a letter is opened that contains cardholder data, it is hand delivered to the CSR, who immediately processes the card transaction using the payment card terminal. Immediately after processing, the card number is removed from the document (cut out or remove the entire page) and confidentially recycled before filing.
      4. eCommerce - customer enters card data using their own device, in a web payment form fully hosted by a third party who immediately processes it on behalf of the university. University employees never have access to cardholder data.
      5. eMail - If a customer sends their card number by email, the message is deleted without processing (do not reply to or forward it, since that would re-send the card number), and the customer is contacted to provide card data by a secure method such as telephone.
    4. Step-by-step procedure on how to process a transaction.
      1. Payment card terminal - Detailed steps for evaluating the customer card and signature, processing a typical transaction using a specific make and model of card swipe device or cash register, and procedure for issuing a refund.
      2. eCommerce - customer enters card data using their own device, in a web payment form fully hosted by a third party who immediately processes it on behalf of the university. University employees never have access to cardholder data. Refunds are requested by sending an email to the university cashier cashiers@uoregon.edu with the transaction ID, amount, cardholder name and date.
    5. Security of paper records containing cardholder data. We avoid creating paper records that contain cardholder data. Records received by mail that cannot be processed immediately are kept in a locked office or cabinet until they are processed. Immediately after processing, the card data is removed from the document and confidentially recycled.
    6. Third party compliance. The unit business manager obtains approval from Business Affairs before contracting with any third party service provider for card processing services or applications. The unit business manager works with PCS to ensure that contracts contain an acknowledgement that the service provider is responsible for the security of the cardholder data it possesses, stores, processes or transmits on behalf of the university. The unit business manager verifies each year that the service provider remains PCI DSS compliant by obtaining evidence such as an Attestation of Compliance or Report on Compliance, and maintains a document that identifies which PCI requirements the merchant and the service provider are each responsible for.
    7. Data breach response. In the event of a data incident where customer card data may have been exposed to unauthorized individuals, the unit security officer and business manager execute the university Data Security Incident Response Plan (below).
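The rules above (never accept cardholder data by email, delete any message that contains a card number without processing it, never store cardholder data) are easier to enforce if the unit's mailbox or ticketing system can recognize a primary account number when it arrives. The script below is an added example written for this page; it is not code from the university or from any vendor named here. It finds candidate 13-19 digit numbers, discards those that fail the Luhn mod-10 check (which removes most tracking numbers, phone numbers and order IDs that would otherwise be false positives), masks survivors to the first six and last four digits (the most PCI DSS permits to be displayed), and returns the action the procedures above prescribe. The regex, function names and sample messages are constructed for the example; the card numbers in the samples are the public test numbers published by the card brands, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits. Pattern constructed for this example.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _candidates(text: str):
    """Yield (match, digits) for each regex hit that is a Luhn-valid 13-19 digit PAN."""
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            yield m, digits


def find_pans(text: str) -> list:
    """Return the unmasked PANs found in text; callers must never log this value."""
    return [digits for _, digits in _candidates(text)]


def redact(text: str) -> str:
    """Return text with every Luhn-valid PAN replaced by its masked form."""
    out, last = [], 0
    for m, digits in _candidates(text):
        out.append(text[last:m.start()])
        out.append(mask_pan(digits))
        last = m.end()
    out.append(text[last:])
    return "".join(out)


def triage_message(subject: str, body: str) -> dict:
    """Decide what the unit should do with an inbound message, per the procedures above."""
    pans = find_pans(subject + "\n" + body)
    if pans:
        action = "delete without processing; contact customer by phone for card data"
    else:
        action = "none"
    return {
        "contains_pan": bool(pans),
        "masked": [mask_pan(p) for p in pans],   # safe to record in a ticket
        "action": action,
    }


# Constructed sample messages (card numbers are the brands' published test numbers).
SAMPLE_MESSAGES = [
    {"subject": "Workshop registration",
     "body": "Please charge 4111 1111 1111 1111, exp 12/29, for two seats."},
    {"subject": "Order 18832 shipped",
     "body": "Tracking number 1234567890123456 should update tonight."},
    {"subject": "Invoice 4471",
     "body": "Card on file ending 0005; call me at 541-346-3165 to process."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage_message(**msg)
        print(msg["subject"], "->", result["action"], result["masked"])
```

Only the masked form is returned for record keeping, so a ticket noting that a customer emailed a card number never itself becomes stored cardholder data. The Luhn check is a filter, not proof: a number that passes could still be a coincidence, so the action is always to delete and re-contact the customer, never to process.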

    Payment Card Terminal Security

    The unit security officer and business manager will:

    1. Become familiar with the PCI Council Skimming Prevention Best Practices.
    2. Train all personnel who operate a point of sale terminal to inspect the terminal before the first transaction of each day.
    3. Report suspicious behavior, such as unexpected repair technicians, bribes, coercion and signs of device tampering or substitution to the university cashier.
    4. Take pictures of the body of the card swipe terminal, and all cables and connections to compare during inspections.
    5. When inspecting the terminal look for; damaged or altered seals, missing mfg labels, missing or damaged screws, incorrect keyboard overlays, external wires, damage to the housing, incorrect serial number, anything else out of the ordinary.
    6. Report all performance issues to the university cashier.
    7. Ensure wireless terminals are not Wi-Fi enabled.
    8. Physically secure the payment terminal. Place payment terminals in a manner that offers the greatest level of security, observation and monitoring. When not in use, lock them in an office or cabinet; when unattended for brief periods, place them behind the public service counter. Where practical, use cable locks to prevent the terminal from being replaced and run terminal connections in conduit.
    9. Look out for hidden cameras installed in false ceilings or leaflet and charity boxes next to PIN pads.

    Payment Card Terminal Operators will:

    1. Use the Payment Terminal Evaluation Forms (or something similar) to physically inspect all payment terminals before the first transaction each business day.
    2. Take a quick look for broken or discolored surfaces, changed serial number, ripped security labels, altered cables, and any other sign of tampering or swapping.
    3. Refer to Payment Terminal Skimming Prevention for images depicting tampering
    4. Contact the university cashier before updating, servicing, or returning a card terminal.


    SAQ Instructions

    Which SAQ applies depends on how the merchant accepts cards. Each SAQ below lists its eligibility criteria followed by the PCI DSS requirements (1-12) it covers:

      1. SAQ P2PE. The merchant does not have access to clear-text cardholder data on any computer system and enters account data only via hardware payment terminals from a PCI SSC-listed P2PE solution. Requirements: 3, 9, 12.
      2. SAQ A. E-commerce; the customer pays online using their own device and all cardholder data functions are outsourced. The merchant site neither hosts the payment form nor delivers scripts that help render the payment form or transmit card data. Note: BAO prepares SAQ A on behalf of all departments using QuikPAY. Requirements: 9, 12.
      3. SAQ A-EP. E-commerce; the customer pays online using their own device and all payment processing is outsourced, but the merchant website creates the payment form and the payment data is delivered directly to the payment processor (Direct Post), or the merchant website delivers a script that runs in the customer's browser and supports creation of the payment page or transmission of data to the payment processor. Requirements: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
      4. SAQ B. Card swipe terminal connected via analog phone line or cellular network, with no electronic cardholder data storage. Requirements: 3, 4, 7, 9, 12.
      5. SAQ B-IP. Card swipe terminal connected via Ethernet/IP, with no electronic cardholder data storage. Requirements: 1, 2, 3, 4, 6, 7, 8, 9, 11, 12.
      6. SAQ C-VT. Web-based virtual terminal with no electronic cardholder data storage; typically a PC running a web browser that connects to a payment site hosted by a third party. Card data must be entered with the keyboard, not a magnetic stripe reader. Requirements: 1, 2, 3, 4, 5, 6, 7, 9, 12.
      7. SAQ C. Payment application system connected to the internet, with no electronic cardholder data storage. The payment application must be segmented from other devices on the university network, and the physical location of the POS environment is not connected to other premises or locations. Requirements: 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12.
      8. SAQ D. All other payment processing methods and environments not eligible for SAQ A through C above. SAQ D contains all 12 PCI DSS requirements and all of their sub-requirements. Requirements: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

    The requirement lists above reflect the SAQ revision in effect when this page was written. Later SAQ revisions add requirements to some forms (for example, SAQ A and SAQ C-VT later gained Requirement 8), so confirm against the current SAQ documents on the PCI SSC document library before completing your annual self-assessment.

      References:

      Need a Merchant ID?

      To process customer credit cards a campus merchant must have a bank account for the deposit of settled funds. State law requires that public funds (university funds) be deposited directly into a Treasury account. The university Cashier can assist campus merchants with requests for new merchant bank accounts or merchant IDs (MIDs).

      Separate MIDs are required for separate physical business locations, separate DBA names, and for internet vs. card present transactions.


      The following information is needed to request a MID for internet payment processing:

      1. Department contact name, phone, fax, street address
      2. Business Name to appear on customer card statement (max 32 characters) example: U of O Public Safety
      3. Anticipated transaction volume per week
      4. Average transaction value $
      5. Description of product or service
      6. Phone number to appear on customer card statement
      7. Will you accept Discover Yes or No
      8. URL of web page containing:
        1. customer service phone number
        2. return and refund policy
        3. delivery method and time frame
        4. privacy statement (customize sample at https://ba.uoregon.edu/staff/electronic-commerce-privacy-statement)
        5. make payment page (must begin with https://)
      9. Tech support name, phone, fax


      The following information is needed to request a MID for card present transactions (Card swipe machine):

      1. Contact name, phone number & fax number.
      2. Street address you would like the terminal/software/materials delivered to (usually University Cashier).
      3. Mailing address.
      4. Doing Business As DBA Name to show on customer card statements. Max 24 characters example U of O School of Music
      5. Estimated start date.
      6. Sales volume expected: $ monthly, # transactions monthly.
      7. Percentage of transactions over the counter (card present), Percentage Mail/Telephone orders
      8. Average transaction dollar amount.
      9. Do you want pin debit options Yes or No?
      10. Product or service?
      11. Delay in shipping product policy (not applicable for services)
      12. Phone number to appear on customer card statement.
      13. Do you wish to accept Discover? Yes or No
      14. Do you wish to accept American Express? Yes or No

      On-line Order Form Required Elements

      The following items are required for any university credit card order form:

      1. Business name including UO affiliation
      2. Customer service telephone number and email address
      3. Warning stating the University of Oregon will not process card numbers submitted by email. Please do not send sensitive private data by email.
      4. Return and refund policy
      5. Delivery method and time frame (if applicable)
      6. Link to university privacy statement https://ba.uoregon.edu/staff/electronic-commerce-privacy-statement
      7. Listing of products and prices in US dollars.
      8. TLS encryption: the order form and payment pages must be served over https://
      9. The domain must be registered to the merchant.
      10. English translation for foreign language sites

      Data Security Incident Response Plan

      Data security can be compromised in a variety of ways:

      • Malware infection allowing unauthorized remote access into the system or unauthorized retrieval of data.
      • Unintended disclosure on a public website or through physical or electronic mail.
      • Payment card fraud involving skimming devices at point of sale terminals
      • Lost or stolen paper documents or computing equipment (laptop, PC, or backup media).

      In the event that paper or electronic records containing sensitive data are potentially exposed to unauthorized persons, the following protocol shall be executed.

      Affected Unit:

      1. Immediately contain and limit the exposure of data. Isolate compromised systems from the network (e.g., unplug the cable). Preserve electronic evidence. Do not shut down, reboot, access or otherwise alter the machine.
      2. Alert the general counsel, the Information Services Security Team, and appropriate records custodian(s).
      3. Conduct a thorough investigation of the suspected exposure and maintain a log of all actions taken.
      4. Provide the records custodian(s), Information Services Security Team and General Counsel with an incident report identifying all information at risk and the source and timeframe of the compromise.
      5. Notify affected customers if directed by General Counsel.
      6. Remediate as directed by Information Services Security Team and the Records Custodian(s).


      Information Services Security Team: (electronic records only)

      1. Gather information from affected unit to determine what sensitive data was exposed and when.
      2. Create incident ticket and alert the appropriate records custodian(s).
      3. Determine root cause. Forensics on cloned hard drive, system log review, analysis of systems running in memory.
      4. Determine data exfiltration. Network and system log review.
      5. Remediate and return system to operation. Recommend how affected unit should clean the system.
      6. Report all findings to the Data Security Incident Response Team.
      7. Review Information security program for adequacy of policy, standards and controls.

      Data Security Incident Response Team: (Dean/Dir of the affected unit, records custodian(s), CISO, VP Agent, General Counsel, Media Relations, Public Records, Chief Auditor and Public Safety)

      Consider evidence provided by the affected unit, the records custodian and CISO, and determine whether or not the following actions are warranted:

      1. Engage law enforcement (local police and, where warranted, federal agencies such as the FBI).
      2. Notify affected customers.
      3. Notify other third parties for breaches involving credit cards, educational records, health records, research subject data, donor information, or other records.

      Records Custodian:

      Student records: Registrar
      Employee records: Chief Human Resources
      Credit card or bank account data: AVP Business Affairs
      Personal health records: Director, Health Center
      Human subject data: Director, Human Research Protection Program

      The records custodian will:
      1. Notify and report to other parties as required by rule or law.
      2. Work with Media Relations and General Counsel on customer notification text and scripts.
      3. Prepare a post mortem report with action log and remediation plan for affected unit.

      The Data Security Incident Response Team will evaluate and evolve this plan based on lessons learned in responding to potential breaches.

      Security Awareness Training

      Employees directly or indirectly (managers) involved in credit card payment acceptance (all methods) must participate in security awareness training.

      This training is also recommended for IT and business professionals involved in PCI compliance and the annual self-assessment process.

      1. Security Awareness Training Registration (Making Tracks)
      2. Security Awareness Training Handout

      Resources