Payment Card Acceptance

Business Affairs provides credit card and eCheck payment processing services and assists campus merchants with Payment Card Industry rules compliance.

If your department would like to accept credit card or eCheck payments, follow these steps:

  1. Read the UO Payment Card Acceptance Policy
  2. Select a Processing Method
  3. Complete the Payment Card Acceptance Request Form
  4. Before contracting with a third party for card processing services complete the Third Party Credit Card Processor Authorization Request Form.
  5. Before connecting a payment card terminal or other card processing device to the university network, provide the model and serial number, MAC address, building name, room number, jack number and IP to Network and Telecom Services.
  6. Participate in annual security awareness training.
  7. Establish and maintain merchant operating procedures
  8. Perform your annual PCI compliance self assessment (see Merchant Requirements)

Selecting a Processing Method

  1. Online payments using QuikPAY. We highly recommend this method because:
    • No transaction fees (just merchant processing fees 2-3%)
    • Custom order form created and hosted by BAO at no charge
    • Real time online transaction reporting
    • Automatic daily Banner deposit
    • No merchant account application
    • Annual merchant self assessment performed by BAO
  2. 3rd party service provider other than QuikPAY. You may wish to contract with another payment vendor who provides features and functions not available with QuikPAY. Before executing a contract, your vendor must be approved by Business Affairs and complete the Third Party Credit Card Processor Authorization Request Form
  3. Payment Card Terminal. This method is safest for card present over the counter transactions or mail and telephone orders when a cash register is not needed. Terminals can be borrowed or purchased through the Cashiers office. Wireless, battery powered, cellular connected terminals are available if portability is needed. Terminals connected using analog phone line or private cell network qualify for SAQ B. Terminals connected to Ethernet qualify for SAQ B-IP, must be placed by Information services on a PCI VLAN, and protected by a firewall. They also require quarterly vulnerability scans performed by an approved scan vendor (ASV). This must be requested through BAO.
  4. Point of Sale Solution. Operations such as food services that require a cash register often procure a POS solution from a third party service provider. Before executing a contract, your vendor must be approved by Business Affairs and complete the Third Party Credit Card Processor Authorization Request Form. The university's merchant bank offers a tablet based POS solution called Talech. If interested, contact Business Affairs to arrange a demonstration.
  5. Mobile Payment Processing. Phone based card acceptance solutions are popular but risky because they are vulnerable to malware residing on the device. The university's merchant bank offers a solution that converts your phone or tablet into a secure mobile point of sale solution.

Payment Solution Comparison:

| Solution | Environment | Banner Deposit | Contract | Merchant Bank Account | Fees | PCI Compliance | Payment Method | Programming & Integration | Transaction Reporting |
|---|---|---|---|---|---|---|---|---|---|
| 1. eCommerce and QuikPAY | Customer online payment | Automatic | No | UO Online Payment | Bank processing fees ~2% | BAO ensures | Credit Card and/or eCheck | No | ecommerce.uoregon.edu |
| 2. Third party service provider | Varies | Manual TWADEPO | Must negotiate | Must request | Typically higher processing fees, plus transaction fees | BAO must approve and merchant must attest annually | Credit Card | No | Provided by third party. |
| 3. Payment Card Terminal | Card Present, Mail Order and Telephone Order | Manual TWADEPO | No | Must request | Bank processing fees ~2% | Merchant attests annually | Credit Card | No | US Bank Merchant Connect |
| 4. QuikPAY API | Customer online payment | Automatic | No | UO Online Payment | Bank processing fees ~2% | BAO ensures | Credit Card and/or eCheck | Your developer creates http post and processes a payment confirmation allowing updates to other systems. | ecommerce.uoregon.edu |
| 5. Flywire | International online payment | Manual TWADEPO | No | No | No | BAO ensures | Wire or Credit Card | No | Flywire |


University Merchant Requirements

University merchants must:

  1. Comply with the UO Payment Card Acceptance Policy
  2. Comply with the university merchant banking service agreement (Elavon/US Bank)
  3. Never store cardholder data on university computers or on portable devices and media.
  4. Never accept customer card information by email or on a multi-function printer/copier/fax machine.
  5. Self-assess and validate compliance with PCI Rules annually by March 31st.
  6. Ensure all employees involved in card processing participate annually in security awareness training.
  7. Before contracting with a third party for card processing services complete the Third Party Credit Card Processor Authorization Request Form.  Comply with PCI DSS requirement 12.8 by ensuring the required language is included in the contract, maintaining a list of service providers, obtaining a document that identifies which requirements the merchant and service provider are responsible for, and obtaining evidence each year from service providers that they remain compliant.
  8. Before connecting a payment card terminal or other card processing device to the university network, please provide the merchant ID number, model and serial number, MAC address, building name, room number, jack number and IP to mmccullo@uoregon.edu.  Also ask your local IT support to take these steps to tag the device in Netdot.
  9. Develop, maintain and implement merchant operating procedures (see below)
  10. Properly dispose of payment card terminals at the end of their useful life. Call Elavon terminals support 1-800-777-7240 for instructions to wipe the terminal's memory, then complete a Property Disposition Request and Campus Ops will properly dispose of it for you.

Merchant Operating Procedures

To comply with PCI rules, each campus merchant must maintain and implement their own set of written operating procedures. Here is a template to use that covers 90% of what is required:

UO Department Payment Card Procedures


Payment Card Terminal Security

Unit security officer, business manager will:

  1. Become familiar with the PCI Council Skimming Prevention Best Practices.
  2. Train all personnel who operate a point of sale terminal to inspect the terminal before the first transaction of each day.
  3. Report suspicious behavior, such as unexpected repair technicians, bribes, coercion and signs of device tampering or substitution to the university cashier.
  4. Take pictures of the body of the card swipe terminal, and all cables and connections to compare during inspections.
  5. When inspecting the terminal, look for: damaged or altered seals, missing mfg labels, missing or damaged screws, incorrect keyboard overlays, external wires, damage to the housing, incorrect serial number, anything else out of the ordinary.
  6. Report all performance issues to the university cashier.
  7. Ensure wireless terminals are not Wi-Fi enabled.
  8. Physically secure the payment terminal. Place payment terminals in a manner that offers the greatest level of security, observation and monitoring. When not in use, lock in office or cabinet. When unattended for brief periods, place behind public service counter. Where practical, use cable locks to prevent the terminal from being replaced and secure terminal connections in conduit.
  9. Look out for hidden cameras installed in false ceilings or leaflet and charity boxes next to PIN pads.

Payment Card Terminal Operators will:

  1. Use the Payment Terminal Evaluation Forms (or something similar) to physically inspect all payment terminals before the first transaction each business day.
  2. Take a quick look for broken or discolored surfaces, changed serial number, ripped security labels, altered cables, and any other sign of tampering or swapping.
  3. Refer to Payment Terminal Skimming Prevention for images depicting tampering
  4. Contact the university cashier before updating, servicing, or returning a card terminal.

SAQ Instructions

| SAQ | Eligibility | Requirements | Instructions |
|---|---|---|---|
| SAQ P2PE | SAQ P2PE merchants do not have access to clear-text cardholder data on any computer system and only enter account data via hardware payment terminals from a PCI SSC-approved P2PE solution. | 3, 9, 12 | Instructions |
| SAQ A | E-commerce, customer pays online using their own device and all card holder data functions outsourced. Merchant site does not host the payment form or send scripts that help render the payment form or transmit card data. Note: BAO will prepare this SAQ A on behalf of all departments using QuikPAY. | 9, 12 | Instructions |
| SAQ A-EP | E-commerce, customer pays online using their own device and all payment processing is outsourced. Merchant website creates the payment form and the payment data is delivered directly to the payment processor (Direct Post). Or merchant website delivers script that runs in customer browser which supports the creation of the payment page, or the transmission of data to payment processor. | 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 | |
| SAQ B | Card swipe terminal connected via analog phone line or cell phone network, with no electronic cardholder data storage. | 3, 4, 7, 9, 12 | Instructions |
| SAQ B-IP | Card swipe terminal connected via ethernet/IP, with no electronic cardholder data storage. | 1, 2, 3, 4, 6, 7, 8, 9, 11, 12 | Template |
| SAQ C-VT | Web-based virtual terminal, no electronic cardholder data storage. Typically a PC running a web browser to connect to a payment site hosted by a third party. Card data must be entered using the keyboard, not a magnetic strip reader. | 1, 2, 3, 4, 5, 6, 7, 9, 12 | Instructions |
| SAQ C | Payment application systems connected to the internet, no electronic cardholder data storage. The payment application must be segmented from other devices on the university network. The physical location of the POS environment is not connected to other premises or locations. | 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12 | Instructions |
| SAQ D | All other payment processing methods and environments not eligible for SAQ A through C above. SAQ D contains all 12 PCI DSS requirements and all 200 sub requirements. | 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 | Instructions |


Need a Merchant ID?

To process customer credit cards a campus merchant must have a bank account for the deposit of settled funds. State law requires that public funds (university funds) be deposited directly into Treasury account. The university Cashier can assist campus merchants with requests for new merchant bank accounts or MIDs.

Separate MIDs are required for separate physical business locations, separate DBA names, and for internet vs. card present transactions.

 

The following information is needed to request a MID for internet payment processing:

  1. Department contact name, phone, fax, street address
  2. Business Name to appear on customer card statement (max 32 characters) example: U of O Public Safety
  3. Anticipated transaction volume per week
  4. Average transaction value $
  5. Description of product or service
  6. Phone number to appear on customer card statement
  7. Will you accept Discover? Yes or No
  8. URL of web page containing:
    1. customer service phone number
    2. return and refund policy
    3. delivery method and time frame
    4. privacy statement (customize sample at /content/electronic-commerce-privacy-statement)
    5. make payment page (must begin with https://)
  9. Tech support name, phone, fax

The following information is needed to request a MID for card present transactions (Card swipe machine):

  1. Contact name, phone number & fax number.
  2. Street address you would like the terminal/software/materials delivered to (usually University Cashier).
  3. Mailing address.
  4. Doing Business As (DBA) name to show on customer card statements (max 24 characters), example: U of O School of Music
  5. Estimated start date.
  6. Sales volume expected: $ monthly, # transactions monthly.
  7. Percentage of transactions over the counter (card present), Percentage Mail/Telephone orders
  8. Average transaction dollar amount.
  9. Do you want pin debit options Yes or No?
  10. Product or service?
  11. Delay in shipping product policy (not applicable for services)
  12. Phone number to appear on customer card statement.
  13. Do you wish to accept Discover? Yes or No
  14. Do you wish to accept American Express? Yes or No

On-line Registration/Order Form Required Elements

The following items are required for any university credit card order form:

  1. Business name including UO affiliation
  2. Customer service telephone number and email address
  3. Warning stating the University of Oregon will not process card numbers submitted by email. Please do not send sensitive private data by email.
  4. Return and refund policy
  5. Delivery method and time frame (if applicable)
  6. Link to university privacy statement /content/electronic-commerce-privacy-statement
  7. Listing of products and prices in US dollars.
  8. SSL encryption https://
  9. The domain must be registered to the merchant.
  10. English translation for foreign language sites

Data Security Incident Response Plan

See the Information Security Office page for information about the university's Information Security program and Incident response procedure.


Security Awareness Training

Employees directly or indirectly (managers) involved in credit card payment acceptance (all methods) must participate in PCI security awareness training annually.

To register, search for PCI security awareness in the My Track Learning Library.

There is a shortened version for payment clerks.


Resources


Service Advisory Board

QuikPAY Service Advisory Board


International Payments

If the product or service being paid for is primarily intended for international customers paying online rather than in person, and the average payment amount is high, then we recommend using Flywire.  Flywire provides the customer the ability to pay using their native currency with favorable wire fees and international exchange rates.  Flywire also provides the option of credit card payment with the card processing fees paid for by the customer rather than the university department.  To get started with Flywire or discuss international payment options please contact cashiers@uoregon.edu


Merchant Fees

The university cashier receives a statement at the end of each month from our merchant service provider US Bank/Elavon and assesses each merchant their portion of fees.

The university's current merchant agreement with US Bank/Elavon is “cost plus” meaning university merchants pay actual interchange plus a few cents for each transaction to Elavon/US Bank.  

Cost plus is generally the most economical pricing format.

Merchant fees are complex and are composed of the following three components:

1. Acquiring/merchant bank transaction fee (US Bank/Elavon currently charges the university a few cents per transaction). This is the only component that the university can negotiate.

2. Card Association or Network fee paid to the card brands Visa, MasterCard, AmEx, Discover (a combination of % and flat amount).

3. Interchange fees paid to card issuing bank (a combination of % and flat amount, established by card brands twice per year, depends on card type (higher for corporate and reward cards), processing method (higher for card not present), card brand (higher for AmEx), and merchant category code (higher for high risk categories)). Interchange is the largest component.

Because all three merchant fees have flat components we can't accurately predict total merchant fees as a percentage of sales.

However, past years' merchant fees seem to average around 2.25% of sales.

Card brand rules, enforced through terms in our merchant agreement, prohibit charging customers a fee for accepting credit card payments. It is best to consider merchant fees a cost of doing business and incorporate them into product or service pricing.
