UCSB Credit Card Merchant Handbook



Similar documents
UCSB Credit Card Processing and PCI Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

PCI DSS v3.0 SAQ Eligibility

Understanding the SAQs for PCI DSS version 3

University Policy Accepting Credit Cards to Conduct University Business

CREDIT CARD MERCHANT PROCEDURES. Revised 01/21/2014 Prepared by: NIU Merchant Services

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

POLICY SECTION 509: Electronic Financial Transaction Procedures

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Sales Rep Frequently Asked Questions

Merchant Card Processing Best Practices

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

PRODUCTS & SERVICES FOR BANKS

Annual Trustwave PCI Self Assessment Questionnaire (SAQ) Educational Presentation. Understanding the Merchants Responsibilities for PCI Compliance

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

IT TECHNICAL SECURITY REVIEW CHECKLISTS FOR E-COMMERCE WEBSITES

UW Platteville Credit Card Handling Policy

The Comprehensive, Yet Concise Guide to Credit Card Processing

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

Saint Louis University Merchant Card Processing Policy & Procedures

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Benefits of Integrated Credit Card Processing Within Microsoft Dynamics GP. White Paper

Fall Conference November 19 21, 2013 Merchant Card Processing Overview

Becoming PCI Compliant

PCI DSS Gap Analysis Briefing

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

Credit Card Processing, Point of Sale, ecommerce

GLOSSARY OF MOST COMMONLY USED TERMS IN THE MERCHANT SERVICES INDUSTRY

Why Is Compliance with PCI DSS Important?

CREDIT CARD PROCESSING AND MERCHANT SERVICES

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Presented by: Sam Campisi, Business Relationship Manager, OECM Bruce Averill, Account Executive Sales, Chase Paymentech Kevin Brock, National Sales

Office of Finance and Treasury

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

Your gateway to card acceptance.

CREDIT CARD PROCESSING POLICY AND PROCEDURES

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

EDUCATION - TERMS 101

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

FAQ s for Payment Card Processing at the University

E-Market Policy Accepting Online Payment for Conducting University Business

Glossary ACH Acquirer Assessments: AVS Authorization Back End: Backbilling Basis Point Batch

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

Merchant Card Processing Request Form

Merchant Payment Solutions

CREDIT CARD PROCESSING GLOSSARY OF TERMS

Adjustment A debit or credit to a cardholder or merchant account to correct a transaction error

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

Payment Card Industry (PCI) Data Security Standard

PCI DSS. CollectorSolutions, Incorporated

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

New York University University Policies

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Credit Card Processing Overview

Policies and Procedures. Merchant Card Services Office of Treasury Operations

Adyen PCI DSS 3.0 Compliance Guide

Information Technology

MERCHANT CREDIT CARD PROCESSING APPLICATION AND AGREEMENT PAGE 1 of 2 BUSINESS INFORMATION Taxpayer Identifi cation Number: (9 digits)

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

How To Program A Credit Card Terminal To Be A Pca Compliant (Cpo) Or Not (Pca) Compliant (Dns) (Cisp) (Dhs) (Pci) (Susu) (Usu/

Merchant Payment Solutions

CardControl. Credit Card Processing 101. Overview. Contents

Redwood Merchant Services. Merchant Processing Terminology

Merchant Payment Solutions

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

Revenue Security and Efficiency

The University of Michigan Treasurer s Office Card Services. Merchant Services Policy Document

How To Control Credit Card And Debit Card Payments In Wisconsin

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

bid every 10 years Are there specific pain points or issues with your current processor you are trying to resolve by going out for RFP?

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

How Online Payments Really Work

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

Frequently Asked Questions

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Transcription:

UCSB Credit Card Merchant Handbook June 2013 Version 3.0 Page 1 of 15

Table of Contents Steps to Becoming a Credit Card Merchant Credit Card Solutions Department Based Vendors Policies Governing Credit Card Acceptance and Merchants UC Policy PCI Compliance Costs for Credit Card Acceptance Fees Equipment Compliance Credit Card Reconciliation Process Credit Card Terminology Page 2 of 15

Steps to Becoming a Credit Card Merchant If a department or unit would like to accept credit cards, and become a merchant, the first step is a discussion with the Campus Credit Coordinator ( Coordinator ). At that time, the department/unit will discuss their plans, potential revenue, etc. In addition, the Coordinator will review aspects of credit card acceptance, including approval from the Chancellor, the type of setup the unit/department is requesting, potential vendors, associated fees, and UC and campus policies. Credit Card Coordinator Review The Coordinator will want to gain an understanding of the department/unit s need to accept credit cards. Things to consider are the amount of potential revenue to be generated and level of staff support to manage the acceptance and reconciliation of all of the credit card income and fees. In addition, a review of the activities will be done to consider potential issues such as the need for a revenue account, unrelated business income tax (UBIT) reporting, and the approval of the activities by the campus Rate and Recharge Committee. Chancellor Approval The Chancellor approves all requests from departments/units to accept credit cards. This is done via a letter from the department/unit head, that is routed to the Coordinator, the campus Controller and on to the Chancellor. Determine Type of Setup A majority of our campus merchants wish to accept credit cards for registration fees associated with conferences the department/unit is hosting. The remaining merchants are selling other types of goods or services, such as tickets to events, or parking for example. There are two options for accepting credit cards: I. Department/Unit Hosted Website For this option, the department/unit typically has technical support staff, who can create an event website and a database behind the scenes to capture all of the registration information. This setup also requires integration with a payment gateway and does not allow for any storage of credit card data. Also known as the click to pay model, because users are redirected to a payment gateway for secure collection of credit card data. Page 3 of 15

II. Vendor Solution A. UC Approved Vendor Another option for accepting credit cards is to use an approved UC vendor, who can facilitate the development of a web page/form, which can collect the registration information, provide reports, and process the credit card transactions with the payment gateway. B. Outside Vendor If a department/unit has a need to sell goods/services and wishes to use a vendor who does not currently have an approved agreement with the UC system, the vendor must meet certain guidelines prior to signing any agreement. 1. Payment Card Industry Standards (PCI) Any vendor who offers credit card acceptance capability, and wishes to do business with the University must agree to standard UC contract language about PCI compliance and provide evidence of their PCI validation. 2. Payment Application Best Practices Depending on the type of product offered by the vendor, the vendor may also have to certify their product was developed according Payment Application Best Practices (PABP). 3. Certificates of Insurance Any vendor who offers credit card acceptance capability, and wishes to do business with the University must agree to standard UC levels of insurance that must be carried by the vendor. NOTE: Departments need to be very aware of the requirements outlined above. Many times smaller businesses/vendors will not be able to meet the insurance requirements, or be willing to accept or negotiate our contract language. Should this occur, we will not be able to move forward and use the vendor. Page 4 of 15

Credit Card Merchant Training Terminology (courtesy of Authorize.net website: www.authorize.net, Bill Collins, Former Vice President Relationship Management, Chase Paymentech Solutions, and Visa) Acquiring Bank The bank or financial institution that holds the merchant s bank account that is used for collecting the proceeds for credit card processing. Card Associations Credit card issuing entities such as Visa and MasterCard that govern and oversee the use of credit cards for payment transactions. Interchange The process by which all parties involved in a credit card transaction (i.e., processors, acquirers, issuers, etc.) manage the processing, clearing and settlement of credit card transactions, including the assessment, and collection and/or distribution of fees between parties. Also known as Credit Card Interchange. Merchant The person or business entity that sells goods or services to a customer. Merchant Account A financial institution or bank account that is used by a merchant specifically for the purpose of collecting proceeds consumer bank account or credit card payment transactions. A Card Present (CP) merchant account is used by merchants that receive payments in a physical location where payment is physically presented to the merchant by the customer at the time of the transaction. A Card Not Present (CNP) merchant account is used by merchants that receive payments electronically or in situations where payment is not physically presented to the merchant by the consumer at the time of the transaction. Payment Application Best Practices (PABP) Visa has developed "Payment Application Best Practices" to assist software vendors create secure payment applications that help ensure merchant compliance with the PCI Data Security Standard. (From the Visa website, http://www.usa.visa.com/merchants/) Payment Card Industry Data Security Standard (PCI DSS) The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. (From the PCICO website, https://www.pcisecuritystandards.org/tech/index.htm) Page 5 of 15

Payment Gateway (UCSB = Authorize.net or Cybersource) A system of technologies and processes that allow merchants to electronically submit payment transactions to the payment processing networks (i.e., the Credit Card Interchange and the ACH Network). Payment gateways also provide merchants with transaction management, reporting, and billing services. Platform (UC = North Platform) The processing system "engine" the merchant account uses. Point of Sale (POS) A term used in the payments industry that refers to the physical location where a payment transaction takes place. POS is also used to describe credit card payment acceptance systems that are designed for the place of sale, such as card swipe terminals. Processor An entity in the credit card processing network that handles the posting of transactions for authorization, clearing and settlement to consumer credit card accounts at the card associations; and the settlement of funds to merchant bank accounts. Processors may also provide merchants with billing and reporting services. Retail The business of selling merchandise or services to consumers. Merchants that operate in a storefront or physical location and accept Card Present payments meaning that payment is physically presented to the merchant, and credit cards are swiped into a card reading device. Also called Brick and Mortar. Settlement For credit card transactions, settlement occurs at the completion of transaction processing between the involved financial institutions and processing entities, and funds for the credit card transaction have been successfully deposited into the merchant s bank account. Terminal A piece of electronic hardware, or a device, that is used by a merchant to submit credit card payment information to the processing network. Terminals are connected to the credit card processing network via dial-up telephone connection or Broadband. Also see POS Device. Virtual Point-of-Sale (VPOS) Terminal A secure, easy-to-use solution that allows retail, or brick and mortar merchants, to manually submit transactions using a computer with Windows Internet Explorer, and a MagTek USB HID card reader. Page 6 of 15

Visa Cardholder Information Security Program (CISP) A program created by Visa stating its technology and sensitive data security requirements for merchants and merchant service providers. Compliance is required of its member institutions. Page 7 of 15

Self Assessment Questionnaires Courtesy of Sabrina Hagberg, First Data SAQ A SAQ Validation Type 1 / SAQ A: Card-not-present, All Cardholder Data Functions Outsourced SAQ A has been developed to address requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises. Merchants in Validation Type 1 do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises, and must validate compliance by completing SAQ A and the associated Attestation of Compliance, confirming that: Your company handles only card-not-present (e-commerce or mail/telephone-order) transactions; Your company does not store, process, or transmit any cardholder data on your premises, but relies entirely on a third party to handle these functions; Your company has confirmed that the third party handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant; Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; and Your company does not store any cardholder data in electronic format. This option would not apply to merchants with a 100% face to face POS environment. Page 8 of 15

SAQ B SAQ Validation Type 2 / SAQ B Imprint Merchant Only, No Electronic Cardholder Data Storage SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or stand-alone dial-up terminals. Merchants in Validation Type 2 only process cardholder data via imprint machines, and must validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that: Your company uses only an imprint machine to take your customers payment card information; Your company does not transmit cardholder data over either a phone line or the Internet; Your company retains only paper copies of receipts; and Your company does not store cardholder data in electronic format. SAQ Validation Type 3 / SAQ B Standalone, Dial-out Terminal Merchant, no Electronic Cardholder Data Storage SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or stand-alone dial-up terminals. Merchants in Validation Type 3 process cardholder data via stand-alone, dial-out terminals, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone order (card-not-present) merchants. Merchants in Validation Type 3 must validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that: Your company uses only standalone, dial-out terminals (connected via a phone line to your processor); The standalone, dial-out terminals are not connected to any other systems within your environment; The standalone, dial-out terminals are not connected to the Internet; Your company retains only paper reports or paper copies of receipts; and Your company does not store cardholder data in electronic format. Page 9 of 15

SAQ C SAQ Validation Type 4 / SAQ C Merchants with Payment Application Systems Connected to the Internet SAQ C has been developed to address requirements applicable to merchants whose payment application systems (e.g., point-of-sale or shopping cart systems) are connected to the Internet either because: 1. The payment application system is on a pc that is connected to the Internet (e.g., for email or browsing), or 2. The payment application system is connected to the Internet to transmit cardholder data. Merchants in Validation Type 4 process cardholder data via payment application systems connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone-order (card-not-present) merchants. Merchants in Validation Type 4 must validate compliance by completing SAQ C and the associated Attestation of Compliance, confirming that: 1. Your company has a payment application system and an Internet connection on the same device; 2. The payment application system/internet device is not connected to any other systems within your environment; 3. Your company retains only paper reports or paper copies of receipts; 4. Your company does not store cardholder data in electronic format; and 5. Your company s payment application software vendor uses secure techniques to provide remote support to your payment application system. Page 10 of 15

SAQ D SAQ Validation Type 5 / SAQ D All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ SAQ D has been developed to address requirements applicable to all merchants who do not fall under Validation Types 1-4. Merchants in Validation Type 5 must validate compliance by completing SAQ D and the associated Attestation of Compliance. While many of the organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of the PCI DSS that are specific to wireless technology. Page 11 of 15

Credit Card Reconciliation Process All credit card receipts from all campus departments are deposited via Bank of America Merchant Services, to the UCSB Bank Account at Bank of America. Based on the Bank of America statement, Accounting clears the UCSB bank account by crediting campus merchants for the deposits, and debiting departments for the fees associated with acceptance of credit cards on the campus. On the first day of the month (i.e., March), Accounting emails to the department a spreadsheet, showing the total receipts collected for the prior month (i.e, February), as indicated on our Bank of America statement. Based on the Bank of America statement, Accounting prepares a journal that debits the department/merchant s clearing account for the deposits and credits the department/merchant s clearing account for the fees. The department then needs to prepare a journal that debits their clearing account, and credits the appropriate department account for the income. The department also prepares a journal that credits their clearing account, and debits the appropriate department account for the fees. Object Code 7226 should be used for this entry. The fees are one month in arrears. The department should reconcile the transactions between the Bank of America statement, the Bank of America Merchant Services statement and any internal records kept for deposits. Page 12 of 15

Internet Gateways with UC Agreements Authorize.net http://www.authorize.net Card Not Present Gateway Fee: $10.00/mo Transaction Fee: $.03/transaction Reactivation Fee $25 Retail Set up Fee: $49 Gateway Fee: $8.00/mo (includes 100 transactions) Transaction Fee: $.04/transaction Reactivation Fee $25 Cybersource http://www.cybersource.com $19.95/mo, plus $.10/transaction RegOnline http://www.regonline.com/ 4.95% processing fee for Visa / MC using them as a Gateway (card processor) or;.95% processing fee if using another Gateway like Auth.net PLUS, $3.75 per registration Page 13 of 15

Credit Card Terminals University of California Updated pricing 12/22/2008 FDCS TERMINALS: Rental Purchase FD 50 TERM $16.50 $349.00 FD100 TERM $22.00 $439.00 FD200 TERM AND CHECK $28.00 $ 669.02 FD300 MULTI MERCH $ 648.18 FD400 WIRELESS $ 799.25 FD20 CONTACTLESS READER $ 218.43 $16.50 $ 349.00 T7PLUS * $35.00 $ 550.00 VX570 $35.00 $675.00 NURIT 8000 $60.00 $1,095.00 OLD TERMINALS: T330 $30.00 $ 400.00 T380 $35.00 $ 450.00 T380X2-256K $35.00 $ 490.00 ECLIPSE $45.00 $ 725.00 OMNI 3200 * $39.00 $ 595.00 OMNI 3750DM * $39.00 $ 675.00 PINPADS: FD10 $12.50 $127.27 FD10C $13.00 $127.27 PP1000SE (3 DES) * $15.00 $ 175.00 S9 (3 DES) * $15.00 $ 225.00 PRINTERS: P900 $26.00 $ 296.00 * DENOTES A 5 YEAR WARRANTY. SWAPS = $50. -- ALL OTHER TERMINALS ONLY HAVE A 1 YEAR WARRANTY MAINTENANCE PROGRAM $8.00 PER MONTH Page 14 of 15

Resources Contacts Jonelle Miller Credit Card Coordinator 805-893-3959 Jonelle.Miller@bfs.ucsb.edu Neil Clark Associate Director of Controls 805-893-7667 Neil.Clark@bfs.ucsb.edu Russell Remington General Accounting Supervisor Credit Card Reconciliation 805-893-2372 Russell.Remington@bfs.ucsb.edu Kimberly Tapia Contracts Manager 805-893-5836 kimberly.tapia@bfs.ucsb.edu Meta Clow Campus Policy and Records Management Coordinator 805-893-4212 meta.clow@vcadmin.ucsb.edu Policies BUS-49, Policy for Cash and Cash Equivalents Received http://policy.ucop.edu/doc/3420337/bfb-bus-49 Use of University Logo http://www.policy.ucsb.edu/policies/logo/ Terms of Use http://www.policy.ucsb.edu/terms_of_use/ Page 15 of 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information