Navigate Up
Sign In
Click to show/hide contact information.

Payment Card Merchant Guide

  
  
  
PCI_Merchant_Application.pdfWritable PDF
  
Expand or contract all step headings
printer
printer
increase font size Decrease Font Size
 
 
 
 magnifying glassDelete Circle
  • Before You Start

    In order to process payment cards (i.e. credit cards, debit cards), merchants must comply with Payment Card Industry Data Security Standard Requirements (PCI-DSS). This guide provides a high level overview of these requirements, as determined by the PCI Security Standards Council.

    To apply become a merchant, or request assistance with a PCI related issue, Contact the Campus Payment Card Coordinator.

    Important things to know:

    • Payment card association rules are numerous with significant fines imposed for violations.
    • Payment Card Industry Data Security Standard (PCI-DSS) requirements are stringent and can be very complicated to implement.
    • Maintaining a secure transaction processing environment and protecting cardholder data from unauthorized access can be difficult and costly.
    • Payment card acceptance processes have their own unique terminology and acronyms.

    Back to Top
  • Assess Eligibility and Financial Feasibility

    ​Determining Eligibility

    A prospective campus payment card merchant must meet at least one of the following criteria:

    1. Increasing revenue: Additional net revenue generated from payment card sales exceeds the additional cost of accepting them.
    2. Assuring payment: Accepting cards will reduce bad debt by more than the additional cost of accepting them.
    3. Automating payment collection: accepting payment cards reduces the cost of payment processing by more than the additional cost of accepting them.
    4. Providing customer service convenience: accepting payment cards provides customers with a substantially improved level of service.

    Determining Financial Feasibility

    Follow these steps:
    1. Estimate the annual financial benefit to be realized from accepting payment cards.
      1. Increased sales
      2. Reduced bad debt costs (for units billing for goods or services)
      3. Reduced operational costs (e.g. elimination of customer billing)
    2. Estimate the annual costs of accepting payment cards
      1. Bank fees
      2. Discount fee
      3. Equipment acquisition and maintenance costs
      4. Information technology-security costs
      5. PCI-DSS compliance and cardholder data protection-related costs
      6. Staffing costs
    3. Compare estimated annual benefit to estimated annual cost, also considering one-time start-up costs​

    Back to Top
  • Identify Cards to be Accepted by Your Unit

    ​A campus merchant may accept any of the following card brands

    American Express: US cardholders: 38 million (Approximate)

    Pros:
    • More secure transaction processing as a result of operating a closed loop network
    • American Express serves more than 70% of the Fortune 500 companies with its convenient Corporate Card
    Cons:
    • Highest processing fees due to the fact that American Express is a card issuer
    • American Express deposits are processed separately from the other card brands and may take 3-5 days to be credited to the merchant’s bank account

    Discover: U.S. cardholders: 49 million (Approximate)

    Pros:
    • One agreement with Discover allows a merchant to also accept Diners Club International, as well as the following foreign-issued card brands: UnionPay (China), JCB (Japan), and BC Card (Korea)
    Cons:
    • Higher processing fees due to the fact that Discover is a card issuer

    MasterCard: U.S. cardholders: 82 million (Approximate)

    Pros:
    • Commonly-held payment card
    • Lower processing fees due to the fact that MasterCard is a credit card processor
    Cons:
    • None

    Visa: U.S. cardholders: 109 million (Approximate)

    Pros:
    • Most commonly-held payment card
    • Lower processing fees due to the fact that Visa is a credit card processor
    Cons:
    • None

    Debit card:

    Pros:
    • Flat rate fee per transaction
    • Less risk of chargeback
    Cons:
    • Total per-transaction fees can be costlier than comparable credit card fees
    • Additional pin pad equipment required​

    Back to Top
  • Determine the Payment Processing Channels Used to Accept Payment Cards

    ​Each of the following ways of accepting payment cards transactions has its use depending on a merchant’s situation:

    Kiosk or Telephone Interactive Voice Response (IVR)

    • How it works: Customer-initiated payment at either a stand-alone kiosk or over the telephone guided step-by-step through the transaction by voice prompts.
    • Best uses:
      1. Processing non-retail transactions
      2. 24/7 availability for payment acceptance
    • Cost to maintain: Relatively low-cost, low PCI-DSS compliance cost
    • Notes:
      • Of limited use for most campus units
    Standalone point-of-sale terminal connected to telephone line
    • How it works: A point-of-sale countertop terminal utilized for processing payment through a dial-up telephone connection.
    • Best uses:
      1. In-person, over-the-counter transactions
    • Cost to maintain: Lower cost for equipment, low PCI-DSS compliance costs
    • Notes:
      1. Works well for a unit that does not need integration with a point-of-sale system
    Standalone point-of-sale terminal connected to cellular phone network
    • How it works: A point-of-sale countertop terminal utilized for processing payment through a cellular connection.
    • Best uses:
      1. In-person transactions in situations where a power source or telephone are not available
    • Cost to maintain: Lower cost for equipment plus monthly wireless connection fee, low PCI-DSS compliance costs
    • Notes:
      1. Terminal must have satisfactory cellular connection
      2. Works well for a unit that does not need integration with a point-of-sale system
    Standalone point-of-sale terminal connected to Internet
    • How it works: A point-of-sale countertop terminal utilized for processing transactions through an internet connection.
    • Best uses:
      1. In-person transactions using a point-of-sale system
    • Cost to maintain: Higher PCI-DSS compliance costs than if connected to telephone line
    • Notes:
      1. Authorization response time is usually quicker
      2. Works well for a unit that does not need integration with a point-of-sale system
    Virtual point-of-sale attached to a computer connected to Internet
    • How it works: A Virtual Point of Sale (VPOS) turns any Internet-connected computer into a point-of-sale (POS) terminal with the simple addition of an USB Human Interface Device (HID) swipe card reader.
    • Best uses:
      1. Processing a high volume of telephone and/or mail orders
      2. Processing a low volume of card-present transactions in a non-retail environment
    • Cost to maintain: Minimal equipment costs, higher PCI-DSS compliance costs
    • Notes:
      1. Computer must be setup and configured to meet a variety of IT-related security requirements
    Third-party hosted browser based virtual terminal
    • How it works: Involves using an Internet-connected computer workstation to manually process payment card transactions
    • Best uses:
      1. Processing low to moderate volumes of telephone and/or mail orders
    • Cost to maintain: Minimal equipment costs, higher PCI-DSS compliance costs
    • Notes:
    • Computer workstation must be setup and configured to meet a variety of IT-related security requirements
      Point-of-sale payment system connected to the Internet
      • How it works: A computerized network operated by a main computer and linked to several credit/debit card terminals with an integrated point-of-sale software program.
      • Best uses:
        1. High-volume sales retail environment with over-the-counter transactions using a point-of-sale system
      • Cost to maintain: High equipment costs, higher PCI-DSS compliance costs
      • Notes:
        1. System must be setup and configured to meet an extensive variety of IT-related security requirements
      Internet payment website (Hosted in-house)
      • How it works: A standalone program that is purchased, coded in-house, downloaded open-source code, and hosted using the merchant’s network hardware (i.e. Server and firewall)
      • Best uses:
        1. High volume on-line sales where the flexibility to customize the consumer experience is a critical need
      • Cost to maintain: High equipment costs, very high PCI-DSS compliance costs, high operating costs
      • Notes:
        1. System must be setup and configured to meet a very extensive variety of IT-related security requirements
        2. Electronic card data may be handled and/or stored, which significantly increases risk to the merchant, the campus, and its patrons.
      Internet payment website (Third-party hosted, PCI-compliant)
      • How it works: A UC-contracted vendor provides an eCommerce website in which it fully manages hardware and software, and ensures compliance with data security standards.
      • Best uses:
        1. Low to moderate volume of on-line sales
      • Cost to maintain: Little or no equipment costs, low PCI-DSS compliance costs, moderate operating costs
      • Notes:
        1. Website design flexibility may be limited
        2. Dependent on vendor to make changes to webpages
        3. Cardholder data is not handled or stored, thus reducing the risk to the merchant, the campus, and its patrons​

      Back to Top
    1. Merchant Operating Costs

      Merchants must pay for all operating costs, which may include some or all of the following:

      One-time costs
      • Card processing equipment, if purchased
      • Software or outsourced services procuring and setup costs
      • Consultant and/or contracted service fees associated with setup
      Ongoing costs
      • Interchange fees
      • Pass-through acquiring bank charges
      • Card processing equipment lease and/or maintenance fees
      • Payment gateway fee, for third-party internet payment gateway setups
      • Payment Card Industry Security compliance-related costs
      • Software application annual maintenance and/or licensing costs
      • Transaction processing fees (Third-party web hosting services)
      • Firewall maintenance recharge assessed by Information Technology Services
      • Annual campus payment card merchant support recharge
      Other costs
      • Cardholder data breach mitigation costs, including fines and cardholder notification

      Back to Top
    2. Card Acceptance and Processing Requirements

      Campus Requirements

      1. Facsimile and email orders: A merchant may not accept facsimile or email orders
      2. Refunds: Approved refunds must be made by crediting the cardholder’s account.
      3. Discount fee: A merchant is responsible for paying all bank and interchange fees and charges.
      4. Receipts deposit: A merchant may only deposit transactions belonging to that merchant’s department or program.
      5. Payment card reconciliation. All payment card receipts from all merchant units must be directly deposited to the UCSC Bank of America depository account.
      6. Accounting. The Accounting Office credits the merchant unit’s FOAPAL for the payment card deposit amount and debits it for fees associated with payment cards acceptance.
      7. Reconciliation. The merchant reconciles the transactions between the Bank of America statement, the Bank of America Merchant Services statement, and unit deposit records each month.
      8. Equipment acquisition: A merchant must either purchase or rent the equipment needed to process transactions from the university’s card processor.
      9. Equipment maintenance: A merchant is responsible for properly maintaining processing equipment.
      10. Data breach liability: A merchant is responsible for paying all costs associated with remediating a breach of customer data, including any fines resulting from failure to comply with PCI-DSS.

      Data Security-Related Requirements

      1. Data protection. Customer payment card data is protected from unauthorized access at all times
      2. EMV-chip enabled terminals. Point-of-sale terminals must be EMV-chip enabled
      3. Printed receipts. Processing equipment must print receipts with a truncated customer payment card account number
      4. Breach reporting. Any breaches in security, actual or suspected, involving customer payment card data must be promptly reported to the Campus Payment Card Coordinator

      Back to Top
    3. Document Card Transaction Processing Standards

      ​Here are some tips useful in establishing payment card processing standards:

      General Data Security Standards

      Implement features to make cardholder data unusable to identity thieves

      • Account number truncation
      • Data encryption
      • Data hashing
      • Strong Cryptography

      The following cardholder data may never be retained in any form:

      • PIN block or CVV2
      • Full primary account number
      • Expiration date

      Transaction Processing Steps

      Card-Present Transaction Handling. Sales made with the cardholder present, use these procedures:

      1. Swipe card through the magnetic card reader
      2. Verify the card’s security features, by checking for the following

        VISA:

        • Holographic dove design on the back
        • Holographic magnetic stripe on the back
        • Dove design hologram on the front
        • Flag and dove hologram design on front

        MasterCard:

        • Full color MasterCard brand mark on front
        • Valid account numbers start with the numbers “5” and “2”
        • CVC2 number appears on the back
          • Signature panel includes the word “MasterCard” printed in multi-colors at a 45 degree angle.
        • Signature panel includes the word “MasterCard” printed in multi-colors at a 45 degree angle.

        Discover:

        • “DISCOVER” or “DISCOVER NETWORK” will appear under an ultra-violet light
        • Valid account numbers start with the number “6”

        American Express:

        • Valid account numbers start with either “34” or “37”
        • Some cards have a hologram of the American Express image imbedded into the magnetic strip
      3. Check the card for alterations or inconsistency in appearance
        • Embossed numbers can be flattened and re-embossed
        • Magnetic strips can be re-encoded, not matching the account number appearing on the front
      4. Obtain authorization from the card issuer through the payment application
      5. Compare the name, number, and signature on the card to those on the transaction receipt.
      6. If transaction is not PIN-verified, obtain the cardholder signature on the transaction receipt.
      7. If you suspect fraud, follow these procedures:
        1. Keep the card in question in hand to address any questions
        2. Call the appropriate authorization center and mention having a “Code 10 authorization request.” Follow instructions provided by the operator, answering questions with a “yes” or “no”
          • MasterCard or Visa: 800-430-7161, at prompt, select option 1
          • American Express: 800-528-2121
          • Discover: 800-347-1111
        3. For your safety, do not, under any circumstances, confront or try and apprehend the customer
        4. Notify your supervisor

      Card-Not Present Transactions

      Sales made without the cardholder being present:

      1. For a telephone or mail order, obtain the following cardholder information:
        • Account number
        • Name as it appears on card
        • Card expiration date
        • Cardholder’s billing address
        • For a telephone order, perform these additional steps:
          • Record the time and date of your conversation
          • Make a note of the details of the conversation
        • For a mail order, perform these additional steps
          • Obtain the cardholder’s signature on the order form
          • Retain a copy of the written order for as long as necessary for business purposes e.g. including the chargeback period of 90 days for any dispute responses
      2. Optionally, request additional identification information from the cardholder
        • A cardholder is not required to provide this information
        • Merchant card acceptance policy needs to indicate if a sale will be made if the information is not provided
      3. Use the card processing application or equipment to enter card authorization information
      4. Properly store cardholder data for the minimum amount of time necessary. See PCI Data Storage "Do's and Don't's" for more information.

      Back to Top
    4. Payment Card Industry - Data Security Standard Requirements

      Network Build and maintain a secure network and information technology system for handling payment card transactions

      1. Ensure network segmentation.
        1. Isolate the system that stores, processes, and/or transmits cardholder data from all other systems.
      2. Install and maintain a firewall configuration to protect cardholder data.
        1. The merchant must enter into a Memorandum of Understanding (MOU) with ITS – Networking that details ITS and merchant firewall maintenance responsibilities.
        2. To initiate an MOU, submit a ticket to the ITS Support Center, itrequest.ucsc.edu or help@ucsc.edu.
      3. Change vendor-supplied defaults for system passwords and other security parameters
      4. Install and regularly update applications protecting computing equipment against malware and virus attacks
      5. Ensure all cardholder data is encrypted from point of sale to acceptance.
      6. Develop and maintain secure systems and applications
        1. Establish a process to identify security vulnerabilities, using reputable external consultant, as needed
          • Assign a severity level to each newly-discovered security vulnerability
        2. Promptly install vendor-supplied security patches to protect against known vulnerabilities
        3. Incorporate information security throughout the software development life cycle.
          • All software applications, internally or externally developed, must be compliant with UCSC and PCI-DSS requirements
        4. A formal change control process must be used in upgrading or changing system components
        5. Software coding standards need to prioritize inclusion of features preventing sensitive data from being accessed
          • Control how personal or sensitive data is handled in memory
        6. An application vulnerability assessment of all public-facing web applications must be performed annually and after any changes are made
          • Alternately, use a web traffic monitoring application, such as a web-application firewall, that detects and prevents web-based attacks
      7. Identify and authenticate access to system components
        1. Restrict access to system components and cardholder data to those individuals with a business need-to-know.
          • For all others, set to “deny all”
      8. Track and monitor the activities of every individual accessing computing and network resources used to process and, as applicable, store cardholder data
      9. Monitor and regularly test network for security flaws and weakness
        1. Host Network Intrusion Detection and Prevention system scans
        2. File Integrity system verification
        3. Vulnerability analysis scans
      10. Protect cardholder data
        1. Secure areas where paper and/or electronic cardholder data is stored
        2. Managing Merchant unit employee risks by following the UCSC Cash Handling Guide, Separation of Duties Guide, and the Acceptable Use Policy.
      11. Report security breaches immediately
        1. Document actions taken
        2. Preserve logs and other electronic evidence
          • Keep computer “on” to preserve log files for investigative purposes
          • Disconnect affected computer(s) from the network and internet
        3. Notify appropriate unit management
        4. Notify the campus Payment Card Coordinator
        5. As directed by the Payment Card Coordinator
          • Notify the acquiring bank
          • For Visa, notify the Visa Fraud Control group
        6. Notify ITS Support Center at itrequest.ucsc.edu or help@ucsc.edu
        7. Notify UCSC Police Department if equipment was stolen
      12. Maintain a policy that addresses information security for employees and contractors 
        1. Ensure staff members are skilled in applying the policies and procedures
        2. Ensure that related security policies and operational procedures are documented, and deployed by all affected individuals

      Back to Top
    5. Transaction Processing Standards

      Here are some tips useful in establishing payment card processing standards:

      General Data Security Standards

      1. Implement features to make cardholder data unusable to identity thieves
        1. Account number truncation
        2. Data encryption
        3. Data hashing
        4. Strong Cryptography
      2. The following cardholder data may never be retained in any form:
        1. PIN block or CVV2
        2. Full primary account number
        3. Expiration date

      Transaction Processing Steps:

      Card-Present Transaction Handling

      Sales made with the cardholder present, use these procedures. Swipe the card through the magnetic card reader, then verify the card's security features by checking for the following:

      VISA:

      1. Holographic dove design on the back
      2. Holographic magnetic stripe on the back
      3. Dove design hologram on the front
      4. Flag and dove hologram design on front

      Mastercard:

      1. Full color MasterCard brand mark on front
      2. Valid account numbers start with the numbers “5” and “2”
      3. CVC2 number appears on the back
        • 3 digit validation number in reverse italics to the right of the last 4 digits of the account number
      4. Signature panel includes the word “MasterCard” printed in multi-colors at a 45 degree angle.

      Discover:

      1. “DISCOVER” or “DISCOVER NETWORK” will appear under an ultra-violet light
      2. Valid account numbers start with the number “6”

      American Express:

      1. Valid account numbers start with either “34” or “37”
      2. Some cards have a hologram of the American Express image imbedded into the magnetic strip
      3. Check the card for alterations or inconsistency in appearance
        • Embossed numbers can be flattened and re-embossed
        • Magnetic strips can be re-encoded, not matching the account number appearing on the front
      4. Obtain authorization from the card issuer through the payment application
      5. Compare the name, number, and signature on the card to those on the transaction receipt.
      6. If transaction is not PIN-verified, obtain the cardholder signature on the transaction receipt.

      If you suspect fraud, follow these procedures:

      1. Keep the card in question in hand to address any questions
      2. Call the appropriate authorization center and mention having a “Code 10 authorization request.” Follow instructions provided by the operator, answering questions with a “yes” or “no”
        • MasterCard or Visa: 800-430-7161, at prompt, select option 1
        • American Express: 800-528-2121
        • Discover: 800-347-1111
      3. For your safety, do not, under any circumstances, confront or try and apprehend the customer
      4. Notify your supervisor

      Card-Not Present Transactions - Sales made without the cardholder being present

      For a telephone or mail order, obtain the following cardholder information:

      1. Account number
      2. Name as it appears on card
      3. Card expiration date
      4. Cardholder’s billing address

      For a telephone order, perform these additional steps:

      1. Record the time and date of your conversation
      2. Make a note of the details of the conversation

      For a mail order, perform these additional steps:

      1. Obtain the cardholder’s signature on the order form
      2. Retain a copy of the written order for as long as necessary for business purposes e.g. including the chargeback period of 90 days for any dispute responses

      Optionally, request additional identification information from the cardholder:

      • A cardholder is not required to provide this information
      • Merchant card acceptance policy needs to indicate if a sale will be made if the information is not provided

      Use the card processing application or equipment to enter card authorization information, properly storing cardholder data for the minimum amount of time necessary


      Back to Top
    6. Handling Card Transactions

      Important things to know:

      Processing cardholder transactions
      See Processing cardholder transactions for more information.

      Refunds
      • Establish a formal policy for handling refunds
      • Ensure each refund is approved by a designated employee not having card processing responsibilities
      • Use the refunding process that is specific to the payment application
      Exchanges
      • Establish a formal policy for handling exchanges and returns
      Chargebacks
      • Establish a formal policy for taking corrective action on all chargebacks
      • Rebuttals must be completed within the number of days allowed on the chargeback notification
      Batching and depositing receipts
      • Batch receipts on a daily basis
      • Prepare a bank deposit form reflecting one or more batch totals broken down by card type
      • Make the deposit at the Main Cashier’s Office at least monthly
      • Refer to the UCSC Cash Handling Guide for additional information in regards to deposit preparation and processing.
      Accounting

      Verify receipt amounts appearing in the ledger agree to supporting Bank of America Merchant Services statement amounts for accuracy and timeliness each month

      • Report discrepancies to Financial and Accounting Office: General Accountant at finpolicy@ucsc.edu
      Records retention
      • Retain and secure paper-based and electronic credit card transaction data, including supporting information for the period of time required by UC document retention policies and the payment card company agreement.
      • As applicable, retain original paper sales drafts for at least 24 months; copies may be kept for a maximum of 7 years before being properly disposed of by being cross-cut shred or deposited in a locked shred bin.

      Back to Top
    7. Network Diagrams

      Create and maintain a departmental Network Diagram and Cardholder Data Environment (CDE) Diagram

      1. Applies to merchants transmitting cardholder data using the campus network
      2. The Network Diagram identifies each network and provides a description of the following:
        1. Computing equipment
        2. Networking equipment
        3. Software applications
        4. IT services provided by third-party suppliers
        5. Vendor-provided Internet payment gateway applications
      3. The CDE Diagram identifies the flow of card holder information across systems and networks

      Back to Top
    8. Policy and PCI Guidelines

      Establish a written information technology (IT) security policy addressing CDE risks.

      1. Employee and contractor usage policy
        1. Prohibit the use of modems or wireless connectivity
        2. Prohibit the use of email to transmit cardholder data
        3. Require computer monitors be secured from unauthorized viewing
          • Install barriers, reposition screens, and/or use anti-glare screens
        4. Place computing and network equipment in secure, access-restricted areas
          • Secure keys and/or access codes to the area
          • Maintain of log recording the date and time of each individual entering and leaving the area
        5. Secure documents containing cardholder data at all times
          • Shred documents containing cardholder data as soon as it is no longer needed
        6. Permanently erase data on a computing storage device containing cardholder data before disposing of it
      2. Document and implement daily operational security practices
        1. User account establishment, maintenance and termination
        2. Periodic review of system access logs for unusual patterns
      3. Perform a criminal background check on each individual who processes payment card transactions or accesses cardholder data
      4. Payment card processing staff must be properly trained in the following areas:
        1. UCSC cash handling and payment card processing requirements
        2. Applicable PCI-DSS requirements
        3. UCSC and departmental IT and data security requirements
        4. Cryptographic Key Management
      5. Assign a qualified staff member(s) or contractor to assume responsibility for IT security
      6. Tightly control the sharing of cardholder information
        1. Access:
          • Allow access on a business need-to-know basis only
          • Limit access to wherever cardholder data is stored, on paper or electronically, to authorized individuals
          • Prohibit the use of devices, like USB thumb drives, with computing equipment having access to cardholder data
          • Require the use of strong passwords and unique identities to access systems containing cardholder data
        2. Communication:
          • Prohibit card processing staff from discussing cardholder business in the presence of unqualified or unauthorized individuals
          • Prohibit leaving a voicemail that discusses cardholder account and/or personal information

        REFERENCES: Use the PCI-DSS Document Library to obtain information about the following areas:

        1. Implementation and operation of technical solutions or security controls applicable to the merchant cardholder data environment:
          1. Security firewall installation and maintenance
          2. Network diagram
          3. Cardholder data environment network segmentation
          4. Desktop support
          5. Telephone line installation for dial-up terminals
          6. Server installations
        2. Security control examples:
          1. Incident response process
          2. Encryption
          3. Access control list
          4. Network authentication
          5. Monthly vulnerability scans and assessment
          6. Internet provider service, firewall, malware, and URL and VPN log monitoring​

        Back to Top
      1. Set up Your Operation for Each Card Acceptance Channel Deployed

        For Dial-Up Terminal Setups:

        1. Establish formal, written departmental standards covering each of the following areas:
          1. Payment card handling controls consistent with applicable provisions of the UCSC Cash Handling Guide
          2. Chargebacks and refund procedures
          3. Payment and/or gateway service provider IT access controls
          4. Cardholder data access and protection controls
        2. Assign payment card processor, cash handler, accounting roles and responsibilities
          1. Ensure there is proper separation of duties
        3. Contact UC-approved payment gateway and/or service provider to obtain preliminary agreement terms
        4. Contact Procurement Services to discuss agreement terms
          1. Campus Payment Card Coordinator will confirm service provider PCI-DSS compliance
          2. Procurement Services will negotiate a contract with the service provider and will notify you when the contract is finalized.
        5. Contact the payment service provider to establish an account
          1. Bank of America Merchant Services assists in establishing Visa, MasterCard and Discover accounts
          2. American Express must be contacted directly to establish a merchant account
        6. Contact the Payment Card Coordinator for assistance with the following:
          1. Obtaining Merchant Identification Number (MID)
          2. Obtaining Terminal Identification Number (TID)
          3. Purchasing or renting processing equipment.
          4. Establishing an account with UC-contracted SAQ service provider
        7. Train staff and implement payment card processing, data access, and recordkeeping procedures, standards and controls

        Gateway Services:

        1. Establish formal, written departmental standards covering each of the following areas:
          1. Payment card handling controls consistent with applicable provisions of the UCSC Cash Handling Guide
          2. Chargebacks and refund procedures
          3. Payment and/or gateway service provider IT access controls
          4. Cardholder data access and protection controls
        2. Assign payment card processor, cash handler, accounting roles and responsibilities
          1. Ensure there is satisfactory separation of duties
        3. Contact UC-approved payment gateway and/or service provider to obtain preliminary agreement terms
        4. Contact Procurement Services to discuss agreement terms
          1. Campus Payment Card Coordinator will confirm service provider PCI-DSS compliance
          2. Procurement Services will negotiate a contract with the service provider and will notify you when the contract is finalized.
        5. Contact the appropriate payment service provider to establish acceptance of the following card brands:
          1. Bank of America Merchant Services assists in establishing Visa, MasterCard and Discover accounts
          2. American Express must be contacted directly to establish a merchant account
        6. Contact the Payment Card Coordinator for assistance with the following:
          1. Obtaining Merchant Identification Number (MID)
          2. Obtaining Terminal Identification Number (TID)
          3. Purchasing or renting processing equipment.
          4. Establishing an account with UC-contracted SAQ service provider
        7. Train staff and implement payment card processing, data access, and recordkeeping procedures, standards and controls

        For Ecommerce Setups Using In-House Hosted Payment Gateway Services:

        1. Establish formal, written departmental standards covering each of the following areas:
          1. Payment card handling controls consistent with applicable provisions of the UCSC Cash Handling Guide
          2. Chargebacks and refund procedures
          3. Payment and/or gateway service provider IT access controls
          4. Cardholder data access and protection controls
        2. Assign payment card processor, cash handler, accounting roles and responsibilities
          1. Ensure there is satisfactory separation of duties
        3. Contact UC-approved payment gateway and/or service provider to obtain preliminary agreement terms
        4. Contact Procurement Services to discuss agreement terms
          1. Campus Payment Card Coordinator will confirm service provider PCI-DSS compliance
          2. Procurement Services will negotiate a contract with the service provider and will notify you when the contract is finalized.
        5. Contact the payment service provider to establish an account
          1. Bank of America Merchant Services assists in establishing Visa, MasterCard and Discover accounts
          2. American Express must be contacted directly to establish a merchant account.
        6. Contact the Payment Card Coordinator for assistance with the following:
          1. Obtaining Merchant Identification Number (MID)
          2. Obtaining Terminal Identification Number (TID)
          3. Purchasing or renting processing equipment.
          4. Establishing an account with UC-contracted SAQ service provider
          5. Configuring the card data environment (CDE) in preparation for accepting credit cards
          6. Hardening the CDE to meet PCI requirements.
          7. Verifying standards documentation is complete and sufficient
        7. Train staff and implement payment card processing, data access, and recordkeeping procedures, standards and controls
        8. Unit Head certifies that the CDE complies with all regulatory, contractual and policy requirements.

        For Merchants Using Point-Of-Sale (POS) or Virtual POS Systems Transmitting Cardholder Data Through the UCSC Network

        1. Establish formal, written departmental standards covering each of the following areas:
          1. Payment card handling controls consistent with applicable provisions of the UCSC Cash Handling Guide
          2. Chargebacks and refund procedures
          3. Payment and/or gateway service provider IT access controls
          4. Cardholder data access and protection controls
        2. Assign payment card processor, cash handler, accounting roles and responsibilities
          1. Ensure there is satisfactory separation of duties
        3. Contact a UC-approved payment gateway and/or service provider to obtain preliminary agreement terms
        4. Contact Procurement Services to discuss agreement terms
          1. Campus Payment Card Coordinator will confirm service provider PCI-DSS compliance
          2. Procurement Services will negotiate a contract with the service provider and will notify you when the contract is finalized.
        5. Contact the payment service provider to establish an account
          1. Bank of America Merchant Services assists in establishing Visa, MasterCard and Discover accounts
          2. American Express must be contacted directly to establish a merchant account.
        6. Contact the Payment Card Coordinator for assistance with the following:
          1. Obtaining Merchant Identification Number (MID)
          2. Obtaining Terminal Identification Number (TID)
          3. Purchasing or renting processing equipment.
          4. Establishing an account with UC-contracted SAQ service provider
          5. Coordinating with your departmental IT staff member(s) to ensure equipment is installed appropriately and securely.
          6. Configuring the card data environment (CDE) in preparation for accepting credit cards
          7. Harden the CDE to meet PCI requirements.
          8. Verifying standards documentation will be effective given the design of the systems, procedures and technical processes
        7. Train staff and implement payment card processing, data access, and recordkeeping procedures, standards and controls
        8. Unit head certifies that the CDE complies with all regulatory, contractual and policy requirements.​

        Back to Top
      2. Design the Payment Card Processing Internal Control Environment

        Assessing Payment Card Processing Options and Risk

        Understanding the following security risks and related mitigation costs will help your unit set up a cost-effective merchant operation:

        Data Transmission Options

        The method used to transmit cardholder data to the payment card processor significantly influences risk.

        Using a stand-alone dial-up terminal is less vulnerable to hacking

        • Less risky, lower-cost option, needing less effort to secure and monitor

        Using a direct Internet connection to a terminal is more vulnerable to hacking

        • More risky, higher cost option, needing more effort to secure and monitor

        Processing System Options

        Each of the following processing system options present different levels of risk and associated mitigation costs:

        • Having more pieces of equipment connected to a cardholder payment processing system increases risk
        • Using the Internet to transmit data is more risky than using an analog telephone line
        • Using wireless networking to transmit data is more risky than using wired technology

        Ecommerce Options

        Each of the following eCommerce options presents a different level of risk and benefit

        Using a PCI-DSS-compliant, UC-contracted third-party internet payment service provider to manage order and payment processing is the least risky option, but can be costly and provide less flexibility.

        • Merchant usually does not handle cardholder data so security concerns may be less
        • Merchant remains responsible for PCI-DSS compliance related to those parts of the card handling process with which it may be involved
        • Merchant usually needs to have knowledge of basic PCI-DSS
        • Merchant is charged a fixed and/or per-transaction fee for its services

        Using a third-party, vendor-supplied eCommerce application on department IT equipment using the campus network to process payments is a more risky option, but provides customization flexibility.

        • Application supplier is responsible for ensuring application is PCI-DSS compliant
        • Merchant unit may handle cardholder data so security concerns are greater
        • Merchant is responsible for ensuring equipment and processes are compliant with fairly extensive PCI-DSS requirements
        • Merchant purchases or licenses software from vendor, paying one-time and/or ongoing fees
        • Merchant needs to have a thorough understanding of applicable PCI-DSS and campus IT security requirements
        • Merchant may incur other costs for IT support provided by the campus and/or externally-contracted support services

        Using an in-house application to process customer orders and payment is the most risky option, but provides maximum customization flexibility.

        • Merchant must have an extensive, detailed knowledge of PCI-DSS and campus IT security requirements
        • Merchant must ensure equipment, software, and processes are compliant with extensive PCI-DSS requirements
        • Merchant must manage the significant risk of handling and, possibly, storing cardholder data
        • Merchant incurs costs for maintaining the system and for IT support provided by the campus and/or externally-contracted support services

        Vendor-Supplied Systems

        Important information to know:

        Point-of Sale System (POS)

        • Individuals must process transactions in compliance with PCI Data Security Standards (PCI-DSS)
        • Configure the system to not automatically store customer payment card data
        • Implement a robust firewall to protect the POS system from unauthorized access
        • System may not rely on the use of common or default passwords
        • Remove all unnecessary and insecure services from POS systems and databases
        • System updates must be delivered using a secure method
          • Vendor accesses POS system under secure settings only
        • Customer data may never be stored on a POS system
          • Merchant is responsible for payment of all mitigation costs and fines resulting from a data breach

        eCommerce software application. Things to consider in choosing the right application:

        • Frequency of, timeliness of, and security of the method used in the delivery and/or installation of patches
        • Timeliness of notification of vulnerabilities
        • Software upgrade policy

        Back to Top
      3. Establishing an Ecommerce Operation

        Follow these steps to operate as an eCommerce merchant:

        First, Understand the PCI-DSS and campus IT requirements

        Establishing and operating a unit-managed eCommerce operation is generally more complicated and costly than using a third-party hosting service

        Identify the optimal operational setup

        In-house maintained system using campus internet and open-source, vendor-supplied, or in-house developed software application

        Pros:
        • Customizable eCommerce solution
        • Transaction processing cost may be lower
        • UC-contracted internet payment gateway service available
        Cons:
        • PCI compliance validation costs are very high
        • Installing PCI-compliant hardware and software can be very costly
        • Maintenance costs, including staffing and consultants, can be very costly
        • Cardholder data may be processed or stored in the system, increasing the risk of unauthorized access.

        Third-party-hosted system

        Pros:
        • Utilizing a PCI-validated eCommerce partner’s software and hardware reduces implementation costs
        • Ongoing PCI security compliance validation costs are very low
        • Cardholder data handled and stored by third-party reducing risk of unauthorized access
        Cons:
        • Customization options may be limited and require close coordination with third-party host
        • Transaction processing costs may be higher than using an in-house hosted solution

        Refer to the Design the Payment Card Processing Internal Control Environment section for more information about the benefits and risks associated with different setup options.

        Contracting with a third-party web hosting service:

        The third-party web hosting service provider must contract with Authorize.net or Stripe.com for payment gateway services
        • Some web hosting sites already have contracts with Authorize.net or Stripe.com
        • Once the service provider enters into a Authroize.net or Stripe.com contract, contact the Campus Payment Card Coordinator to obtain integration authorization
        Formal approval of Campus Controller and Information and Technology Services is required to use a non-UC-contracted provider
        • For information about obtaining non-UC-contracted third-party web hosting services refer to the Procurement Services How To Buy Guide

        Back to Top
      4. Document Card Acceptance and Processing Standards

        ​A campus merchant must establish written card acceptance policies that cover the following:

        1. Cardholder signature: For card-present transactions, the signature on a sales draft must be matched to the authorized signature appearing on the card.
          • If the card is not signed, then a government-issued identification card should be used to validate the sales draft signature
        2. Cash advances will not be allowed under any circumstances.
        3. Convenience fee: A convenience fee will not be charged for the use of a payment card
        4. Customer option: A cardholder will be given the option to use a payment card for purchasing any good or service provided at the merchant location.
        5. Email or facsimile orders: A merchant cannot accept a payment card for an email or facsimile order.
        6. Exchange and return policy: The merchant must have a written, fair policy for exchange and returns and give proper credit or issue credit vouchers.
        7. Minimum purchase: A merchant will not establish minimum or maximum transaction purchase amounts.
        8. Privacy of account information: Cardholder account information in any form obtained through a payment card transaction will not be sold or provided to, purchased from, or exchanged with any third party.
        9. Privacy of cardholder information: Cardholder personal information on a payment card draft/ticket, such as telephone number, social security number, or driver’s license number will not be recorded.
        10. Surcharge: A surcharge will not be assessed on any payment card transaction.
        11. Chargebacks: A merchant must have a written procedure for taking corrective action on all chargebacks.
          • Rebuttals must be completed within the number of days allowed on the chargeback notification.
        12. Record Retention. Original sales drafts and all supporting documentation will be retained for at least 30 days.
          • Copies of sales drafts must be retained for at least 7 years.
        13. Optional requirements: Identify sales requirements established at the option of the merchant, such as requiring the cardholder to provide additional identification information​

        Back to Top
      5. Assign Employees to Card Transaction Processing and Accounting Roles

        ​Each payment card merchant operation must assign a qualified staff member, ideally a different one, to each of the following roles:

        1. Transaction processor
          • This role cannot be combined with any other roles
        2. Returns, adjustments and chargebacks reviewer and approver
        3. Receipts depositing and accounting
          • This role cannot have transaction processing, or adjustment and chargeback approval authority responsibilities
        4. Ledger transaction reviewer and statement reconciler
        5. PCI-DSS compliance specialist

        Refer to the Separation of Duties Guide for Additional guidance.

        Merchants engaged in eCommerce, must assign a staff member to the following role:

        PCI-DSS security coordinator

        1. Qualifications
          • Thorough knowledge of PCI-DSS and, at least, a working knowledge of campus IT security requirements
        2. Responsibilities
          • Ensure full compliance with PCI-DSS, UC and UCSC information technology requirements
          • Implement required PCI-DSS and campus IT security standards in collaboration with qualified external support providers
          • Prepare and timely submit annual Self-Assessment Questionnaires (SAQ)
          • In collaboration with the department head, ensure that all security weaknesses are timely and effectively remedied
          • Serve as liaison with information technology audit and compliance service providers
          • Serve as a representative on the Campus Merchant PCI Security Workgroup​

        Back to Top
      6. Submit an Application for Authorization to Operate as a Payment Card Merchant

        ​Follow these steps:

        1. Complete the UCSC PCI Merchant Application
        2. Department head and business manager reviews the application, including the operating and other compliance requirements, and both certify agreement on the application to comply with all requirements
        3. Submit the application to the Campus Payment Card Coordinator, mailstop: Accounting Office
          • The application will be reviewed by the Campus Controller and the Campus Payment Card Coordinator.
          • The department head will be notified of the determination. If authorized to operate as a merchant, the Payment Card Coordinator will contact to assist in coordinating the payment card operation.

        Back to Top
      7. Comply with Ongoing Operating Requirements

        Assess system security and cardholder data security practices annually:

        Review and update standards and policies as needed to comply with current regulatory, contractual and policy requirements

        • IT usage
        • Employee information security
        • Network map

        Work with the Payment Card Coordinator annually to

        • Complete a PCI-DSS Self-Assessment Questionnaire (SAQ)
        • Complete and submit attestation of compliance with PCI-DSS. Refer to Appendix 6
        • Plan and implement any needed security improvements

        PCI-DSS Self-Assessment Questionnaire

        Merchants transmitting cardholder data through the campus network are required to complete a facilitated Self-Assessment Questionnaire (SAQ) administered by a Qualified Security Assessor (QSA).

        The SAQ must be completed annually or when a merchant changes processing methods

        The QSA is usually a UC-contracted firm

        It requires assessing the following areas of a merchant’s operation

        • Scoping the Cardholder Data Environment
          • PCI DSS security requirements apply to all of the people, processes and technologies that are involved in storing, processing, or transmitting cardholder data or sensitive authentication data.
          • “Technologies” include network devices, servers, computing devices, and applications.
        • Assessing each key control for adequacy and PCI-DSS compliance, and identifying risks or “gaps” requiring mitigation action.
          • Computer system, network, or web applications containing cardholder information vulnerable to attack by unauthorized parties
          • Weaknesses in payment card processing, internal controls, policies possibly exposing cardholder data to unauthorized parties
        • Reviewing evidence validating the assessment

        The QSA provides the following services to the merchant:

        • Guidance completing the SAQ
        • A “gap report” to the merchant identifying security improvement recommendations
        • Compilation and submission of records substantiating remediation actions
        • As applicable to the merchant, submission of compliance reports to the acquiring bank and card brands

        Back to Top
      8. Where to Get Help

        Contact the Campus Payment Card Coordinator for assistance with the following:

        1. Payment card handling
        2. Merchant banking services
        3. General eCommerce related questions
        4. PCI-DSS SAQ related questions
        5. Merchant processing environment
          • Additional resource: Bank of America Merchant Services at 1-855-833-3614

        For technical IT-related service help/requests open a ticket at the ITS Support Center.

        For PCI-DSS Qualified Security Assessor QSA support, Contact the Campus Payment Card Coordinator for references to QSA consultants.


        Back to Top
      9. Glossary of Terms and Acronyms

        Here is a list of common terms and acronyms associated with operating payment card merchant and eCommerce operations:

        American Express card – a charge card issued by American Express directly to the cardholder.

        Bank card – a Visa or MasterCard charge card issued by a bank that is a member of the Visa or MasterCard Association.

        Card processor – a bank that processes credit card transactions on behalf of a merchant. UCSC merchants use the card processor selected by the University.

        Cardholder data - any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. Cardholder data environment (CDE) is an area of the computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission.

        CDE Diagram – Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network.

        Credit card – Bank, American Express, or Discover card.

        Cryptographic key – A cryptographic key is a string of bits used by a cryptographic algorithm to transform plain text into cipher text or vice versa.

        Debit card - A card issued by a bank allowing the holder to transfer money electronically to another bank account when making a purchase.

        Discount fees – the fees paid by the UCSC merchant accepting a credit or debit card for payment. For Visa and MasterCard, the largest component of the discount fee is interchange, which is charged by the Visa or MasterCard Associations. Interchange rates are not negotiable, as they are determined by the Associations and are based on qualification requirements of each transaction. The bank that issues a credit card to an individual receives the interchange fees.

        Discover card – a charge card issued by Discover directly to the cardholder.

        Electronic check (e-check) – an electronic transfer of money from one bank account to another through the internet or other computer-based system.

        Electronic commerce (eCommerce) – business which is conducted electronically, such as on the Internet.

        eCommerce environment – the people, processes and technologies that operate together to store, process or transmit cardholder data or sensitive authentication data.

        EMV – acronym for Europay, MasterCard and Visa, a standard for chip-enabled payment cards and card-capable point of sale (POS) terminals and automated teller machines (ATMs).

        Fee, convenience – a fee charged to a customer for the convenience of paying via an automated payment channel. A UCSC credit card merchant may not assess a convenience fee.

        Fee, flat – a flat dollar amount charged to a customer, regardless of payment amount. A UCSC credit card merchant may not assess a flat fee or surcharge.

        Fee, variable rate – a fee that varies based on the amount paid. May be percentage based or tiered. A UCSC credit card merchant may not assess a variable rate fee.

        Harden the CDE – refers to the process of securing an information technology system by limiting access to those with a business need and reducing the number of unrelated services or functions provided by the system.

        Hashing – Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography.

        Key management – the management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys.

        Merchant – see payment card merchant

        Merchant bank – see card processor

        Network Diagram – Network diagrams describe how networks are configured, and identify the location of all network devices.

        Payment application – Anything that stores, processes, or transmits cardholder data electronically.

        Payment card – a credit, charge or debit card; also includes an electronic check.

        Payment Card Industry Data Security Standard (PCI–DSS) – set of requirements designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment.

        Payment card merchant – a UCSC department or program accepting payment cards, debit cards, and/or electronic checks through any payment channel, including an in-house- or externally-managed electronic commerce (“eCommerce”) operation.

        Payment channel – the way in which a payment is received. Mail (including drop boxes), in-person/over-the-counter, and telephone (interaction with a live person) are traditional payment channels. Interactive voice response (IVR), internet/web, and kiosk (web access provided on-site) are “convenient” automated payment channels.

        Payment gateway – a service provided by an eCommerce application service provider that authorizes a customer’s payment. This service is triggered when a customer clicks on the “buy” or “purchase” button on a payment portal webpage.

        Payment portal – a webpage where a customer begins the payment process. A payment portal webpage may be hosted by a department or by a third-party through a contract.

        Payment type – cash, paper check, Automated Clearing House (ACH) debit (sometimes referred to as electronic check), ATM debit card, or credit card.

        Truncation – Method of rendering the full PAN unreadable by permanently removing a segment of Primary Account Number (PAN) data.

        Qualified Security Assessor (QSA) – individual or firm certified by the PCI Security Standards Council to audit merchants for PCI-DSS compliance.

        Self-Assessment Questionnaire (SAQ) – a validation tool allowing a merchant to self-evaluate compliance with PCI-DSS, in situations where the merchant is not required to undergo an on-site data security assessment. The acquiring bank may require submission of the SAQ.

        Service provider - anything, including a software application that stores, processes, or transmits card data electronically. Examples include point of sale systems and website eCommerce shopping carts.

        Strong cryptography – Cryptography based on industry-tested and accepted algorithms, along with strong key lengths (minimum 112-bits of effective key strength) and proper key management.

        Surcharge – a fee charged to the cardholder for paying with a credit or debit card, whether charged separately or reflected in a higher price that is not charged to someone paying via another payment type such as cash or check. A UCSC payment card merchant may not assess a surcharge.


        Back to Top
      10. Policy References

        Back to Top
      There are no results.
      University of California Santa Cruz, 1156 High Street, Santa Cruz, Ca 95064
      © 2016 Regents of the University of California. All Rights Reserved.

      Site Feedback
      finaff-tech@ucsc.edu