Credit Card Acceptance
I want to start accepting credit cards. What do I do?
All potential merchants must complete the New Merchant Application and agree to comply with and sign the Merchant Contract. As it can take three to four weeks to receive a merchant ID and equipment, it is highly recommended that these documents be returned as soon as possible to Chelsea Smith-Antonides, Buchanan Hall, Room 208 or firstname.lastname@example.org. Please note that the merchant contract must be signed by the account sponsor for the department number listed on the application. All requests must be approved by the Compliance Administrator, and prospective merchants must schedule a training session before approval can be granted. To schedule training, please contact Chelsea Smith-Antonides at email@example.com.
Bursar Operations will provide one terminal for free (subject to change) that requires IP connectivity. Please call 325-HELP to request installation of a network port dedicated to the credit card terminal; the port must meet PCI Data Security Standard requirements. If you are interested in purchasing a terminal with mobile capability, the expense will be the merchant's responsibility.
If you opt to accept credit card transactions online, Bursar Operations offers a gateway solution provided by TouchNet. There is no charge for an ecommerce merchant who elects to utilize TouchNet as their payment gateway (subject to change). If you have another service provider in mind, it must be approved by Bursar Operations before an agreement is made or a contract is signed with the third-party service provider. The merchant will be responsible for all costs associated with a service provider that is not TouchNet. Please include the name of the service provider on the New Merchant Application. If you currently have a TouchNet Store and would like to add authorized users, please complete the TouchNet Access Form. Credit card transactions processed through TouchNet are subject to a 3% charge based on total monthly credit card volume.
If you require a mobile device to accept credit cards, the approved terminal is an FD400. It is $879.00 plus $19.95 per month (pricing subject to change). This terminal connects wirelessly using AT&T's GPRS or Sprint's CDMA network. The merchant will be responsible for all expenses incurred using a mobile device. If there is another mobile device that the merchant prefers to use, they must have the approval of Bursar Operations, and the device must fall under the University-approved Mobile Device Policy.
The merchant departmental account will be charged 3.0% of the total monthly credit card volume. Volume is calculated at the end of each month from the department's PeopleSoft reporting. The expense will appear on the departmental account at the beginning of each month for the previous month's activity.
Equipment expense: There is no charge for a merchant who chooses to use the FD200 terminal and FD35 PIN pad (subject to change). Bursar Operations will provide one terminal and one PIN pad. All expenses incurred for additional equipment will be the responsibility of the merchant. All expenses incurred for an Ethernet drop for the terminal will be the responsibility of the merchant, and pricing is determined by OU IT and Facilities Management.
Ecommerce expense: There is no charge for an ecommerce merchant who elects to utilize TouchNet as their payment gateway (subject to change). If a different service provider is chosen (subject to approval), the merchant is responsible for all expenses incurred. Credit card transactions processed through TouchNet are subject to a 3% charge based on total monthly credit card volume.
How do I Protect Sensitive Cardholder Data?
PCI Data Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card brands. The standards apply to all organizations that store, process, or transmit cardholder data. In operational terms, complying with PCI DSS means that you are doing your part to ensure that the payment card data of our students, parents, alumni, donors, and visitors is kept safe throughout every transaction at the University of Oklahoma. By ensuring a secure and compliant environment, they, and you, can have confidence that they are protected against the pain and cost of data breaches. All University of Oklahoma departments that accept, store, process, or transmit payment cards are required to be compliant with PCI DSS.
Self-Assessment Questionnaire (SAQ): The SAQ is a validation tool for eligible organizations that self-assess their PCI DSS compliance. An SAQ is required to be completed annually by the merchant. The University of Oklahoma utilizes a portal to aid in completing the SAQ annually. University merchants will be contacted with log-on information, instructions, and assistance when it is time to complete your department's SAQ.
- Identify and document the existence of all cardholder data (CHD) in your environment and the accessibility of CHD.
- Document CHD flows in a diagram to ensure that network segmentation and processes are in place to isolate your CHD environment.
- Truncate the Primary Account Number (PAN) on both merchant and customer copies, showing at most the first six and last four digits. Printouts should be truncated or masked.
- Set POS terminals to auto-settle to ensure that batches are settled nightly.
- Deploy anti-virus software on all systems commonly affected by viruses.
- Do not store sensitive authentication data after authorization, even if it is encrypted. This includes the full contents of a payment card's chip or magnetic stripe, the 3-4 digit verification code/value printed on the front or back of the payment card, and PINs or PIN blocks.
- You may not store payment card data in POS terminals or other unprotected endpoint devices such as:
  - Laptops, tablets, smart phones, or other portable devices
  - Removable media such as CDs, DVDs, and USB thumb drives
  - Home computers
- Do not leave paper and electronic media, computers, networking and communications physically unsecured.
- Cardholder data must not be transmitted in an insecure manner such as email, unsecured fax, instant message, chat, or campus mail.
- Permit only employees who have a legitimate business “need-to-know” access to cardholder information.
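The first and third items in the list above (finding every place cardholder data exists, and truncating the PAN wherever it is displayed or printed) are the two controls that lend themselves to a small tool. The following is an added example written for this page, not a tool provided by Bursar Operations or the PCI SSC. It scans text (a constructed, fictitious log is embedded inline) for digit runs of 13 to 19 digits that pass the Luhn check digit test, which every payment card PAN satisfies, and masks each hit to the first six and last four digits. The function names, the sample log lines, and the PAN lengths chosen are assumptions for the example; the test card numbers are the public, non-chargeable test values for Visa, Mastercard, and American Express.

```python
import re

# Digit runs of 13-19 digits, optionally separated by single spaces or
# hyphens, not adjacent to other digits. Runs longer than 19 digits are
# deliberately not matched (assumption: they are IDs, not PANs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data for this example; not a real log.
SAMPLE_LOG = """\
2024-03-02 10:14:07 order=10231 card=4111111111111111 exp=12/26 amount=49.99
2024-03-02 10:15:22 order=10232 card=5500 0000 0000 0004 amount=12.00
2024-03-02 10:16:01 order=10233 card=4111111111111112 amount=7.50
2024-03-02 10:17:44 contact=405-325-4357 ticket=0000123456789
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: doubles every second digit from the right,
    subtracts 9 from doubled values above 9, and requires a sum divisible by 10."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Length 13-19, passes Luhn, and is not a run of one repeated digit
    (all-zero strings pass Luhn but are never a real PAN)."""
    return 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS permits
    on a display or printout, and replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the PAN candidates in text (digits only) that pass the checks."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if looks_like_pan(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Replace each PAN in text with its masked form; leave other numbers alone."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if looks_like_pan(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("found PAN ending in", pan[-4:])
    print(redact(SAMPLE_LOG))
```

Run against the sample, the scanner reports the two real test PANs, ignores the number on the third line (its check digit is wrong) and the 13-digit ticket number on the fourth, and the redacted copy shows `411111******1111` and `550000******0004`. Luhn rejects roughly nine out of ten random digit runs, so a hit list still needs a person to confirm each item, and a scan like this across a department's file shares and mailboxes is what the "identify and document all cardholder data" step amounts to in practice.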
In the event of a breach or suspected breach of security, including the suspicion that credit/debit card information has been exposed or stolen, the merchant must immediately contact:
Please identify yourself as a Norman merchant with a PCI-related incident. This number is available 24/7.
Please refer to the University Incident Response Plan.
All merchants that accept payment cards as a form of payment are required to have the following:
- Signed merchant contract with Bursar Operations
- A policy that addresses information security for all personnel (Updated as needed and approved annually by department head)
- An incident response plan
- An inventory of all terminals and devices
- A list of employees who handle cardholder data in any way as well as a signed document that they have received and understand annual training within the department (Training performed annually and for new employees)
- A Network Diagram that shows the flow of cardholder data in the merchant’s environment.
- An annually completed Self-Assessment Questionnaire (SAQ)
- A written agreement with each third-party service provider used, in which the service provider acknowledges that it is responsible for the security of the cardholder data it possesses.
- Service Provider-Merchant PCI DSS Responsibility Matrix (see Important Documents below).