Payment Card Industry (PCI)
The University of Colorado has guidelines for data security compliance that are aimed at protecting not only our constituents, but also university units. As part of our use of Cvent, the Office of Information Security and Treasury has advised us on those guidelines for data security compliance. The merchant accounts that are currently available in Cvent will undergo an audit in August with our partner bank, Wells Fargo Merchant Services (WFMS), to ensure we meet the current Payment Card Industry Data Security Standard (PCI-DSS).
Help CU stay compliant
If you create event registration forms in Cvent that require credit card transactions, you must meet CU data security standards to ensure that we can continue to use secure merchant accounts in Cvent.
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
If you create event registration forms in Cvent that require credit card transactions, the following activities are NOT PCI compliant and could result in steep fines or, worse, the inability to use a merchant account with our partner bank, Wells Fargo Merchant Services (WFMS).
DISCONTINUE
Discontinue accepting credit card information over the phone, via mail and in-person (e.g., at an event) and entering it into a Cvent form on/via a CU-owned device (computer, laptop, phone, etc.).
We understand that this may present challenges in the way you meet your business needs. We are offering the following alternatives.
1) TAKE CASH OR CHECK
For those attendees who cannot register for an event using a personal device and who would have previously provided credit card information over the phone or via mail, encourage them to mail a check, or to bring cash (check with your unit finance representative about cash) or a check to the event.
IS THERE A COST?
There is no cost to your unit with this option.
2) PURCHASE (OR RENT) A CREDIT CARD TERMINAL
Obtain an individual merchant account that is owned by your unit AND purchase (or rent) a terminal ("swiper"). You will be able to accept call-in, mail-in and in-person credit card information using this terminal that is associated with your unit-owned merchant account.
IS THERE A COST?
Merchant accounts are FREE if associated with a terminal ("swiper"). You must have a merchant account AND a swiper to be compliant.
You have a few options for a credit card "swiper" terminal:
3) USE A TERMINAL AND SET UP A CVENT IMA
In addition to obtaining a merchant account and purchasing a swiper (see 2nd alternative above), you can also purchase a separate Internet Merchant Account (IMA) and set it up within Cvent.
- This option allows you to accept call-in, mail-in and walk-up transactions using the terminal (2nd option).
- The Cvent IMA allows for a smoother money process as all transactions will go straight to your IMA, instead of via the CU-shared IMA where the money eventually ends up in your speedtype via reconciliation and journal entries made by Treasury and Controller offices.
- The separate merchant account is specific to online transactions (e.g., for Cvent). This is required by Wells Fargo Merchant Services (WFMS). If you go with this option, you will have TWO merchant accounts: one for the terminal/swiper and the other for online transactions (via Cvent).
- All merchant account holders must work with their campus security teams on their annual compliance assessment.
IS THERE A COST?
4) SET UP DEDICATED COMPUTERS
NOTE: You must work with your campus information security team to determine if this is an option.
If you set up dedicated computer(s) within your unit that are ONLY used for processing credit card transactions (e.g., via Cvent forms) and that are approved by your campus security team:
- you need to purchase a separate merchant account (see option 3 above)
- you do not need to purchase a terminal ("swiper").
IS THERE A COST?
Yes. There is a cost - see option 3. You would be doing option 3 + option 4 in this scenario.
Q: What is a Merchant Account?
A: A bank account that enables the holder to accept credit cards for payment.
Q: Why can’t we enter credit card information into a Cvent form on a CU device?
A: The non-compliant component is that the credit card information is transmitted on a CU-owned device.
Check out the "Compliant Alternatives and Costs" tab for details on other options.
Q: Can I use the Cvent mobile app and Cvent swiper?
A: The Cvent mobile app and swiper solution is currently under review by our data security team. As it stands now, it is NOT approved to accept credit card transactions. However, your unit can use it for any purposes other than credit card transactions. We will alert CU eComm Cvent users when we know more. Learn more about Cvent's mobile app, OnArrival.
Q: How much does it cost to get a new merchant account?
A: It depends on which option works best for your unit. See the "Compliant Alternatives and Costs" tab for more information.
Q: If I obtain a merchant account for my unit, can I have all of my Cvent forms associated with that?
A: No. You would have to set up a separate merchant account that is specific to online transactions. The cost for a merchant account online gateway is $200 and $20 per month after that. There is an annual cost with Cvent of $750 for an integrated merchant account. One-time cost is $970. Annual cost is $750. See the "Compliant Alternatives and Costs" tab for more information.
Q: Can a “walk-up” attendee use their own phone to register and pay using their credit card?
A: Yes. As long as the transaction takes place on a NON-CU device, you are compliant.
Q: How do I ensure Cvent reflects the registration if we are using a swiper to accept credit card transactions for call-in, mail-in or in-person transactions?
A: Register as normal using Cvent, but mark the registration as “Offline.” Visit our How-Tos page for help on how to do this. You will do this IN ADDITION to using the credit card swiper.
Q: Is there a university policy that addresses PCI compliance?
A: Yes. Visit http://www.cu.edu/ope/aps/4056.
Q: What if my event is a University fundraising event and I am using the CU Foundation merchant account ("CUF Cvent")? Does this apply?
A: You do not need to obtain a merchant account or purchase a swiper for a fundraising event that has been approved to use the CUF merchant account. The CU Foundation can accept credit card and mail-in credit card information as they have a PCI compliant computer that is dedicated to this activity. Contact Matt Roush for more information.
Q: If I am conducting a fundraising event and using the CUF merchant account for registration payments, can I also use this same account for other event activities such as auctions or merchandise sales?
A: No, auction and/or merchandise sales will require the rental or purchase of a wireless terminal through the Treasurer’s Office. Revenues from these types of activities should be deposited to the University and to your event Speedtype.
Have more questions?
Send them to email@example.com and we'll post the answers here.
If you are a CU Cvent user, confirm that you are PCI compliant in your use of the CU Cvent "CU Events" merchant account.
- Complete this form even if you host free events.
- Complete this form even if you are not an authoritative event form "approver" in your unit.
- Failure to complete this form may result in Cvent access discontinuation.
Jennifer Hane | eComm
Contact Jennifer for more information about eComm or Cvent.
Brad Judy | Office of Information Security
Contact Brad for more information about PCI and data security.
Lexie Kelly | Treasury
Contact Lexie for more information about merchant accounts or if you would like to set one up for your unit.