Credit Card Merchant Accounts

Please contact Alexis.Kelly@cu.edu for more information.

There is a range of acceptable options for taking credit card payments:
- Point-of-sale devices
- E-commerce (online accounts)
- EMV-capable swipe card terminals
- Point-to-point encrypted (P2PE) devices
Process to open a merchant account to accept credit card payments

In order to accept payment cards in return for their goods or services, departments (merchants) must complete a Merchant Application and return it to the Office of the Treasurer. Currently, the University of Colorado accepts Visa, MasterCard, and Discover cards. In addition, American Express accounts tied to the master account can be requested.

Any department accepting payment cards on behalf of the University of Colorado for goods or services (a "Merchant Department") must designate an individual (staff or faculty member) within that department who has primary authority and responsibility for payment card transaction processing in that department.

After the merchant application has been received and reviewed, the following approvals are required:
1. The campus Controller (or their designee) must approve the unit's business need and its processes for accepting card payments. This usually entails a review of the department's procedures for processing payments and for reconciliation.
2. The campus Security Principal must approve the technical security of the computer systems, networks, websites, and terminals to be used for processing payments. The department must work with the campus Internal Security Assessor to complete a Self-Assessment Questionnaire (SAQ) before the account's "go live" date.

The primary contact for the merchant department must complete and pass the PCI DSS online course offered in the CU Skillsoft portal.

After all approvals have been received and reviewed, the Office of the Treasurer will request that a new merchant account be created with the acquiring bank, currently Wells Fargo. It usually takes 10 days for the merchant account to be established.

All CU merchants must complete the following requirements annually:
- Attend in-person PCI training
- Complete a Self-Assessment Questionnaire with the assistance of their campus information security team

Please contact Lexie at Alexis.Kelly@cu.edu, 303-837-2182, for more information.

Should our department request a Credit Card Merchant Account?

The following business practices should be in place BEFORE a unit decides whether to accept credit card payments. The sections below are a checklist of things to consider.

Things to Watch For to Reduce Credit Card Fraud

Why care about fraud? Fraud raises the cost of doing business for every card merchant and financial institution in the payment card system. The organizational unit is financially responsible for the costs associated with its merchant account, including fines passed down from the card brands for fraudulent activity.

Start by ensuring that all staff understand:
1. Your department's typical customer profile (e.g. students at the campus, a specific faculty group, the general public within Colorado, international customers).
2. Your department's typical market area (e.g. Denver, Boulder, Metro Denver, within Colorado, USA only, international).
3. With your market area, customer profile, and typical transaction defined, ask yourself the following questions about each transaction.

Fraud Flags
- Is it from the typical customer?
- Is it from an address in the defined market area?
- Is it a typical ticket size?
- Is it from a normal source (online, in person, by mail or telephone)?
- Is the order for a normal number of items or services and a normal amount?
- Is more than one card being used to make this purchase?
- Are multiple transactions being made with similar card numbers in sequence?
- Does the customer repeatedly come back to make additional purchases?
- Does the customer tell you she is having trouble with the card and give you a "special" authorization number to call?
- Does the card appear to be altered in any way? (Number not embossed, number worn, damaged hologram, no magnetic stripe on the back, altered signature panel, the terminal displays a different card number than is embossed on the card, etc.)
- Is there anything suspicious about the circumstances of this transaction?

4. That you should always obtain an authorization for the full amount at the time of purchase.
5. That a request for express or overnight shipping can be a sign of a fraudulent transaction.
6. To always ask: does the customer appear nervous or display unusual behavior?

Note that a "yes" answer to any one of these questions (a single red flag) does not necessarily indicate a fraudulent transaction. However, the more "yes" answers (red flags) there are, the higher the probability that the transaction is fraudulent.

7. Do NOT:
- Process the transaction if the authorization process returns a decline.
- Process the transaction if the information necessary to complete it is incomplete.
- Confront the customer, or attempt to detain or arrest the customer.
- Process your own transactions; good internal controls require that employees do not handle their own payment transactions.
- Allow volunteers or other non-university staff or students to process card transactions.

8. That there are fraud screening protections for online accounts; some are free and some are available for a small extra cost, including:
- Maximum or minimum purchase amount
- Number of transactions for a single customer within a defined time span
- Number of items or services purchased per session
- Number of simultaneous sessions from a particular IP address
- Address Verification Service (AVS), which compares the billing address submitted with the order to the billing address the card issuer has on file
- Card code verification, which validates the 3- or 4-digit security code printed on the card

Payment Card Processing Best Practices

1) Define your customers, market area, and typical transaction
Knowing to whom you provide your products and services, where you provide them, and what a typical transaction looks like is very important in reducing fraud. It also helps you define internal controls.

2) Require good internal controls
Require that payment processing happen with good internal controls. This means that the three tasks of processing the payment, balancing out the daily transactions, and balancing the books (PeopleSoft accounts) are distributed among at least two different people. If this is not possible, consult your campus controller or finance office for advice on how to implement sufficient internal controls so that opportunities for error and fraud are reduced as much as possible. In no case should an employee ever process their own card transaction (payment or refund).

3) Specify a security policy
Each merchant is required to have a security policy, whether you process card payments manually, over the phone, through your website, or use a third-party processor to handle everything. Your policy should cover at a minimum the following points:
- Perform an annual risk/threat assessment or review
- Specify standardized processing procedures that keep cardholder data secure
- Cover whether or not remote access/processing is allowed, under what circumstances, and how it will be secured
- Include an employee security awareness program (all employees receive security training upon hire and annually)
- Require employees to acknowledge at least annually that they have read, understood, and accept the security policies (we recommend keeping the acknowledgements in the personnel file)
- Screen employees who handle card payments (and other payments!)
- Address the use of third parties to handle or process cardholder data
- Include PCI DSS security language in all contracts with vendors, and monitor that each vendor has maintained PCI DSS compliance
- Implement an incident response plan

Security policy tips: NEVER store cardholder data in a spreadsheet, word-processing document, database, or other software. If you have a business need, approved by the Office of the Treasurer, to write down card numbers until you receive the bank's authorization approval, design your forms with the cardholder information and signature line in a box at the bottom of the form. When processing the transaction, write the last four digits of the card number and the authorization number on the upper part of the form, then separate the bottom portion containing the cardholder information and cross-shred it.

4) Specify a refund policy
Your customers need to know your refund policy, and they must be told what it is. This will minimize misunderstandings and problems down the road. You can have a "No Refunds" policy.
- Your refund policy must be disclosed to your customers: via signs in your physical location if you process card-present transactions, on your website, or in your mailing materials.
- Refunds must be processed against the original card presented for payment and for the full amount of the original purchase; they cannot be paid by check unless the window for a card refund has passed.
- Refunds should be approved by a supervisor, and this approval should be documented along with the refund documentation.

5) Specify a privacy policy for your web page
- Any information that you collect online to facilitate payments must be disclosed in your website's privacy policy/statement.
- Tell your customers what data you collect, why you collect it, how you will use it, and when you will delete it from your records.
- Modify the CU Privacy Policy to fit your actual data collection and use.

6) Establish and maintain a records retention and destruction policy
Most departments should have a records retention and destruction policy. If your department does not, it is important to have one and to follow it for any records that might contain cardholder information, particularly the "destruction" part. The State Archivist and the CU Office of University Controller (System) have established normal record retention timeframes for particular documents, and your policy should follow those timeframes. In addition, the payment card associations have record retention timeframes pertaining specifically to payment card transactions. The records retention policy for CU can be found here: https://www.cu.edu/ope/aps/2006

The advice of the Treasurer's office is to physically retain paper records for the minimum time necessary to document disputes and chargebacks. If a dispute or chargeback arises later, you can reconstruct the transaction from your receipt documentation or from the online ClientLine portal. It is extremely important to destroy records (by cross-shredding or another secure destruction technique) when their retention time is up.

7) Keep Treasury apprised of staff and address changes

Here are some examples of best practices that will help your team protect cardholder data:
- Learn your department's merchant security policy, and make sure that you know how to apply the rules on the job.
- Do not browse the internet or check e-mail on a computer used for payment processing.
- Under no circumstances should credit/debit card information be obtained or transmitted via e-mail.
- No cardholder information may be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). This includes reports from hosted credit card processing vendors.
- Access to cardholder information must be limited to those individuals whose job requires it.
- Any paper documents that contain cardholder information (IF the business process is approved by the Office of the Treasurer) must be treated as confidential and must be cross-shredded immediately upon receiving authorization from the bank.
- Technology changes that affect payment card systems must be approved by the Office of the Treasurer and your campus information security team before they are implemented.
- Any new systems or software that process payment cards must be approved by the Office of the Treasurer and your campus information security team before they are purchased.
- Use and regularly update anti-virus software.
- Do not use vendor-supplied defaults for system passwords and other security parameters.

EMV-capable terminals across the campus departments can process contactless payments using Near Field Communication (NFC) technology. NFC lets Android Pay enabled smartphones communicate payment information when held near your NFC-enabled point-of-sale device.
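The fraud flags and screening protections described under "Things to Watch For to Reduce Credit Card Fraud" can be applied mechanically to order data before a transaction is released. The Python below is an added example written for this page, not code from the University of Colorado or its card processor. It scores a batch of card-not-present orders against the page's red flags: market area, ticket size, more than one card per purchase, express shipping, the AVS and card-code results returned by the processor, similar card numbers in sequence, per-customer transaction velocity, and sessions per IP address. The market area, ticket range, time window and thresholds are assumed values, the orders are constructed sample data, and the card field holds only the first six and last four digits, which is the truncated form a merchant may keep.

```python
"""Red-flag scoring for card-not-present orders, following the 'Things to
Watch For' section of this page. Added example; thresholds are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed merchant profile (hypothetical values chosen for illustration).
MARKET_AREA = {"CO"}                     # typical market area: within Colorado
TICKET_MIN, TICKET_MAX = 10.0, 500.0     # typical ticket size, USD
VELOCITY_WINDOW = timedelta(minutes=10)  # window for the velocity checks
MAX_TXNS_PER_CUSTOMER = 3                # per window, per customer
MAX_SESSIONS_PER_IP = 3                  # per window, per source IP
REVIEW_THRESHOLD = 2                     # flags needed to hold an order for review


@dataclass
class Txn:
    ts: datetime
    customer: str
    ip: str
    state: str
    amount: float
    card: str                  # first six + last four only ("400012******0019"); the full PAN is never kept
    cards_used: int = 1        # number of cards presented for one purchase
    express_shipping: bool = False
    avs_match: bool = True     # Address Verification Service result from the processor
    cvv_match: bool = True     # card code verification result from the processor


def similar_cards(a: str, b: str) -> bool:
    """'Similar card numbers in sequence': same issuer prefix (first six), different last four.
    Assumed definition; a shared prefix alone is only a flag, not proof."""
    return a != b and a[:6] == b[:6]


def score(txns: List[Txn]) -> List[Tuple[Txn, List[str]]]:
    """Return each transaction, in time order, with the list of red flags it raised."""
    recent: List[Txn] = []    # transactions still inside the sliding window
    results = []
    for t in sorted(txns, key=lambda x: x.ts):
        recent = [r for r in recent if t.ts - r.ts <= VELOCITY_WINDOW]
        flags = []
        if t.state not in MARKET_AREA:
            flags.append("outside market area")
        if not TICKET_MIN <= t.amount <= TICKET_MAX:
            flags.append("atypical ticket size")
        if t.cards_used > 1:
            flags.append("multiple cards for one purchase")
        if t.express_shipping:
            flags.append("express/overnight shipping")
        if not t.avs_match:
            flags.append("AVS mismatch")
        if not t.cvv_match:
            flags.append("card code mismatch")
        if any(similar_cards(t.card, r.card) for r in recent):
            flags.append("similar card numbers in sequence")
        if sum(r.customer == t.customer for r in recent) + 1 > MAX_TXNS_PER_CUSTOMER:
            flags.append("transaction velocity per customer")
        if sum(r.ip == t.ip for r in recent) + 1 > MAX_SESSIONS_PER_IP:
            flags.append("simultaneous sessions from one IP")
        results.append((t, flags))
        recent.append(t)
    return results


def needs_review(flags: List[str]) -> bool:
    """A single flag is not proof of fraud; hold for manual review at REVIEW_THRESHOLD or more."""
    return len(flags) >= REVIEW_THRESHOLD


# Constructed sample orders (not real data): one normal order, a card-testing
# burst from one IP with sequential card numbers and failing card codes, and
# a large out-of-state order with express shipping and an AVS mismatch.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    Txn(T0, "cust-a", "10.0.0.5", "CO", 45.00, "411111******1111"),
    Txn(T0 + timedelta(minutes=1), "cust-b", "198.51.100.7", "CO", 5.00, "400012******0001"),
    Txn(T0 + timedelta(minutes=2), "cust-b", "198.51.100.7", "CO", 5.00, "400012******0019", cvv_match=False),
    Txn(T0 + timedelta(minutes=3), "cust-b", "198.51.100.7", "CO", 5.00, "400012******0027", cvv_match=False),
    Txn(T0 + timedelta(minutes=4), "cust-b", "198.51.100.7", "CO", 5.00, "400012******0035", cvv_match=False),
    Txn(T0 + timedelta(hours=1), "cust-c", "203.0.113.9", "NY", 1200.00, "555555******4444",
        express_shipping=True, avs_match=False),
]

if __name__ == "__main__":
    for t, flags in score(SAMPLE):
        verdict = "REVIEW" if needs_review(flags) else "ok"
        print(f"{t.ts:%H:%M} {t.customer:7} {t.card} ${t.amount:8.2f} {verdict:6} {flags}")
```

Run as a script it lists each order with its flags; the first probe of the card-testing burst raises only the small-ticket flag, while the later probes accumulate the card-code, similar-number and velocity flags, which is exactly the "more red flags, higher probability" reasoning from the page. Tune the assumed profile to your own customer base and market area before relying on it.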
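The rules above prohibit storing cardholder data in spreadsheets, documents, e-mail or on any device, and a practitioner wants a way to verify that on the systems a merchant department actually uses. The following scanner for stored primary account numbers (PANs) is an added example written for this page, not the University's or the Office of the Treasurer's code. It finds runs of 13 to 19 digits (with optional spaces or dashes), drops anything that fails the Luhn check, keeps only numbers whose prefix and length match the brands the page says CU accepts (Visa, MasterCard, Discover, American Express), and reports findings masked to the first six and last four digits so the report itself does not become stored cardholder data. The sample lines are constructed and the card numbers in them are the standard industry test numbers.

```python
"""Scanner for stored primary account numbers (PANs) in text such as exported
spreadsheets, mail folders or log files. Added example for this page; the
sample lines below are constructed, not real data."""
import re
from typing import List, Optional, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every genuine card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> Optional[str]:
    """Brand by prefix and length, limited to the brands the page says CU accepts."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "MasterCard"
    if n == 15 and pan[:2] in ("34", "37"):
        return "American Express"
    if n in (16, 19) and (pan.startswith(("6011", "65")) or 644 <= int(pan[:3]) <= 649):
        return "Discover"
    return None


def mask(pan: str) -> str:
    """First six and last four only: the truncated form that may appear in a report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, brand, masked PAN) for every likely card number found."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue                    # order IDs, phone numbers etc. almost always fail here
            brand = card_brand(digits)
            if brand is not None:
                findings.append((no, brand, mask(digits)))
    return findings


# Constructed sample lines mimicking a departmental spreadsheet export and a mailbox dump.
SAMPLE_LINES = [
    "2024-03-01,order 1234567890123456,Jane Doe,45.00,PAID",        # 16-digit order id, fails Luhn
    "customer called; card 4111 1111 1111 1111 exp 12/26 cvv 123",  # full PAN plus card code: must never be stored
    "contact: 303-837-2182, amex 3782-822463-10005 on file",         # 15-digit Amex PAN with separators
    "refund to ****4444 approved by supervisor",                     # properly truncated, not reported
    "mastercard 5555555555554444; discover 6011111111111117",       # two PANs on one line
]

if __name__ == "__main__":
    for no, brand, masked in find_pans(SAMPLE_LINES):
        print(f"line {no}: {brand} {masked}")
```

Two caveats before using this in anger: roughly one random digit run in ten passes the Luhn check, so the brand filter and a human look at each hit are still needed, and a PAN adjacent to other digits (an account number glued to a date, for instance) can be missed because the pattern refuses to split a longer digit run. Run the scan only on systems the Office of the Treasurer and your campus information security team have approved, and treat its output as confidential: it points at exactly the files that must be cross-shredded or securely wiped.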
Equipment Security Measures