There is a range of acceptable options to take credit card payments:

  • Point of Sale Devices
  • E-Commerce (online accounts)
  • EMV capable swipe card terminals
  • Point to Point Encrypted devices (P2PE)

Credit Card Merchant Accounts

Please contact Alexis.Kelly@cu.edu for more information.

Process to open a merchant account to accept credit card payments

In order to accept payment cards in return for their goods/services, departments (merchants) must complete a Merchant Application and return it to the Office of the Treasurer. Currently, the University of Colorado accepts VISA, MasterCard, and Discover cards. In addition, American Express accounts tied to the master account can be requested. 

Any department accepting payment cards on behalf of the University of Colorado for goods or services (“Merchant Department”) must designate an individual (staff or faculty member) within that department who will have primary authority and responsibility for the payment card transaction processing within that department.

After the merchant application has been received and reviewed, the following approvals are required:

1. The campus Controller (or their designee) must approve the unit’s business need and processes for accepting card payments. This usually entails a review of the department’s business procedures for processing payments, and reconciliation procedures.

2. The campus Security Principal must also approve the technical security of the computer systems, networks, websites, and terminals to be used for processing payments.

The department must work with the campus Internal Security Assessor to complete a Self-Assessment Questionnaire (SAQ) in advance of the account “go live” date.

The primary contact for the merchant department must complete and pass a PCI-DSS online course offered within the CU Skillsoft portal.

After all approvals have been received and reviewed, the Office of the Treasurer will request that a new merchant account be created with the acquiring bank, currently Wells Fargo. It usually takes 10 days for the merchant account to be established.

All CU merchants must annually complete the following requirements:

  • Attend in-person PCI training
  • Complete a Self-Assessment Questionnaire with the assistance of their campus information security team

Please contact Lexie at Alexis.Kelly@cu.edu, 303-837-2182, for more information.


credit-card-flowchart.pdf

Should our department request a Credit Card Merchant Account?

The following business practices should be in place BEFORE a unit decides whether to accept credit card payments.

Below is a checklist of things to consider:

  • Is the department currently employing good business practices for handling non-credit card payments?
  • Do cash / deposit handling procedures conform to the campus’s cash control policies and procedures?
  • Are transactions, cash/deposit handling, and reconciliation duties performed with proper segregation of duties? If not, what supervisory controls are in place to ensure proper oversight?
  • Are refund transactions properly controlled?
  • Are refunds approved by a supervisor before funds are returned to the payee?
  • Are refund transactions properly documented and accounted for?
  • Does staff understand the necessary accounting flows for transactions, and are they properly posted?
  • Are daily detailed financial statements and reports reconciled timely?
  • Does the unit have the financial resources to reconcile deposits daily?
  • Are the unit’s Speedtypes managed in a fiscally sound manner?
  • Are document retention and destruction policies in place and followed?
  • Are documents securely destroyed when their retention time is completed?
  • Does the unit have paper shredding capability for record destruction for paper containing cardholder information? Cross-shredding or secure data destruction services are required.
  • Does the unit understand the Treasury policy that requires only paid University staff (not volunteers) process all payments, including credit card transactions? (Paid student staff qualify.)
  • Does the unit understand that it is prohibited from storing cardholder data in any electronic form whatsoever?
  • Does the unit understand that they must respond to and report any incident that involves cardholder data?
  • Does the unit have a training program for new staff, or staff accepting new payment processing responsibilities that include card payments?
  • Does the unit have the IT staff and security knowledge to create and maintain a secure online payment website, if applicable?
  • Has the unit consulted with their campus IT security team regarding their security obligations for processing credit card payments?
  • Will the unit respond to chargebacks and disputes in a timely manner (within 14 days of notification of the dispute)?
  • Does the unit understand that the primary contact for the merchant account and the fiscal principal are responsible for attending yearly in-person PCI training in addition to completing all other yearly PCI compliance requirements?

Fraud Flags

Things to Watch For to Reduce Credit Card Fraud

Why care about fraud? Fraud raises the cost of doing business for all card merchants and financial institutions in the payment card system. The organizational unit is financially responsible for the costs associated with the merchant account, including fines passed down from the card brands for fraudulent activity. 

Start by ensuring that all staff understand:

1. Your department’s typical customer profile (e.g. students at the campus, a specific faculty group, the general public within Colorado, international)

2. Your department’s typical market area (e.g. Denver, Boulder, Metro Denver, within Colorado, USA only, international)

3. With your market area, customer profile, and typical transaction defined, ask yourself the following questions about each transaction:

  • Is it from the typical customer?
  • Is it from an address in the defined market area?
  • Is it a typical ticket size?
  • Is it from a normal source (online, in-person, via mail or telephone)?
  • Is the order for a normal number of items / services / amount?
  • Is more than one card being used to make this purchase?
  • Are multiple transactions being made with similar card numbers in a sequence?

4. That you should always obtain an authorization for the full amount at the time of purchase.

5. That if express or overnight shipping is requested, it could be a fraudulent transaction.

6. Always ask yourself:

  • Does the customer appear nervous or display unusual behavior?
  • Does the customer repeatedly come back to make additional purchases?
  • Does the customer tell you she is having trouble with the card and give you a "special" authorization number to call?
  • Does the card appear to be altered in any way? (Number not embossed, number worn, damaged hologram, no magnetic stripe on the back, altered signature panel, the terminal displays a different card number than is embossed on the card, etc.)
  • Is there anything suspicious about the circumstances of this transaction?

Note that a "yes" answer to any one of these questions (that is, a single red flag) does not necessarily indicate a fraudulent transaction. However, the more yes answers / red flags, the higher the probability that the transaction is fraudulent.

7. Do NOT:

  • Process the transaction if the authorization process returns a decline.
  • Process the transaction if the information necessary to complete the transaction is incomplete.
  • Disturb the customer, or attempt to make an arrest or assault the customer.
  • Process your own transactions; good internal controls require that employees do not handle their own payment transactions.
  • Allow volunteers or other non-university staff or students to process card transactions.

8. Understand that there are fraud screening protections for online accounts; some are free and some are available for a minimal extra cost, including:

  • Maximum or minimum amount of purchase
  • Number of transactions for a single customer within a defined time span
  • Number of items/services purchased per session
  • Number of simultaneous sessions from particular IP addresses
  • Address verification service, which compares the address submitted on the order to the cardholder’s billing address
  • Enhanced card code verification to validate the cardholder’s 3- or 4-digit security code
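As an added example (not part of the original Treasury page), the following Python script applies the screening protections listed above, together with the per-transaction red flags from the list earlier in this section (multiple cards in one purchase, similar card numbers in sequence, unusual ticket size), to a constructed batch of online transactions. The thresholds, field names and sample records are assumptions chosen for illustration, not CU or processor settings; the sample records carry only the first six and last four digits of each card number, never a full card number.

```python
"""Rule-based fraud screening over a batch of online card transactions.

Example code written to illustrate the screening protections and transaction
red flags described on the page; thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds: assumed values for the example, not CU or processor settings.
MIN_AMOUNT = 5.00
MAX_AMOUNT = 500.00
MAX_TX_PER_CUSTOMER = 3           # transactions per customer within VELOCITY_WINDOW
MAX_SESSIONS_PER_IP = 2           # distinct sessions per source IP within VELOCITY_WINDOW
VELOCITY_WINDOW = timedelta(minutes=10)


@dataclass
class Transaction:
    tx_id: str
    when: datetime
    customer_id: str
    session_id: str
    ip: str
    amount: float
    card_bin: str      # first six digits of the card number (no full PAN is kept)
    card_last4: str    # last four digits of the card number
    avs_match: bool    # address verification result reported by the processor
    cvv_match: bool    # card security code result reported by the processor


def screen(transactions):
    """Return {tx_id: [flag, ...]} for each transaction, oldest first.

    A single flag is not proof of fraud; the more flags a transaction
    accumulates, the more it deserves manual review before fulfilment.
    """
    txs = sorted(transactions, key=lambda t: t.when)
    flags = {t.tx_id: [] for t in txs}
    for i, t in enumerate(txs):
        f = flags[t.tx_id]
        if not MIN_AMOUNT <= t.amount <= MAX_AMOUNT:
            f.append("amount_out_of_range")
        if not t.avs_match:
            f.append("avs_mismatch")
        if not t.cvv_match:
            f.append("cvv_mismatch")
        # Earlier transactions that fall inside the velocity window.
        recent = [u for u in txs[:i] if t.when - u.when <= VELOCITY_WINDOW]
        same_customer = sum(1 for u in recent if u.customer_id == t.customer_id)
        if same_customer + 1 > MAX_TX_PER_CUSTOMER:
            f.append("customer_velocity")
        sessions_from_ip = {u.session_id for u in recent if u.ip == t.ip}
        sessions_from_ip.add(t.session_id)
        if len(sessions_from_ip) > MAX_SESSIONS_PER_IP:
            f.append("ip_session_velocity")
        cards_in_session = {(u.card_bin, u.card_last4)
                            for u in recent if u.session_id == t.session_id}
        cards_in_session.add((t.card_bin, t.card_last4))
        if len(cards_in_session) > 1:
            f.append("multiple_cards_one_session")
        # Same BIN with last-four digits one apart: the "similar card numbers
        # in a sequence" pattern from the red-flag list.
        if any(u.card_bin == t.card_bin
               and abs(int(u.card_last4) - int(t.card_last4)) == 1
               for u in recent):
            f.append("sequential_card_numbers")
    return flags


def review_queue(transactions):
    """Ids of flagged transactions, most flags first (ties keep time order)."""
    flags = screen(transactions)
    return [tx for tx, fl in sorted(flags.items(), key=lambda kv: -len(kv[1])) if fl]


# Constructed sample batch: one ordinary order, a burst from "cust-b" that
# trips several rules, an unrelated session from the same IP, and a later
# order from cust-b that falls outside the velocity window.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    Transaction("t1", T0,                         "cust-a", "s1", "10.0.0.1",   45.00, "400000", "1111", True,  True),
    Transaction("t2", T0 + timedelta(minutes=1),  "cust-b", "s2", "10.0.0.2", 1200.00, "400000", "2222", True,  True),
    Transaction("t3", T0 + timedelta(minutes=2),  "cust-b", "s2", "10.0.0.2",   45.00, "400000", "2223", False, True),
    Transaction("t4", T0 + timedelta(minutes=3),  "cust-b", "s2", "10.0.0.2",   45.00, "400000", "2224", False, False),
    Transaction("t5", T0 + timedelta(minutes=4),  "cust-b", "s3", "10.0.0.2",   45.00, "400000", "2225", True,  True),
    Transaction("t6", T0 + timedelta(minutes=5),  "cust-c", "s4", "10.0.0.2",   45.00, "555555", "9999", True,  True),
    Transaction("t7", T0 + timedelta(minutes=40), "cust-b", "s5", "10.0.0.2",   45.00, "400000", "2226", True,  True),
]

if __name__ == "__main__":
    for tx_id, fl in screen(SAMPLE).items():
        print(f"{tx_id}: {len(fl)} flag(s) {fl}")
    print("review first:", review_queue(SAMPLE))
```

Running the script lists each transaction with its flags and then the order in which a reviewer should look at them. In the sample, t4 collects four flags (address and code mismatches, a third card in one session, a card number in sequence with the previous one) while t7, the same customer forty minutes later, collects none because the velocity window has closed; that matches the page's point that one red flag is only a prompt to look closer, while several together are what should stop fulfilment pending review.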

Payment Card Processing Best Practices

1) Define your Customers, Market Area, and Typical Transaction

Knowing to whom you provide your products and services, where you provide them, and what a typical transaction looks like is very important in reducing fraud. It also assists you in defining internal controls.

2) Require Good Internal Controls

Require that payment processing happen with good internal controls. This means that the three tasks of processing the payment, balancing out the daily transactions, and balancing the books (PeopleSoft accounts) be distributed between at least two different people. If this is not possible, please consult with your campus controller or finance office for advice on how to implement sufficient internal controls to ensure that opportunities for error and fraud are reduced as much as possible. In no case should an employee ever process their own card transaction (payment or refund).

3) Specify a Security Policy

Each merchant is required to have a security policy, whether you process card payments manually, over the phone, through your web site, or use a third party processor to handle everything. Your policy should cover at a minimum the following points:

  • Perform an annual risk / threat assessment or review
  • Specify standardized processing procedures that keep cardholder data secure
  • Cover whether or not remote access / processing is allowed, under what circumstances, and how it will be secured
  • Include an employee security awareness program (all employees have security training upon hire and annually)
  • Require employees to acknowledge at least annually that they have read, understood, and accept the security policies (we recommend keeping acknowledgements in the personnel file)
  • Screen employees handling card payments (and other payments!)
  • Address use of third parties to handle / process cardholder data
  • Include PCI-DSS security language in all contracts with vendors; monitor that each vendor has maintained PCI-DSS compliance
  • Implement an incident response plan

Security Policy Tips:

NEVER store cardholder data in spreadsheets, word processing documents, databases, or other software.

If you have a business need approved by the Office of the Treasurer to write down credit card numbers until you receive the bank authorization approval, design forms with the cardholder information / signature line in a box at the bottom of the form. When processing the transaction, write the last four digits of the card number and the authorization number on the upper part of the form, then separate and cross-shred the cardholder information from the bottom of the form.

4) Specify a Refund Policy

Your customers need to know your Refund Policy, and they must be told what it is. This will minimize misunderstanding and problems down the road.

  • You can have a "No Refunds" policy.
  • Your refund policy must be disclosed to your customers, via signs in your physical location if you process card-present transactions, on your web site, or in your mailing materials.
  • Refunds must be processed against the original card presented for payment and for the full amount of the original purchase; they cannot be paid by check, unless the window for a credit card refund has passed.
  • Refunds should be approved by a supervisor, and this approval should be documented along with the refund documentation.

5) Specify a Privacy Policy for Your Web Page

Any information that you collect online to facilitate payments must be disclosed in your web site privacy policy / statement.

  • Modify the CU Privacy Policy to fit your actual data collection and use.
  • Tell your customers what data you collect, why you collect it, how you will use it, and when you will delete it from your records.

6) Establish and Maintain a Records Retention and Destruction Policy

Most departments should have a Records Retention and Destruction Policy. If your department does not, it is important to have one and follow it for any records that might contain cardholder information, particularly the "Destruction" part. The State Archivist and the CU Office of University Controller (System) have established normal record retention timeframes for particular documents and your policy should follow those timeframes. In addition, the Payment Card Associations also have record retention timeframes pertaining specifically to payment card transactions. The records retention policy for CU can be found here: https://www.cu.edu/ope/aps/2006

The advice of the Treasurer’s office is to physically retain paper records for the minimum time necessary to document disputes and chargebacks. If a dispute or chargeback arises later, you can reconstruct the transaction from your receipt documentation or from the online ClientLine portal.

It is extremely important to destroy records (by cross-shredding or other secure destruction technique) when their retention time is up.

7) Keep Treasury apprised of staff and address changes

Here are some examples of best practices that will help your team to protect cardholder data:

  • Learn your department’s merchant security policy, and make sure that you know how to apply the rules on the job.
  • Do not browse the internet or check e-mail on a computer used for payment processing.
  • Under no circumstances should credit/debit card information be obtained or transmitted via email.
  • No cardholder information is allowed to be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). This includes reports from hosted credit card processing vendors.
  • Access to cardholder information must be limited to those individuals whose job requires access.
  • Any paper documents that contain cardholder information (IF the business process is approved by the Office of the Treasurer) must be treated as confidential and must be cross-shredded immediately upon receiving authorization from the bank.
  • Technology changes that affect payment card systems are required to be approved by the Office of the Treasurer and your campus information security team prior to being implemented.
  • Any new systems/software that process payment cards are required to be approved by the Office of the Treasurer and your campus information security team prior to being purchased.
  • Use and regularly update anti-virus software.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Equipment Security Measures

  • Look for false scanners attached to devices. Scanners can be placed over the card reader and look very similar to the original device. Look and feel for any parts that come loose easily.
  • Keep an inventory of all devices used for payments, noting their serial numbers, makes, models, and any other identifying information.
  • Routinely check the serial number and other characteristics of your devices to be sure that you are using the right one. An approved device could easily be switched for a false one, so it is important to be vigilant.
  • Apply tamper-evident security tape over any parts of a device that can be opened. Even if the terminal can’t be opened, security tape helps you recognize your terminals and create awareness of the devices.
  • Keep swipe card terminals in a secure area that unauthorized people cannot access.

EMV capable terminals across the campus departments can process contactless payments using Near Field Communication (NFC) technology. Near Field Communication (NFC) technology lets Android Pay enabled smartphones communicate payment information when held near your NFC-enabled point-of-sale device.