Merchant Services

In order to accept payment cards in return for their goods/services, departments (merchants) must complete a Merchant Application and return it to the Office of the Treasurer. Currently, the University of Colorado accepts VISA, MasterCard, and Discover cards. In addition, American Express accounts tied to the master account can be requested. 

Any department accepting payment cards on behalf of the University of Colorado for goods or services (“Merchant Department”) must designate an individual (staff or faculty member) within that department who will have primary authority and responsibility for the payment card transaction processing within that department.

After the merchant application has been received and reviewed, the following approvals are required:

1. The campus Controller (or their designee) must approve the unit’s business need and processes for accepting card payments. This usually entails a review of the department’s business procedures for processing payments, and reconciliation procedures.

2. The campus Security Principal must also approve the technical security of the computer systems, networks, websites, and terminals to be used for processing payments.

The department must work with the campus Internal Security Assessor to complete a Self-Assessment Questionnaire (SAQ) in advance of the account “go live” date.

The primary contact for the merchant department must complete and pass a PCI-DSS online course offered within the CU Skillsoft portal.

After all approvals have been received and reviewed, the Office of the Treasurer will request that a new merchant account be created with the acquiring bank, currently Wells Fargo.  It usually takes 10 days for the merchant account to be established.

All CU merchants must annually complete the following requirements:

Attend in-person PCI training
Complete a Self-Assessment Questionnaire with the assistance of their campus information security team

 Please contact Alisha.Palas@cu.edu, 303-837-2135, for more information.

credit-card-flowchart.pdf

The following business practices should be in place BEFORE a unit decides whether to accept credit card payments.

Below is a checklist of things to consider:

• Is the department currently employing good business practices for handling non-credit card payments?
• Do cash / deposit handling procedures conform to the campus’s cash control policies and procedures?
• Are transactions, cash/deposit handling, and reconciliation duties performed with proper segregation of duties? If not, what supervisory controls are in place to ensure proper oversight?
• Are refund transactions properly controlled?
• Are refunds approved by a supervisory before funds are returned to the payee?
• Are refund transactions properly documented and accounted for?
• Does staff understand the necessary accounting flows for transactions, and are they properly posted?
• Are daily detailed financial statements and reports reconciled timely?
• Does the unit have the financial resources to reconcile deposits daily?
• Are the unit’s Speedtypes managed in a fiscally sound manner?
• Are document and retention and destruction policies in place and followed?
• Are documents securely destroyed when their retention time is completed?
• Does the unit have paper shredding capability for record destruction for paper containing cardholder information? Cross-shredding or secure data destruction services are required.
• Does the unit understand the Treasury policy that requires only paid University staff (not volunteers) process all payments, including credit card transactions? (Paid student staff qualify.)
• Does the unit understand that it is prohibited from storing cardholder data in any electronic form whatsoever?
• Does the unit understand that they must respond to and report any incident that involves cardholder data?
• Does the unit have a training program for new staff, or staff accepting new payment processing responsibilities that include card payments?
• Does the unit have the IT staff and security knowledge to create and maintain a secure online payment website, if applicable?
• Has the unit consulted with their campus IT security team regarding their security obligations for processing credit card payments?
• Will the unit be responsible timely to chargebacks and disputes, (within 14 days of notification of dispute)?
• Does the unit understand that the primary contact for the merchant account and the fiscal principal are responsible to attend yearly in-person PCI training in addition to completing all other yearly PCI compliance requirements?

Things to Watch For to Reduce Credit Card Fraud

Why care about fraud? Fraud raises the cost of doing business for all card merchants and financial institutions in the payment card system. The organizational unit is financially responsible for the costs associated with the merchant account, including fines passed down from the card brands for fraudulent activity. 

Start by ensuring that all staff understand:

1.   Your department’s typical customer profile (i.e. student at the campus, specific faculty group, general public within Colorado, International)

2. Your department’s typical market area (i.e. Denver, Boulder, Metro Denver, within Colorado, USA only, International)

3. With your market area, customer profile, and typical transaction defined, ask yourself the following questions about each transaction:

Is it from the typical customer?
Is it from an address in the defined market area? Is it a typical ticket size?
Is it from a normal source (online, in-person, via mail or telephone)?
Is the order for a normal number of items / services / amount? Is more than one card being used to make this purchase?
Are multiple transactions being made with similar card numbers in a sequence?

4.   That you should always obtain an authorization for the full amount at the time of purchase.

5.   That if express or overnight shipping is requested, it could be a fraudulent transaction.

6.   Always ask yourself:

Does the customer appear nervous or display unusual behavior?
Does the customer repeatedly come back to make additional purchases?
Does the customer tell you she is having trouble with the card and give you a "special" authorization number to call?
Does the card appear to be altered in any way? (Number not embossed, number worn, damaged hologram, no magnetic stripe on the back, altered signature panel, the terminal displays a different card number than is embossed on the card, etc.)
Is there anything suspicious about the circumstance of this transaction?

Note that a "yes" answer to any one of these questions (that is, a single red flag) does not necessarily indicate a fraudulent transaction. However, the more yes answers / red flags, the higher the probability that the transaction is fraudulent.

7. Do NOT:

Process the transaction if the authorization process returns a decline.
Process the transaction if all the information necessary to complete the transaction is incomplete
Disturb the customer or attempt to make an arrest or assault the customer
Process your own transactions – good internal controls require that employees do not handle their own payment transactions
Allow volunteers or other non-university staff or students to process card transactions.

8.      Understand that there are fraud screening protections for online accounts; some are free and some are available for a minimal extra cost, including:

Maximum or minimum amount of purchase
Number of transactions for a single customer within a defined time span
Number of items/services purchased per session
Number of simultaneous sessions from particular IP addresses
Address verification service which compares address submitted on the order to the address billing address
Enhanced card code verification to validate the cardholder 3 or 4 digit security code

1) Define your Customers, Market Area, and Typical Transaction

Knowing to whom you provide your products and services, where you provide them, and what a typical transaction looks like is very important in reducing fraud. It also assists you in defining internal controls.

2) Require Good Internal Controls

Require that payment processing happen with good internal controls. This means that the three tasks of processing the payment, balancing out the daily transactions, and balancing the books (PeopleSoft accounts) be distributed between at least two different people. If this is not possible, please consult with your campus controller or finance office for advice on how to implement sufficient internal controls to ensure that opportunities for error and fraud are reduced as much as possible. In no case should an employee ever process their own card transaction (payment or refund).

3) Specify a Security Policy

Each merchant is required to have a security policy, whether you process card payments manually, over the phone, through your web site, or use a third party processor to handle everything. You policy should cover at a minimum the following points:

Perform an annual risk / threat assessment or review
Specify standardized processing procedures that keep cardholder data secure​
Cover whether or not remote access / processing is allowed, under what circumstances, and how it will be secured
Include employee security awareness program (all employees have security training upon hire and annually)
Require employees to acknowledge at least annually that they have read, understood, and accept the security policies ( we recommend keeping acknowledgements in personnel file)
Screen employees handling card payments (and other payments!)
Address use of third parties to handle / process cardholder data
Include PCIDSS security language in all contracts with vendors; monitor that vendor has maintained PCIDSS compliance
Implement an incident response plan

Security Policy Tips:

NEVER store cardholder data in spreadsheet, word processing, database, or other software.

If you have a business need approved by the Office of the Treasurer to write down credit card numbers until you receive the bank authorization approval, design forms with cardholder information / signature line in box at bottom of the form. When processing the transaction, write the last four digits of the card number and the authorization number on the upper part of the form, then separate and cross shred the cardholder information from the bottom of the form. 

4) Specify a Refund Policy

Your customers need to know your Refund Policy, and they must be told what it is. This will minimize misunderstanding and problems down the road.

You can have a "No Refunds" policy.
Your refund policy must be disclosed to your customers, via signs in your physical location if you process card-present transactions, on your web site, or in your mailing materials
Refunds must be processed against the original card presented for payment and for the full amount of the original purchase; they cannot be paid in check, unless the window for credit card refund has passed.
Refunds should be approved by a supervisor, and this approval should be documented along with the refund documentation

5) Specify a Privacy Policy for Your Web Page

Any information that you collect online to facilitate payments must be disclosed in your web site privacy policy / statement

Modify the CU Privacy Policy to fit your actual data collection and use.
Tell your customers what data you collect, why you collect it, how you will use it, and when you will delete it from your records

6) Establish and Maintain a Records Retention and Destruction Policy

Most departments should have a Records Retention and Destruction Policy. If your department does not, it is important to have one and follow it for any records that might contain cardholder information– particularly the "Destruction" part. The State Archivist and the CU Office of University Controller (System) have established normal record retention timeframes for particular documents and your policy should follow those timeframes. In addition, the Payment Card Associations also have record retention timeframes pertaining specifically to payment card transactions. The records retention policy for CU can be found here: https://www.cu.edu/ope/aps/2006

The advice of the Treasurer’s office is to physically retain paper records for the minimum time necessary to document disputes and chargebacks. If a dispute or chargeback arises later, you can reconstruct the transaction from your receipt documentation or from the online ClientLine portal.

It is extremely important to destroy records (by cross-shredding or other secure destruction technique) when their retention time is up.

7) Keep Treasury apprised of staff and address changes

Here are some examples of best practices which will help your team to protect cardholder data:

Learn your department’s merchant security policy, and make sure that you know how to apply the rules on the job. 
Do not browse the internet or check e-mail on a computer used for payment processing.
Under no circumstances should credit/debit card information be obtained or transmitted via email.
No cardholder information is allowed to be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). This includes reports from hosted credit card processing vendors.
Access to cardholder information must be limited to those individuals whose job requires access.
Any paper documents that contain cardholder information (IF the business process is approved by the Office of the Treasurer), must be treated as confidential and must be cross-shredded immediately upon receiving authorization from the bank.
Technology changes that affect payment card systems are required to be approved by the Office of the Treasurer and your campus information security team prior to being implemented.
Any new systems/software that process payment cards are required to be approved by the Office of the Treasurer and your campus information security team prior to being purchased.
Use and regularly update anti-virus software.
Do not use vendor-supplied defaults for systems passwords and other security parameters

• Look for false scanners attached to devices. Scanners can be placed over the card reader and look very similar to the original device. Look and feel for any parts that come loose easily.
• Keep an inventory of all devices used for payments, noting their serial numbers, makes, models, and any other identifying information.
• Routinely check the serial number and other characteristics of your devices to be sure that you are using the right one. An approved device could easily be switched for a false one, so it is important to be vigilant.
• Apply tamper-evident security tape over any parts of a device that can be opened. Even if the terminal can’t be opened, security tape helps you recognize your terminals and create awareness of the devices.
• Keep swipe card terminals in a secure area where unauthorized people are unable to access.

EMV capable terminals across the campus departments can process contactless payments using Near Field Communication (NFC) technology. Near Field Communication (NFC) technology lets Android Pay enabled smartphones communicate payment information when held near your NFC-enabled point-of-sale device.

PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store, or transmit cardholder data. The payment card brands (Visa, MasterCard, Discover, American Express, and JCB) have collaborated to create a single set of industry requirements, called the PCI DSS, for consumer data protection. The PCI Data Security Standard aligns the security standards to create streamlined requirements, compliance criteria, and validation processes.

University of Colorado departments who accept credit and debit cards for payment are responsible for ensuring all card information is received and maintained in a secure manner in accordance with the payment card industry standards. Individual departments will be held accountable if monetary sanctions and/or card acceptance restrictions are imposed as a result of a breach in PCI compliance.

Below is a high-level overview of the PCI DSS, consisting of 6 goals and 12 requirements:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.  

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications. 

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.  

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.  

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel. 

For more information, consult the PCI website: https://www.pcisecuritystandards.org/

CU departments processing credit and debit card transactions must follow ALL of the PCI-DSS requirements: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_se...

Immediately Report all suspected or known security breaches FIRST to the System Administration Office of Information Security, https://www.cu.edu/ois, security@cu.edu. The Treasurer’s Office (treas.all@cu.edu) and your campus information security team should be notified as well. 

Boulder: security@colorado.edu 
Denver: UCD-OIT-RAC@ucdenver.edu 
UCCS: security@uccs.edu 
System Administration: security@cu.edu

Cvent - An online platform to manage your events using Cvent, eComm's event management platform. CU departmental staff can build forms for both simple and complex events. The CU Office of the Treasurer has authorized Cvent as an approved vendor to accept secure credit card payments. You can easily customize the design of your event form and website, even if you don’t know HTML. For more information about the program and instructions on how to contact your campus leadership team, go to https://www.cu.edu/ecomm.

Touchnet Information Systems, Inc.  - A robust online payment gateway called the CU Online Store was launched by the University of Colorado in October, 2019. More information is available can be found at www.cu.edu/store.  All questions and requests for additional information can be directed to onlinestore@cu.edu.

Nelnet Campus Commerce - An electronic payment service provider used across the campuses for electronic student bill presentment and electronic student payment processing using Automated Clearing House (ACH) debits, credit cards and debit cards.  The Commerce Manager portal within Nelnet Campus Commerce is available for departments accepting online payments tied to admission applications and program deposits.

Authorize.Net - The primary payment gateway provider integrated with a Wells Fargo merchant account for CU departments processing online payments. Authorize.net allows departments to accept credit cards and electronic checks from websites and deposit funds automatically into their merchant bank account. The solution offers fraud protection services, recurring billing subscriptions, and checkout options.

Adding new merchant accounts/vendors: If your department would like to open another merchant account, or contract with a third party vendor to accept credit card payments, start the process early by contacting the Treasurer’s Office and your campus Internal Security Assessor to discuss options.  If a third party vendor has already been vetted and approved by the University, the process will be easier and quicker. If a vendor is not currently under contract with the University of Colorado, please allow please allow 9 months for Payment Card review and contract negotiations after the request has been submitted to the Procurement Service Center.

If a potential third-party vendor processes payment card transactions, the vendor MUST be vetted and approved for PCI compliance, regardless of dollar amount.

University of Colorado Boulder Campus

Outsourcing agreements to third party vendors must be preapproved in writing by the Campus Controller, Treasurer’s Office and IT Security Office prior to the execution of any agreement. Departments may be required to use preapproved vendors unless there exists a legitimate business need. All third party providers must meet the standards set forth by the PCIDSS. Outsourcing agreements must also comply with Procurement Service Center (PSC) procedures. In the event that the actual processing of credit card transactions is outsourced, various training and duty requirements will differ as noted below, but the principles are the same. Any requisition that appears to be for the purchase of information communication technology (ICT) goods or services has to be reviewed and approved by the ICT program. The Boulder campus policy, available at http://www.colorado.edu/accessibility/, requires that these purchases be reviewed for accessibility before proceeding. Please visit the ICT Integrity page for more information about the process and to submit a request for review: http://www.colorado.edu/ictintegrity/.

The link to the Boulder ICT program: http://www.colorado.edu/ictintegrity/ict-review-process

Procedural Statement can be found here: https://www.colorado.edu/controller/sites/default/files/attached-files/P...

The Boulder campus Internal Security Assessor, Lincoln Nkin, can be contacted at: OIT-DL-PCI-DSS@colorado.edu

University of Colorado Denver/Anschutz Medical Campus

Third party vendors are now subject to the same Security Rule requirements as Covered Entities, and are also subject to relevant sections of the Privacy Rule and the HITECH Breach Notification Rule. In order to protect university confidential and highly confidential data, including PHI, the risk and compliance team assesses the security and practices of all third party vendor server applications and cloud services. Third party vendor applications include those that process, transmit or store PCI (Payment Card Industry) data.
Third party vendors must:

• Prevent the loss, theft, unauthorized access and/or disclosure of university data
• Destroy data when no longer needed per university data owner instructions
• Have incident response procedures and reporting requirements in case of a breach

For more information about the approved applications and assessment process go to: https://www.ucdenver.edu/offices/office-of-information-technology/secure...

Contact the Denver/Anschutz campus Internal Security team at UCD-OIT-RAC@ucdenver.edu.

University of Colorado Colorado Springs Campus

The UCCS Card Acceptance and Security Policy states that outsourcing agreements to third party vendors must be preapproved in writing by the Campus Controller and Treasurer’s Office prior to the execution of any agreement. All Third party providers must meet the standards set forth by the Payment Card Industry Data Security Standard (PCIDSS) and be certified. This certification must be obtained before vendor is contracted and reaffirmed annually. The Treasurer's Office can assist with the vendor certification determination.

The UCCS Credit Card Acceptance and Security Policy can be found at this site: https://compliance.uccs.edu/news/credit-card-acceptance-and-security

The Colorado Springs campus Office of Information Security team contact information can be found here: https://oit.uccs.edu/ The Internal Security Assessor is Neil Kautzner.

Third Party Service Providers

A third-party service provider is a business entity directly involved in the processing, storage, or transmission of transaction data or cardholder data on behalf of the university. They also include companies or organizations that provide services that control or could impact the security of cardholder data, or manage system components – such as routers, firewalls, databases, physical security, and/or servers – in their CDE. When an entity is processing, storing or transmitting cardholder data on behalf of the university, or they have access to university's cardholder data, they are a service provider.

The use of a third party service provide does not relieve the CU merchant of ultimate responsibility for its own PCI DSS compliance, or exempt the university from accountability and obligation for ensuring that its cardholder data and Cardholder Data Environment are secure.

At this time, phone add-on devices like Square cannot be used to accept credit card payments on behalf of the University of Colorado.

Signing up for Business Track_.pdf