Steps to Becoming a Credit Card Merchant
The first step for a department or unit that would like to accept credit cards is to have a discussion with the Coordinator. At that time, the department/unit will discuss their plans, potential revenue, etc. In addition, the Coordinator will review with them all aspects of credit card acceptance, including the approval process, the type of setup the unit/department is requesting, potential suppliers and solutions, associated fees, and UC, campus, and regulatory policies and requirements.
Campus Credit Card Coordinator Review
The Coordinator will want to gain an understanding of the department/unit's need to accept credit cards. Things to consider include the amount of potential revenue to be generated and the level of staff support available to manage the acceptance and reconciliation of all credit card income and fees. The Coordinator will also review the activities for potential issues such as the responsibilities and costs of meeting compliance requirements, the need for a revenue account, unrelated business income tax (UBIT) reporting, and the approval of the activities by the campus Rate and Recharge Committee.
Campus Controller Approval
The Campus Controller approves all requests from departments/units to accept credit cards. This is done via a letter from the department/unit head, which is routed to the Coordinator and on to the Campus Controller. The Coordinator will supply a template that can be used as the basis for the letter.
Credit Card Acceptance Considerations
A department wishing to apply for a credit card merchant account has many things to consider:
- Potential revenue. If the event/conference/sales revenue will be relatively small, it may be in the department's best interest to use a shared campus solution, such as Stova (formerly Aventri), or to accept only cash and checks, because of the workload involved in administering and reconciling a merchant account. If the event/conference/sales will generate larger revenue, then establishing a merchant account for credit card acceptance may be the best option; the department then needs to work with General Accounting to establish a new revenue account and to evaluate whether the revenue could trigger Unrelated Business Income Tax (UBIT).
- Frequency of Sales. If the event/conference will be held only one time, or sales of items will be for a limited time, it may be in the department's best interest to use a shared campus solution, such as Stova, or accept only cash and checks due to the costs and workload involved with administering and reconciling a merchant account. The department should consult with the Campus Credit Card Coordinator to discuss best options, especially if it will be a one-time only event.
- Technical Support. Depending on the method of credit card acceptance, departments will need varying degrees of technical support from their IT staff. Merchants may also need technical support to complete the required annual PCI validation.
- Department Staffing Levels. Acceptance of credit cards requires administration of the account, monitoring, and reconciliation. Departments should consider availability of staff for these functions.
Credit Card Merchant Responsibilities
All UCSB merchants/departments must abide by the following guidelines:
- No electronic storage of cardholder data (on computers, or in any database, application, or system); credit card information (card number, expiration date, card verification codes, etc.) must not be transmitted via email or fax
- Credit card terminals, if used, must be monitored and tracked at all times
- Designate an individual who holds the primary authority and responsibility for payment card processing
- Pay the costs associated with payment card processing (bank and gateway fees, equipment fees if applicable, PCI compliance fees, and other fees as deemed appropriate)
- Comply with all PCI DSS guidelines, UCOP’s Business & Finance Bulletin 49 (BUS-49), Policy for Cash and Cash Equivalents Received, and UCSB’s policies and procedures for payment card acceptance and security
Credit Card Processing Methods
There are many options available to departments that want to accept credit cards. Departments can accept credit cards over the web/internet (e-commerce), in person (retail), or by mail or over the phone (mail order/telephone order, MO/TO). Credit cards can be accepted for goods and services, such as tickets to events, parking permits, registration fees for conferences the department/unit is hosting, dining, lodging, and other purposes. Each of these needs may have several solutions the merchant can consider in consultation with the Coordinator. Note: All options require coordination with the Campus Credit Card Coordinator to establish accounts and gateways.
e-commerce: Website Sales of Goods and Services
I. Department/Unit Hosted Website
For this option, the department/unit typically has technical support staff that can create a website to display the goods/services available for purchase, and may capture non-sensitive customer information during the purchase process. This can be accomplished using a custom-built database, or merchants may choose to use an approved third-party shopping cart. To complete the purchase using credit cards, this setup requires redirection to an approved, completely outsourced payment gateway, and does not allow for any processing, storage, or transmission of credit card data. This is also known as the “click to pay” model, because users are redirected to a payment gateway for secure collection of credit card data.
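The "click to pay" model works because the department site has no field, no table and no log in which card data could land: the shopper is sent to the gateway with a signed description of the order, the gateway collects the card on its own page, and only a signed result (reference, amount, status) comes back. The following is an added example that illustrates that exchange from both sides; it is not code from the UCSB program or from any approved gateway. The gateway URL, parameter names, HMAC signing scheme and shared secret are all constructed for the example, and a real gateway defines its own.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical hosted payment page and shared secret, constructed for this example.
GATEWAY_PAY_URL = "https://gateway.example/hosted-page"
SHARED_SECRET = b"example-shared-secret-do-not-reuse"

# The only fields the department site may send. There is deliberately no field
# for card number, expiry or CVV: the site has nowhere to put card data, so it
# cannot process, store or transmit it.
ALLOWED_ORDER_FIELDS = {"merchant_ref", "amount_cents", "currency", "description"}


def _sign(params: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the URL-encoded, key-sorted parameters (constructed scheme)."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def validate_order(order: dict) -> list:
    """Return a list of problems with the order; an empty list means it is acceptable."""
    problems = []
    for key in sorted(set(order) - ALLOWED_ORDER_FIELDS):
        problems.append(f"unexpected field {key!r}: card data must never reach this site")
    for key in sorted(ALLOWED_ORDER_FIELDS - set(order)):
        problems.append(f"missing field {key!r}")
    amount = order.get("amount_cents")
    if "amount_cents" in order and (not isinstance(amount, int) or amount <= 0):
        problems.append("amount_cents must be a positive integer")
    return problems


def build_hosted_payment_redirect(order: dict, secret: bytes = SHARED_SECRET) -> str:
    """Step 1 (department site): send the shopper to the gateway with a signed order."""
    problems = validate_order(order)
    if problems:
        raise ValueError("; ".join(problems))
    params = {k: str(order[k]) for k in sorted(ALLOWED_ORDER_FIELDS)}
    params["nonce"] = secrets.token_hex(8)      # keeps an old redirect from being replayed
    params["sig"] = _sign(params, secret)
    return GATEWAY_PAY_URL + "?" + urlencode(params)


def simulate_gateway_return(merchant_ref: str, amount_cents: int, status: str,
                            return_url: str, secret: bytes = SHARED_SECRET) -> str:
    """Step 2 (gateway side, simulated): after collecting the card on its own page,
    the gateway sends the shopper back with a signed result. Only the reference,
    amount, status and an authorization reference come back; the PAN stays with the gateway."""
    params = {"merchant_ref": merchant_ref, "amount_cents": str(amount_cents),
              "status": status, "auth_ref": secrets.token_hex(6)}
    params["sig"] = _sign(params, secret)
    return return_url + "?" + urlencode(params)


def verify_gateway_return(url: str, secret: bytes = SHARED_SECRET):
    """Step 3 (department site): trust the result only if the HMAC verifies.
    Returns the signed fields as a dict, or None when the signature is missing or wrong."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, _sign(params, secret)):
        return None
    return params


if __name__ == "__main__":
    order = {"merchant_ref": "ORD-1001", "amount_cents": 2500,
             "currency": "USD", "description": "Conference registration"}
    print("redirect shopper to:", build_hosted_payment_redirect(order))
    back = simulate_gateway_return("ORD-1001", 2500, "approved", "https://dept.example/return")
    print("trusted result:", verify_gateway_return(back))
```

The department site should record the merchant reference and the gateway's authorization reference for reconciliation, never anything from the card itself; with this layout the site stays out of the cardholder data environment, which is what keeps its PCI validation to the simplest questionnaire.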
II. Supplier Solutions
Another option for accepting credit cards online is to use an approved UC supplier that can provide, or facilitate the development of, a website.
Credit Card Fees
There are many costs to accepting credit cards. Fees include, but may not be limited to:
PCI Compliance Fees
There can be one or more fees related to PCI compliance for a merchant. For example:
- $90/year for each self-assessment questionnaire (“SAQ”). This is a pass-through fee assessed by the Office of the Controller to departments via a journal on an annual basis. A merchant can have more than one SAQ, depending on how many merchant accounts and processing environments are supported (e.g., e-commerce and retail);
- $1,000 to $3,000 for a QSA Facilitated SAQ, if required due to an unusual or complex processing environment, or at a department’s request;
- $1,000 to $10,000+ for external/internal network scans and penetration testing, depending on the complexity of the processing environment (SAQ-C and -D, primarily);
- $8,000+ for a QSA examination of a non-validated P2PE environment (i.e., not listed as a validated solution on the PCI SSC website).
Credit Card Acceptance Fees
For most UCSB merchants, these fees total approximately 2-2.5% of the transaction, and are identified in the monthly statement that comes from Bank of America merchant services.
Credit Card Reconciliation
All campus credit card revenue and fees are deposited/charged to one central campus bank account. General Accounting reviews the bank statement and distributes the revenue and fees to GL accounts designated by each merchant. Departments are responsible for recording their revenue and fees to the appropriate department revenue and expense accounts in coordination with General Accounting.
Credit card reconciliation can be a complex process requiring review of multiple statements to ensure revenue and fees are accounted for appropriately. The following is a list of steps in the credit card reconciliation process:
Working with Third-Party Suppliers
UCSB departments will, whenever possible, use suppliers previously vetted by the UC Office of the President (UCOP) or UCSB to ensure security, PCI DSS compliance, and efficient use of University resources.
If not using a UCOP/UCSB-vetted supplier, departments must ensure that third-party service providers, and their payment software, gateways, equipment, and outsourced payment services, are PCI DSS compliant, and the appropriate data security language must be included in all contracts with third-party service providers involving payment card acceptance. Third-party payment solutions must be approved by the Coordinator and Procurement Services.
General Requirements of Third-Party Suppliers
In general, if a department wants to work with an outside (third-party) supplier to sell goods and/or services on behalf of the UC Regents, the supplier must meet the following requirements:
Incident Response: Suspected Cardholder Data Compromise
An incident, for purposes of this plan, is defined as a suspected or confirmed compromise of cardholder data. At a minimum, cardholder data consists of the full card number. Cardholder data may also appear in the form of the full card number plus any of the following: cardholder name, expiration date, and/or sensitive authentication data. A cardholder data compromise is any situation in which an intrusion into a computer system occurs and unauthorized disclosure, theft, modification, or destruction of cardholder data is suspected. It also includes the suspected or confirmed loss or theft of any material or records that contain cardholder data.
Departments that suspect or have confirmed an account data compromise must take prompt action to prevent additional exposure of payment card data. The following steps must be taken:
Credit Card Merchant Terminology
Acquirer (for UCSB: Bank of America Merchant Services, aka "BAMS")
Also referred to as "merchant bank," "merchant processor," "acquirer," or "acquiring financial institution." An entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. Note: UCSB is required to report the PCI compliance status of our merchants to our acquiring bank, BAMS.
Approved Scanning Vendor (“ASV”)
Company approved by the PCI Security Standards Council to conduct scanning services to identify common weaknesses in system configuration. The UC’s QSA, Coalfire Services, is our ASV.
Credit card issuing entities such as Visa and MasterCard that govern and oversee the use of credit cards for payment transactions.
Card Data / Customer Card Data
At a minimum, card data includes the primary account number (PAN), and may also include cardholder name and expiration date. The PAN is visible on the front of the card and encoded into the card’s magnetic stripe and/or the embedded chip. Also referred to as cardholder data. See also Sensitive Authentication Data for additional data elements which may be part of a payment transaction but which must not be stored after the transaction is authorized.
Merchant Card Processing Basics
Suggested Reading: Dispute Management Guidelines for Visa Merchants
"Dispute Management Guidelines for Visa Merchants is a comprehensive manual for all businesses that accept Visa transactions. The purpose of this guide is to provide merchants and their back-office sales staff with accurate, up-to-date information to help merchants minimize the risk of loss from fraud and disputes. This document covers dispute requirements and best practices for processing transactions that are charged back to the merchant by their acquirer." Download the "Dispute Management Guidelines for Visa Merchants" guide.
Merchant Best Practices
The following are tips courtesy of Bank of America Merchant Services.
BUS-49, Policy for Cash and Cash Equivalents Received
Use of University Logo
UC Privacy and Data Security Incident Response Plan Standard