There are many options available to departments that want to accept credit cards. Departments can accept credit cards over the web/internet (e-commerce), in person (retail), or by mail/over the phone (MO/TO). Credit cards can be accepted for goods and services, such as tickets to events, parking permits, registration fees associated with conferences the department/unit is hosting, dining, lodging, and other purposes. Each of these needs may have several solutions the merchant can consider in consultation with the Coordinator. Note: All options require coordination with the Campus Credit Card Coordinator to establish accounts and gateways.
e-commerce: Website Sales of Goods and Services
I. Department/Unit Hosted Website
For this option, the department/unit typically has technical support staff that can create a website to display the goods/services available for purchase, and may capture non-sensitive customer information during the purchase process. This can be accomplished using a custom-built database, or merchants may choose to use an approved third-party shopping cart. To complete the purchase using credit cards, this setup requires redirection to an approved, completely outsourced payment gateway, and does not allow for any processing, storage, or transmission of credit card data. This is also known as the “click to pay” model, because users are redirected to a payment gateway for secure collection of credit card data.
II. Supplier Solutions
- UC Approved Supplier
Another option for accepting credit cards online is to use an approved UC supplier that can provide, or facilitate the development of, a website. The website can manage inventory, collect non-sensitive customer information, provide reports, and more. In almost all cases, this setup requires redirection to a completely outsourced payment gateway to complete transactions, and does not allow for any processing, storage, or transmission of credit card data (exceptions will be considered on a case-by-case basis by the Coordinator).
- Third-Party Supplier
If a department/unit has a need to sell goods/services and wishes to use a supplier that does not currently have an approved agreement with UCSB or the UC system, the supplier must meet certain guidelines prior to signing any agreement. The agreement must be submitted to, and approved by, the campus Procurement Services group to ensure it meets all required standards. The Coordinator will participate in the review to address all credit card-related concerns. For more details, see information referring to Working with Payments Processing Suppliers, below.
I. Use Stova (formerly Aventri) for Event/Conference Registration
Stova is a UC system-wide supplier, and has all the functionalities that departments need to design and maintain an online event registration system. For credit card acceptance, departments use payment processing provided by Business & Financial Services, so there is no separate merchant application necessary and no PCI Compliance requirements to manage. Fees for Stova are currently $2.10 per registration plus a percentage of transaction amounts processed by credit card. Contact email@example.com for more information.
II. Department Developed Web Site
If a department has IT support, the department will need to develop a website, with a backend database to collect demographic information about the participants who are registering for the events/conferences. This will allow the department to do reporting and have information about the participants. To complete the registration using credit cards, this setup requires redirection to a completely outsourced payment gateway, and does not allow for any processing, storage, or transmission of credit card data.
III. Third-Party Supplier Solution
For more details, see information referring to Working with Payments Processing Suppliers, below.
Retail & MO/TO
To accept credit cards in person, or through the mail or over the phone, the department/merchant must use a secure physical terminal. A Virtual Terminal (typing credit card information into an internet browser using a computer’s keyboard or a non-approved device) is not allowed. In addition, for telephone payments the phone used to collect cardholder data must be an approved device.
Accepting Payments Over the Phone
VoIP phones (e.g., Zoom Phone) connected to campus networks are not PCI compliant. For more information on PCI standards covering telephone payments, see the Information Supplement: Protecting Telephone-Based Payment Card Data published by the PCI Security Standards Council.
Credit card information received over the phone for manual entry using an approved POS terminal may only be accepted over a phone that is not connected to any UCSB network, either by wired (Ethernet) or wireless (WiFi) connection. Approved devices for accepting credit card data include those connected via analog (POTS) phone line; Zoom Phone VoIP desk phones managed by UCSB Communications and connected directly to a cellular provider over Ethernet (via cellular hotspot/router) or WiFi (via cellular hotspot) connection; or a departmental UCSB-owned (not personal) cellphone managed by the appropriate IT support and installed with Mobile Device Management (MDM) software to prevent the device from connecting to a UCSB network. Contact firstname.lastname@example.org with any questions.
Please contact UCSB Communications Services to arrange the purchase of phones, cellular hotspots, and related equipment.
Acquiring Payment Terminals
Payment terminals are generally rented or purchased from an approved supplier, and will usually be requested by the Coordinator. In certain circumstances, a merchant may purchase equipment from another supplier when specific terminals are required. See Credit Card Terminal Pricing for current costs.
P2PE Terminal Requirement for Retail & MO/TO Merchants
PCI-validated P2PE (Point to Point Encryption) solutions are the most secure processing systems currently available. They significantly reduce annual validation costs and resource requirements, and offer the highest security for the cardholders who do business with the University. UCSB has contracted with Bluefin Payment Systems as the primary (but not exclusive) provider of approved P2PE solutions, including terminals for retail, mobile, and MO/TO merchants.
UCSB requires all new credit card processing solutions to use P2PE solutions wherever possible. Existing merchants are encouraged, but not required, to replace terminals with P2PE solutions. The Coordinator can discuss non-P2PE solutions with merchants, if a merchant feels there is a reason why P2PE is not a preferred or viable option.
Note: Many suppliers claim to offer P2PE solutions, but ONLY solutions listed on the PCI SSC website are validated, approved by UCSB, and guarantee the automatically reduced scope of PCI compliance efforts. Non-validated solutions will be considered by the Coordinator on a case-by-case basis, but will subject the merchant to significant additional compliance fees. The list is continually updated here.