Department Commerce

Many departments or programs sell goods or direct services to employees and students. This guide explains the steps for establishing a revenue collection solution. For questions on this topic, contact the Controller.

Getting Started

Information on this page is intended for departments and offices that sell goods and/or services to employees, students, and others and wish to collect payments from customers by credit card. Departments must review this information, select the option best suited to their commerce, and submit the appropriate request, together with their business plan, to Financial Services. The College accepts Visa, MasterCard, and Discover. American Express is available, but the department will incur significantly higher credit card processing fees. The processing tools available are as follows:

E-Commerce — CashNet

  • The College’s e-commerce solution for collecting miscellaneous payments is CashNet Online Marketplace
  • Financial Services will create individual payment sites for your department’s unique business needs.
  • Allow 10 business days to set up a new site
  • Updates and changes can be made to the site as needed
  • CashNet can accept e-checks, credit cards, and MasterPass as payment types.
  • E-mail notifications and daily/weekly reports are available.
  • Transactions are uploaded into PeopleSoft. No additional processing or paperwork is needed from your department.
  • Departments benefit from reduced credit card fees.

EMV/Swipe Terminal

  • Credit card terminals will be supplied by Financial Services.
  • Allow 2 weeks for new equipment and setup.
  • Terminals are set up and programmed according to the department's particular needs, e.g. card present (swipe/dip point of sale) or card not present (mail order/telephone).
  • Data is transmitted via a dial-up phone line, not over the College network.
  • Costs associated with a terminal will be charged to your department monthly: the purchase of the terminal (currently approx. $400.00 for an EMV/swipe terminal), monthly merchant account fees, and transaction fees (typically about 3% of the transaction amount).
  • Credit card data must be treated as confidential.
  • Credit card account numbers must be masked or truncated if and when displayed: no more than the last four digits of the card number may be shown.
  • Cardholder data received in hardcopy must be kept in a secure location (locked cabinet or safe) with limited access and destroyed once the transaction has been processed. Under no circumstances may the security code (CVV/CVC) or PIN be stored.
  • Credit card data should not be accepted or transmitted through e-mail or fax.
  • The credit card terminal that is assigned to your department should not be moved or used by another department without prior notification to Financial Services. Each credit card terminal is programmed to be used for specific transactions and deposited into specific bank accounts.
  • Credit card terminals should be kept in a secure location.
  • Periodically inspect devices to look for tampering.
  • Ensure no new components or devices are added.
  • Ensure no new stickers have been added or original stickers removed.
  • Inspect terminal connection cables for any signs of tampering.

Mobile Payment Options

PayEverywhere tool for use by DAPR only

  • Mobile payment options are available when needing to process credit card transactions off campus.
  • Merchant e-Solutions (Gettysburg College's credit card merchant provider) offers a mobile application called PayEverywhere. It is used with a Merchant e-Solutions card reader that encrypts the card data at the moment the card is swiped, so the unencrypted card number never reaches the device; the solution is PCI compliant.
  • Transactions are transmitted via cellular data. Credit card data is not permitted to be transferred via Wi-Fi / wireless networks. A data plan will need to be set up with Telecommunications. Currently a data plan costs approximately $40.00 / month.
  • An approved and compatible iPad can be purchased (working with the IT department and Financial Services) and will be used solely as a cash register. No other features such as web browsing, e-mail, or additional apps may be used on the iPad.
  • Connecting to a wireless network is prohibited.
  • Departments must follow Mobile Payment App guidelines and procedures (provided separately).

Credit Card Equipment Loans/Replacement/Disposal

  • If you have a one-time event for which you need the use of credit card equipment, please contact Financial Services to make arrangements.
  • Please allow at least one week notice in order to ensure there is a terminal available.
  • Your department will be responsible for lost or damaged equipment.
  • Your department will be charged for all credit card processing fees (typically about 3% of the transaction amount).
  • Your department must adhere to the PCI standards and credit card procedures.
  • Your department must follow processing transaction and daily settlement guidelines and recordkeeping procedures.
  • Terminals retain transaction data, which must be removed before the device is disposed of.
  • When your credit card terminal is no longer needed, please notify Financial Services so that the stored data can be cleared and the device retired properly.

Financial Services Responsibilities

  • Ensure the College adheres to PCI compliance standards and files the annual SAQs.
  • Establish and maintain credit card merchant services provider account.
  • Provide payment solutions support for College related business.
  • Maintain and supply credit card hardware.
  • Reconcile credit card transactions to the credit card merchant statements and bank statements monthly and allocate credit card fees.

Department Responsibilities

  • Adhere to PCI standards for all transactions
  • Complete annual certification of compliance
  • Adhere to College credit card procedures
  • Adhere to College Network Use and Information Security Policy
  • Develop departmental processes to include the above standards
  • Develop refund terms and conditions
  • Designate and train personnel for credit card processing

Credit Card Procedures

It is necessary for all departments to adhere to these procedures to ensure the College is compliant with Payment Card Industry (PCI) compliance standards and the terms and conditions set by our credit card merchant providers. This document is intended to be read in conjunction with the College’s Payment Card Industry Data Security Standards (PCI – DSS) and Merchant Services Provider Compliance Requirements document.

Processing and Recordkeeping

Transactions and Settlement for EMV Swipe and Mobile Tools

  • Process credit card transactions using Financial Services supplied equipment only.
  • Instructions for using the credit card terminals are provided separately.
  • All verification prompts (expiration date, ZIP code, and security code) must be answered when completing a transaction.
  • Transactions greater than $10,000.00 require written documentation from the customer (a signed credit card slip or an e-mail confirmation from the customer) that will be supplied to our credit card merchant provider. Transactions of this size can flag the account, and funds may be held by the merchant provider until the documentation has been submitted and verified.
  • For card-present transactions - customers should sign the credit card slip receipt.
  • For card-not-present transactions – documentation with credit card data removed should be maintained.
  • Daily settlement is required for all transactions processed via the EMV / swipe and mobile terminals.
  • Signed credit card slips and settlement slips should be kept in a secure location until ready to complete the daily cash transmittal.
  • Refunds should be processed to the same card holder account as the original credit card charge.

Prohibited Credit Card Transactions

  • Departments will not accept credit card payments for cash advances.
  • Departments will not discount a good or service based on method of payment.
  • Departments will not add a surcharge or additional fee to payment card transactions.
  • Refunds in excess of the original sale amount and cash refunds are prohibited.
  • Refunds to a credit card account other than the one used for the original sale are prohibited.
  • Departments will not use any other device than what is provided by Financial Services to accept credit card transactions. Square is prohibited.

Recordkeeping and Deposit Procedures

  • Daily or weekly submission of funds received must be made to the College cashier.
  • Transaction slips, with the settlement slip stapled to the top of each batch, must be submitted with the cash transmittal form.
  • Department/Organization Deposit forms should be marked with “ECC” and highlighted so that the funds are coded to the correct bank account. Admissions and Development departments do not need to mark the form ECC.

Financial Services Procedures

  • Record daily cash transmittals from departments.
  • Reconcile credit card transactions processed to the credit card merchant provider statements and bank statements. Discrepancies will be researched and resolved in a timely manner.
  • Credit card fees will be recorded in the general ledger monthly.
  • Chargebacks: Occasionally a customer will dispute a credit card transaction, ultimately leading to a chargeback (withdrawal of funds). Departments will be notified if this happens and asked for any additional documentation that our credit card merchant provider requests.

PCI - DSS Compliance Requirements

The College is required by the Card Associations (Visa, MasterCard, American Express and Discover) to be compliant with the Payment Card Industry Data Security Standard (PCI DSS), and is committed to providing a secure environment for our customers to protect against both loss and fraud. The College must comply with PCI requirements for securely processing, storing, transmitting and disposing of cardholder data. By accepting credit cards as a form of payment, departments are obligated to comply with PCI DSS and the terms set forth by the Merchant Services provider. Financial Services provides the summary below to assist departments in understanding the terms of PCI DSS and the Merchant Agreements so that the credit card practices PCI DSS prescribes can be incorporated into department business processes.

Terms Used

  • Cardholder Data: At a minimum, cardholder data consists of the full PAN (primary account number, i.e. the card number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code (the three-digit or four-digit value in the magnetic stripe that follows the expiration date in the track data).
  • Payment Application: A software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
  • SAQ: Acronym for “Self-Assessment Questionnaire.” Reporting tool used to document self-assessment results from an entity’s/merchant department’s PCI DSS assessment.
  • Virtual Payment Terminal: A virtual payment terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant (College department) manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card.
  • PCI DSS: Payment Card Industry Data Security Standard. The PCI DSS applies to all departments that store, process, and/or transmit cardholder data. It covers the technical and operational system components included in or connected to the cardholder data environment. If you accept or process payment cards, PCI DSS applies to you.

General Guidelines

  • The College’s network is accessed by many systems and many users and therefore is not intended to be secure to the extent required under PCI DSS. Cardholder data is therefore prohibited from being entered and/or saved by College employees on a College computer or transmitted across the College’s network.
  • Cardholder data is confidential and should be treated with at least the same level of care as an individual’s social security and bank account number.
  • Never email or fax cardholder data.
  • Only departments who have been approved by Financial Services may process credit card transactions.
  • If a department suspects that cardholder data has been compromised Sharon Dayhoff (sdayhoff@gettysburg.edu) should be notified immediately.

PCI Goals and Requirements

  • All transactions that involve the processing of payment card data (debit and credit cards) are required to utilize one of the three credit card payment options supported by Financial Services:
    • E-commerce (CashNet)
    • EMV/Swipe Terminal (dial-up only)
    • Mobile payments (PayEverywhere)
  • The College Store and Majestic Theater are the only departments currently authorized to use payment applications. The College only uses payment applications that adhere to the Payment Application Data Security Standard (PA-DSS). All vendors used must be on the list of validated payment applications maintained by the PCI Security Standards Council. A review is done annually to ensure the applications are still in compliance.

Department Using E-Commerce

  • Cardholder data must always be entered by the customer, never by a department employee on a College computer on the College’s network.
  • If a department has a need for a virtual payment terminal please contact Financial Services. Costs which include an additional computer will be paid for by the requesting department and must also receive IT approval. Email or any other types of processing are not allowed on virtual payment terminals.

Department Using EMV/Swipe Terminals

  • Accept cardholder data only via phone, hard copy or in person (not via email/fax).
  • Maintain credit card terminals and cardholder data in a secure area.
  • Departments may accept the following cardholder data via hardcopy from customers:
    • Primary Account Number (PAN)
    • Cardholder Name
    • Expiration Date
    • CVV/CVC Code (the 3- or 4-digit number on the back/front of the card), which may be used for the authorization only and must never be retained afterwards
  • Process hardcopy credit card information as soon as possible and destroy it once no longer needed. Cardholder information should be blacked out and then shredded.
  • Cardholder data is prohibited from being stored electronically (spreadsheets/word documents).
  • Cardholder data and credit card receipts are to be maintained in a secure area (locked drawer or safe) with access limited to those employees with credit card processing responsibility.
  • Departments should consider contacting Financial Services to have an e-commerce site setup so that there is no need to retain and store cardholder data.
  • Credit card terminals should be inspected periodically to look for tampering:
    • Ensure no new components or devices are added.
    • Ensure no new stickers have been added or original stickers removed.
    • Inspect terminal connection cables for any signs of tampering.

Departments Using Mobile Payments

  • Transactions may only be transmitted via a cellular data network. Under no circumstances is credit card data permitted to be transmitted via Wi-Fi / wireless networks.
  • Mobile payments may only be accepted via a Financial Services and IT approved device.
  • An approved device may be used only for credit card transactions. No other features such as web-browsing, e-mail or other apps may be used on the device.
  • Mobile payment devices are meant to process credit card transactions immediately. If cardholder data must be written down because no cellular network is available, it may not be saved electronically, must be stored securely, and must be shredded as soon as it is no longer needed.

Merchant Services Agreement Obligations

  • Departments are assigned a merchant ID based on sales channel (i.e. eCommerce/internet; card not present - mail order/telephone; card present (in person) – swipe, point of sale).
  • Contact Financial Services to update merchant ID settings if sales channel or products available for sale change.
  • Card number displayed on receipt should be truncated. A full PAN should never be printed.
  • Expiration date is required as part of authorization process.
  • Submit charge for processing no sooner than when goods are shipped and/or services performed.
  • Refund policy should be clearly stated in all materials.
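The truncation rule (no more than the last four digits of a PAN may be displayed or printed, per the EMV/Swipe Terminal and Merchant Services Agreement sections) and the prohibition on storing cardholder data electronically can be checked mechanically. The following Python is an added example written for this page, not a tool supplied by Financial Services or the merchant provider: it masks a PAN to its last four digits and scans a block of text (a spreadsheet export, a receipt template, a shared-drive document) for unmasked, Luhn-valid card numbers, reporting only the masked form so that the scan output does not itself become cardholder data. The sample text is constructed, and the card numbers in it are widely published test numbers, not real accounts.

```python
import re

# Luhn (mod 10) checksum: the last digit of every major brand's PAN is a
# check digit, so a run of digits that fails Luhn is almost never a card number.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate a PAN so that only the last four digits remain visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return "X" * (len(digits) - 4) + digits[-4:]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid card number found.

    Only the masked form is returned so that the scan report is safe to keep."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits

# Constructed sample of what a departmental spreadsheet or receipt log might
# contain. The card numbers are widely published test numbers, not real cards.
SAMPLE_TEXT = """\
Order 1234567890123456 paid by card XXXXXXXXXXXX1111 (properly truncated)
Phone order: 4111 1111 1111 1111 exp 09/27 (full PAN written down)
Donation: 5555-5555-5555-4444 J. Doe (full PAN written down)
Ticket refund to 6011111111111117 (full PAN written down)
"""

if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_TEXT):
        print(f"line {lineno}: unmasked card number found, ends in {masked[-4:]}")
```

Line 1 is not flagged: the 16-digit order number fails the Luhn check and the card reference is already truncated to four digits. A long identifier that happens to pass Luhn would be a false positive, so hits are for human review, not automatic deletion; what the scanner must never do is write the full number into its own output or a log, which is why it reports only the masked form.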