Financial Services is responsible for the oversight of all campus commerce activities to ensure:
- Sound financial practices
- Compliance with all applicable regulatory statutes
- Security of customer data
Financial Services offers the following information and guidance on accepting credit card payments for College-related business:
Gettysburg College Credit Card Procedures
Updated January 2017
The information below is intended to provide guidance for departments that would like to accept credit cards as a means of payment for goods or services. All departments must adhere to these procedures to ensure that Gettysburg College remains in compliance with Payment Card Industry (PCI) standards and with the terms and conditions set by our credit card merchant providers. This document is intended to be read in conjunction with Gettysburg College’s Payment Card Industry Data Security Standards (PCI DSS) and Merchant Services Provider Compliance Requirements document.
Financial Services Responsibilities:
- Ensure Gettysburg College adheres to PCI compliance standards and file the annual SAQs.
- Establish and ensure Gettysburg College adheres to credit card procedures.
- Establish and maintain credit card merchant services provider account.
- Provide payment solutions support for College-related business.
- Maintain and supply credit card hardware.
- Reconcile credit card transactions to the credit card merchant statements and bank statements monthly and allocate credit card fees.
Department Responsibilities:
- Follow Payment Card Industry (PCI) compliance standards and ensure compliance within the department.
- Departments will annually certify compliance with PCI standards.
- Follow Gettysburg College’s Credit Card Procedures.
- Develop credit card business processes which are compliant with PCI standards, Gettysburg College credit card procedures, and Network Use and Information Security policies.
- Contact Financial Services if any changes in credit card processing or additional payment options are needed.
- Designate personnel who are responsible for credit card processing. Financial Services should be notified of any designated personnel changes.
Requesting New Credit Card Payment Options:
- To request new credit card payment options, please contact Dawn Crockett in Financial Services.
- Departments may not begin accepting credit cards until the request has been approved.
Credit Card Processing Options:
Financial Services offers three credit card payment options (described below) to meet your business needs. Gettysburg College accepts Visa, MasterCard, and Discover. American Express is available; however, its credit card fees are significantly higher. E-checks are accepted via CashNet.
Departments accepting credit card payments should clearly state their refund policy in all sales materials. The refund policy should be disclosed to consumers before a transaction is complete.
- E-Commerce (CashNet)
- EMV / Swipe Terminal (Dial up only)
- Mobile Payment Options (PayEverywhere)
- E-Commerce Application (CashNet):
- Gettysburg College’s e-commerce payment application is CashNet.
- Financial Services will create individual payment sites for your department’s unique business needs.
- Contact Wendy Quinley or Dawn Crockett for information and assistance.
- 10 business days’ notice is needed to set up a new site.
- Updates and changes can be made to the site as needed.
- CashNet can accept e-checks, credit cards, and MasterPass as payment types.
- E-mail notifications and daily/weekly reports are available.
- Transactions are uploaded into PeopleSoft. No additional processing or paperwork is needed from your department.
- Departments benefit from reduced credit card fees.
- EMV / Swipe Terminals:
- Credit card terminals, which will be supplied by Financial Services, must be approved and compatible with our credit card merchant provider and processing network.
- Allow 2 weeks for new equipment and setup.
- Terminals are set up and programmed according to the department’s particular needs, e.g. card present (swipe/dip point of sale) or card not present (mail order/telephone).
- Data will be transmitted via a dial-up phone line.
- The cost of purchasing a terminal (currently approx. $400.00 for an EMV/swipe terminal), monthly merchant account fees, and transaction fees (typically about 3% of the transaction amount) will be charged to your department monthly.
- Credit card data must be treated as confidential.
- Credit card account numbers must be masked or truncated if and when displayed (no more than the last 4 digits of the CC number).
- Cardholder data received in hardcopy should be kept in a secure location (locked cabinet or safe) with limited access and destroyed once it has been used. Under no circumstances may the security code or PIN be stored.
- Credit card data should not be accepted or transmitted through e-mail or fax.
- The credit card terminal assigned to your department should not be moved or used by another department without prior notification to Financial Services. Each credit card terminal is programmed for specific transaction types and deposits into specific bank accounts.
- Credit card terminals should be kept in a secure location.
- Periodically inspect devices to look for tampering.
- Ensure no new components or devices are added.
- Ensure no new stickers have been added or original stickers removed.
- Inspect terminal connection cables for any signs of tampering.
- Mobile Payment Options:
- Mobile payment options are available when credit card transactions need to be processed off campus.
- Merchant e-Solutions (Gettysburg College’s credit card merchant provider) offers a mobile application called PayEverywhere. It is used together with a Merchant e-Solutions card reader, which encrypts the credit card information immediately as the card is swiped and is PCI compliant.
- Transactions are transmitted via cellular data. Credit card data is not permitted to be transferred via Wi-Fi / wireless networks. A data plan will need to be set up with Telecommunications; currently a data plan costs approximately $40.00 / month.
- An approved and compatible iPad can be purchased (working with the IT department and Financial Services) and will be used solely as a cash register. No other features such as web browsing, e-mail, or additional apps may be used on the iPad.
- Connecting to a wireless network is prohibited.
- Departments must follow Mobile Payment App guidelines and procedures (provided separately).
Credit Card Equipment Loans and Disposal:
- If you have a one-time event for which you need credit card equipment, please contact Dawn Crockett in Financial Services and arrangements can be made.
- Please allow at least one week’s notice to ensure a terminal is available.
- Your department will be responsible for lost or damaged equipment.
- Your department will be charged for all credit card processing fees (typically about 3% of the transaction amount).
- Your department must adhere to the PCI standards and credit card procedures.
- Your department must follow processing transaction and daily settlement guidelines and recordkeeping procedures.
Equipment Replacement / Disposal:
- When your credit card terminal is no longer needed, please notify Dawn Crockett in Financial Services.
- Data saved on the terminal must be removed prior to disposal.
Processing & Recordkeeping:
Processing Transactions and Daily Settlement (for EMV / swipe & mobile transactions):
- Process credit card transactions using Financial Services supplied equipment only.
- Instructions in using the credit card terminals are provided separately.
- All security questions (expiration date, zip code, and security code) must be answered when prompted while completing a transaction.
- Transaction amounts greater than $10,000.00 require written documentation from the customer (signed credit card slip or e-mail confirmation from the customer), which will be supplied to our credit card merchant provider. Transactions of this amount and greater could flag the account, and funds may be held by the credit card merchant provider until documentation has been submitted and verified.
- For card-present transactions, customers should sign the credit card slip receipt.
- For card-not-present transactions, documentation with the credit card data removed should be maintained.
- Daily settlement is required for all transactions processed via the EMV / swipe and mobile terminals.
- Signed credit card slips and settlement slips should be kept in a secure location until ready to complete the daily cash transmittal.
- Refunds should be processed to the same cardholder account as the original credit card charge.
Prohibited Credit Card Activities:
Gettysburg College prohibits certain credit card activities that include, but are not limited to:
- Departments will not accept credit card payments for cash advances.
- Departments will not discount a good or service based on method of payment.
- Departments will not add a surcharge or additional fee to payment card transactions.
- Refunds in excess of the original sale amount, and cash refunds, are prohibited.
- Refunds to a credit card account other than the one used for the original sale are prohibited.
- Departments will not use any device other than those provided by Financial Services to accept credit card transactions. Square is prohibited.
Recordkeeping and Deposit Procedures:
Daily or weekly cash transmittal forms must be completed and remitted to the cashier’s office.
- Transaction slips, with the settlement slip stapled to the top of each batch, need to be submitted with the cash transmittal form.
- Cash transmittal forms should be marked “ECC” and highlighted so that the funds are coded to the correct bank account. The Admissions and Development departments do not need to mark the form ECC.
Financial Services Procedures:
- Record daily cash transmittals from departments.
- Reconcile credit card transactions processed to the credit card merchant provider statements and bank statements. Discrepancies will be researched and resolved in a timely manner.
- Credit card fees will be recorded in the general ledger monthly.
- Occasionally a customer will dispute a credit card transaction, which can lead to a chargeback (withdrawal of funds). Departments will be notified if this happens and asked for any additional documentation that our credit card merchant provider requests.
Payment Card Industry Data Security Standards (PCI DSS) and Merchant Services Provider Compliance Requirements:
Gettysburg College is required by the Card Associations (Visa, MasterCard, American Express and Discover) to be compliant with the Payment Card Industry (PCI) Data Security Standards, and is committed to providing a secure environment for our customers to protect against both loss and fraud. Gettysburg College must comply with PCI requirements for securely processing, storing, transmitting and disposing of cardholder data.
By accepting credit cards as a form of payment, departments are obligated to comply with the PCI Data Security Standards (PCI DSS) and the terms set forth by the Merchant Services provider. Financial Services provides the summary below to help departments understand the terms of PCI DSS and the Merchant Agreements so that the credit card practices prescribed by PCI DSS can be incorporated into department business processes.
Terms used in this document:
- Cardholder Data: At a minimum, cardholder data consists of the full PAN (primary account number or card number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code (the three-digit or four-digit value in the magnetic stripe track data that follows the expiration date of the payment card).
- Payment Application: A software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
- PCI DSS: Payment Card Industry Data Security Standard. The PCI DSS applies to all departments that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.
- SAQ: Acronym for “Self-Assessment Questionnaire.” Reporting tool used to document self-assessment results from an entity’s/merchant department’s PCI DSS assessment.
- Virtual Payment Terminal: A virtual payment terminal is web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions, where the merchant (College department) manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card.
- The College’s network is accessed by many systems and many users and therefore is not intended to be secure to the extent required under PCI DSS. Consequently, cardholder data may not be entered and/or saved by College employees on a College computer or transmitted across the College’s network.
- Cardholder data is confidential and should be treated with at least the same level of care as an individual’s social security number and bank account number.
- Never email or fax cardholder data.
- Only departments who have been approved by Financial Services may process credit card transactions.
PCI Goals and Requirements:
The College must adhere to the goals and requirements listed below:
All transactions that involve the processing of payment card data (debit and credit cards) are required to utilize one of the three credit card payment options supported by Financial Services:
- E-commerce (CashNet)
- EMV/Swipe Terminal (dial up only)
- Mobile payments (PayEverywhere)
The College Store and Majestic Theater are the only departments currently authorized to use payment applications. The College only uses payment applications that adhere to Payment Application Security Standards (PA-DSS). All vendors used must be on the list of validated payment applications maintained by the PCI Security Standards Council. A review is done annually to ensure applications are still in compliance.
Practices to assist departments in maintaining PCI DSS compliance:
Departments using e-commerce:
- Cardholder data must always be entered by the customer, never by a department employee on a College computer on the College’s network.
- If a department needs a virtual payment terminal, please contact Financial Services. The costs, which include an additional computer, will be paid by the requesting department, and the request must also receive IT approval. Email and any other type of processing are not allowed on virtual payment terminals.
Departments using EMV/Swipe Terminals:
- Accept cardholder data only via phone, hardcopy or in person (not via email/fax).
- Keep credit card terminals and cardholder data in a secure area.
- Departments may accept the following cardholder data in hardcopy from customers:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- CVV/CVC Code (the 3- or 4-digit number on the front/back of a card)
- Process hardcopy credit card information as soon as possible and destroy it once it is no longer needed. Cardholder information should be blacked out and then shredded.
- Cardholder data may not be stored electronically (spreadsheets/word documents).
- Cardholder data and credit card receipts are to be kept in a secure area (locked drawer or safe) with access limited to those employees with credit card processing responsibility.
- Departments should consider contacting Financial Services to have an e-commerce site set up so that there is no need to retain and store cardholder data.
- Credit card terminals should be inspected periodically to look for tampering:
- Ensure no new components or devices have been added.
- Ensure no new stickers have been added and no original stickers have been removed.
- Inspect terminal connection cables for any signs of tampering.
Departments using Mobile Payments:
- Transactions may only be transmitted via a cellular data network. Under no circumstances is credit card data permitted to be transmitted via Wi-Fi / wireless networks.
- Mobile payments may only be accepted via a Financial Services and IT approved device.
- An approved device may be used only for credit card transactions. No other features such as web-browsing, e-mail or other apps may be used on the device.
- Mobile payment devices are meant to process credit card transactions immediately. If cardholder data must be written down because no cellular network is available, the cardholder data may not be saved electronically; it must be stored securely and shredded as soon as it is no longer needed.
If a department suspects that cardholder data has been compromised, Sharon Dayhoff (firstname.lastname@example.org) should be notified immediately.
Financial Services is responsible for submitting the annual SAQs required by the PCI DSS. Department support may be requested in completing the SAQs (one is completed for each merchant ID).
Merchant Services Agreement Obligations:
- Departments are assigned a merchant ID based on sales channel (i.e. e-commerce/internet; card not present – mail order/telephone; card present (in person) – swipe, point of sale).
- Contact Financial Services to update merchant ID settings if the sales channel or the products available for sale change.
- The card number displayed on a receipt should be truncated. A full PAN should never be printed.
- The expiration date is required as part of the authorization process.
- Submit a charge for processing no sooner than when the goods are shipped and/or the services are performed.
- The refund policy should be clearly stated in all materials.