Credit Card Handling

Getting Started

Accepting credit and debit cards improves a customer’s experience while also creating greater efficiencies in payment collection. However, having this convenience requires thorough preparation and constant vigilance in order to maintain card data security. This page outlines what a department needs to know and do to become a merchant. Under no circumstance should a department contract with a credit card processor to begin accepting credit/debit cards. Departments cannot accept credit/debit cards until they have the approval of the Office of the Bursar.

Payment Processing Options

Payment cards can be accepted using terminal, point-of-sale, or online systems:

• Terminals are small, desktop devices that can process credit and debit transactions and allow users to tap, swipe, insert a card (chip and PIN), or to enter information manually.
• Point-of-sale (POS) systems are computers specialized to process payments for a department’s specific business needs—typically one or more PCs connected to a central server or to a hosted environment. A POS system is more complex than a terminal and requires additional security and maintenance. POS systems support the same credit and debit payment cards and entry methods as a terminal. 
  • Note! Please contact the Office of the Bursar before you purchase any POS hardware or software. We will work with you to ensure that the POS system you are looking to purchase is compatible with the university’s credit card processor and meets any or all operational and security requirements.  The purchase must also be managed by Procurement.
• Online (ecommerce) applications enable departments to accept credit and debit payments over the internet. The Office of the Bursar can create eMarket sites for online payment processing. Departments that have their own ecommerce system can use a Transact Payments Checkout gateway to handle payment processing. Integrating with a Transact Payments Checkout gateway requires some programming but eliminates any card data security requirements for a department’s web site. 
  • Note! Departments are not allowed to accept payments via PayPal, Venmo, Square or other methods which require funds to flow to personal bank accounts. Contact the Office of the Bursar so that we can assist you with a solution.

All these methods can process Visa, MasterCard, American Express, and Discover cards. Departments may determine which of these cards they want to accept, although most accept all four brands. Any payment processing choice(s) must be approved by the Office of the Bursar before any transactions will be processed.

First Steps

1. Obtain approval to become  a cash handling department by completing the Departmental Cash Collection Application found on our Cash Handling page.
2. Review our  PCI Information Security page to understand what is required for your department to  comply with all card data security standards.
3. Ensure that employees complete the annual Cash Handling and Credit Card Security Awareness Training. This training is required for all employees who handle payment card data.
   • Faculty/staff employees (not student employees)
     • Connect to Blackboard from the Quick Links located at ohio.edu.
     • Select Organizations.
     • Select Professional Development Pathways.
     • Select Finance Pathway, Core Learning.
     • Click on Cash Handling and Credit Card Security Awareness training
   • Student employees
     • Submit a list to bursar@ohio.edu with the student employee name, OHIO id (email address), PID number, and location where they are employed.
     • Student employees will be provided with access to the student developed training.
     • Once access is provided, access instructions will be emailed to the student employee.

What to Expect

Once your request to begin accepting payments has been approved, we will notify your department and work with you to set up the payment options you have chosen.

 

• Terminals require a new merchant ID to be established with the university’s credit card processor. Allow up to four weeks for that process to complete. 
• Point-of-sale systems' setup time will vary widely. If a new merchant ID is required, allow six to ten weeks for that process to complete.
• Online merchant setup time is determined by how quickly you can integrate your website with Transact Payments.
• eMarket setup is dependent upon the complexity of your offering.  Review our eMarket  page for more information.

Responsibilities

The Office of the Bursar has the responsibility and authority to:

• Develop and issue operating policies and procedures for handling merchant cards and merchant card services.
• Provide general supervision of merchant card operations.
• Develop and maintain processes and systems.
• Enforce compliance with the Payment Card Industry Data Security Standard (PCI DSS) for credit/debit card security.
• Investigate breaches involving cardholder information and recommend disciplinary action.

 

The OIT Security Office has the responsibility and authority to:

• Develop and issue operating policies and procedures for handling merchant card services.
• Enforce compliance with the Payment Card Industry Data Security Standard (PCI DSS) for credit/debit card security.
• Investigate breaches involving cardholder information and recommend disciplinary action.

Departments authorized to accept credit/debit card payments are responsible for:

• Documenting departmental procedures in detail, to include:
  • Methods of payment card acceptance.
  • Step-by-step instructions on how to process payments.
  • A complete list of all departmental PCI trained employees.  The Cash Handling and Credit Card Security Awareness training is the only approved means to meet this requirement.
• Participate in site visits so that a Self-Assessment Questionnaire (SAQ) for your merchant location can be completed annually.
  • The Office of the Bursar and OIT Security office will coordinate the visit with the department manager and complete the SAQ on the department’s behalf.
• Complete a payment processing equipment inventory audit annually and inspect devices often. Inspections must be documented.
• Reviewing and understanding the content and requirements contained on the PCI Information Security page.
• Exercising reasonable care in screening charge transactions to reduce credit card misuse and loss of funds.
• Ensuring that all employees annually complete the required Cash Handling and Credit Card Security Awareness Training.
• Assisting the Office of the Bursar with responding to chargebacks.

 

Employees handling credit cards are responsible for:

• Keeping all cardholder information secure.
• Reviewing and understanding the content and requirements contained on the PCI Information Security page.
• Annually complete the Cash Handling and Credit Card Security Awareness Training.

Definitions

Cardholder Data (CHD)
Cardholder data consists of the full primary account number (PAN), cardholder name, expiration date and service code.

Chargeback
A chargeback is the reversal of a credit card payment previously received.  If a department fails to prove that a customer authorized a credit card transaction, the amount of the transaction will be deducted from the department's account.

Merchant Department
A university department that accepts credit and/or debit cards as a way to pay for goods, services, information, or gifts.

Primary Account Number (PAN)
The PAN is a unique credit or debit card number that identifies the issuing bank and the cardholder account.

Point of Sale (POS)
Hardware and/or software used to process credit/debit card transactions at merchant locations.

Redact
The process of removing sensitive or classified information from a document before it is stored.

SAQ
Acronym for “Self-Assessment Questionnaire.”  Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.

 

Accept Cards for Payment

Departments authorized to accept credit or debit card payments must exercise reasonable care in screening transactions to reduce credit/debit card misuse.

Fiscal officers and operations managers must acquaint themselves with the information found on this page and PCI Information Security page.  That information should be incorporated as part of training provided to staff who are processing transactions.    

Procedure

To accept cards for payment:

Card Present (in person purchase) – Chip Cards

1. Ask customer to insert card into the chip ready device and leave the card in the device during the entire transaction. Alternatively, the card may be tapped if tap is enabled on the terminal and the customer’s card allows for this.
2. The chip card and terminal will determine if a PIN or signature is required for verification.
3. If a PIN is required, the device prompts the customer to enter it. (When a PIN-based transaction is approved, the customer retrieves the chip card from the terminal. There is no opportunity for you to examine the card.)
4. If the transaction is PIN-verified, there is no need for a signature.
5. If the customer does not know their PIN, ask for another form of payment.
6. Print, email, or text a copy of the transaction receipt for the customer.
7. If the transaction is not PIN-based, the receipt may have a signature line for the customer to sign.

Card Not Present (mail, telephone, or web order)

• Mail or Telephone:  Most safeguards for card not present purchases are embedded in the software or terminal. When you process the transaction, the system or terminal will prompt you to enter information, such as the customer's billing address and the card security code, which is designed to reduce fraud.
• Web Order: If your department has an e-commerce website, do not enter card information for customers or accept payment information by email, chat, instant message, or any similar messaging technology, as that increases security risks. Direct the customer to your sales website for the customer to make the purchase for themselves.

 

Respond to Chargebacks (Disputed Transactions)

Cardholders have the right to dispute transactions they claim were not authorized or were charged in error. Disputed transactions that remain unresolved can negatively affect the ability of the University to continue accepting credit/debit cards.

Responding to disputed transactions:

1. When a cardholder disputes a charge with their financial institution, the Office of the Bursar is contacted.
2. The Office of the Bursar provides transaction details to the dispute resolution contact at the merchant department. They ask the department to provide supporting documentation (copy request) regarding the transaction.
3. The department dispute resolution contact has 2 business days to respond with the requested documentation. There is no grace period. If you miss this deadline, the revenue from the transaction will be debited from your department's account.
4. The Office of the Bursar forwards the documentation (rebuttal) to the university’s merchant processor.  The rebuttal is sent to the customer’s financial institution who reviews it and makes a decision. The department may be asked to provide additional information.
5. The disputed transaction is decided in favor of either the merchant department or the customer. The Office of the Bursar posts any adjustments to the department's account.

Refund a Transaction

When an item or service is purchased using a credit or debit card and a refund is necessary, the refund must be credited to the same card account from which the purchase was made.

To refund a transaction:

• Process the refund through the same technology used to make the original sale (for example, terminal, web, Point of Sale (POS) system).
• Always credit the same card account used in the original sale. Do not issue cash or a check.
• Do not refund more than the amount of the original sale. Do not consolidate multiple refunds in one transaction because that can cause the transaction to be flagged as possible fraud.

 

Reconcile Credit/Debit Card Transactions

The Office of the Bursar posts receipt transactions to Oracle each business day. Departments must reconcile their internal sales records with the amounts posted to Oracle regularly. Departments must also perform a monthly reconciliation to ensure that their sales log matches the amounts posted to the Oracle general ledger. Reconcile all accounts to be sure all revenue has been posted properly in Oracle. If there is a discrepancy, contact the Office of the Bursar as soon as possible at cashier@ohio.edu.           

 

Keeping Merchant Card Records

Records are official and trustworthy documents used for accountability and transparency. Requirements for retaining records are mandated by federal and state laws and regulations. Merchant card records consist of documentation of orders, sales receipts, settlement reports, and Payment Card Industry (PCI) self-assessment questionnaires (SAQs) and related documents.

Your department must retain sales receipts and order forms in a PCI-compliant manner. Retain these records for the current fiscal year and 4 previous fiscal years. Destroy records from these expired records as is convenient, but at least every month. Card numbers must be redacted immediately upon processing a transaction. If a transaction is being disputed, keep the transaction records until the dispute is resolved.

For assistance, consult the Office of the Bursar.

 

Store Cardholder Data on Paper Securely

Because storing cardholder data on paper increases the risk of a security breach, avoid doing so unless you have a strong business need.

To store cardholder data on paper securely:

1. If you believe you have a business need to store cardholder data, consult with the Office of the Bursar to confirm your business need and determine the best method for storage. Do not store cardholder data without receiving approval from the Office of the Bursar to do so.
2. Follow these minimum PCI Standard for any paper that contains card information:
   • Store all materials containing cardholder information in a locked file cabinet, safe, or other secure storage mechanism in a restricted/secure area.
   • Never store sensitive authentication data such as CVC2/CVV2/CID or PIN after the sale has been processed.
   • Limit access to sales drafts, reports, or other sources of cardholder data to employees on a need-to-know basis.
   • Make sure all identifying information is removed or redacted according to the information provided on this page under Redaction.
   • Show only the last four digits of the credit/debit card account number on printed receipts.
   • Conduct a periodic inventory of stored paper forms to account for all credit/debit transaction documents. When destroying paper forms that contain cardholder information, render them unreadable by using a cross-cut shredder.
   • Do not store card information in any electronic system, including customer databases or spreadsheets.

Redaction

Redaction is the process of removing sensitive or classified information from a document before it is stored.

To redact information from a paper document:

 

1. Before scanning a document (use either of the following methods):
   • Physically cut out all the text to be redacted and dispose of the clippings by cross-cut shredding or by using an officially approved document destruction service, such as Shred-It.
   • Use opaque tape or paper to completely cover the sections to be redacted.
2. After completely cutting out or covering the text to be redacted, copy or scan the document, making sure no un-redacted sensitive personal information is visible; use the resulting copy or image.
3. Cross-cut shred the paper document.

Insufficient redaction methods

Do not use the following methods to redact information from documents, as they are insufficient:

 

• Changing text color: Changing the redacted text's font color to match the document's background color leaves the redacted text easily discoverable to anyone who clicks and drags over the area using a mouse.
• Covering or highlighting text: Covering redacted text with images or comments, or highlighting text with a matching color, leaves the redacted text discoverable.
• Deleting only visible data: Digital files retain embedded and hidden metadata containing revision history and other information. Metadata can reveal anything that was contained in the file at any time, even text that was previously deleted or changed, and even if the file was re-saved. Metadata can be useful for tracking revisions, but if it is not purged from the document, anyone can view deleted information, even after the document has been converted to PDF format.
• White Out or Correction Tape: White out or correction tape can be removed from the document exposing the sensitive data.
• Black marker: A hard copy of a document redacted with black marker may still provide enough image detail to enable someone to see what was assumed hidden; this method is especially risky if that same data repeats multiple times across a document.

Payment Card Acceptance Requirements

IN PERSON
The card must be inserted (chip) or tapped on a card processing terminal or PIN pad. Follow the prompts given by the terminal or PIN pad. Do not keep any card information after a transaction has completed.

PHONE
Card and account information can be keyed into the card processing terminal. Follow the prompts given by the terminal. If any card information is written down while entering a transaction, that information must be cross-cut shredded once the transaction has been completed.

FAX
Most PC-based FAX software does not provide a secure repository for storing incoming FAXes, therefore the best method to accept card information is by a standalone FAX machine in a controlled location. Treat these FAXes the same way as you would treat cash.

Card information can be keyed into the card processing terminal. Follow the prompts given by the terminal. Once a transaction is complete, the card information on the FAX must be redacted. If an entire FAX must be kept, removing the card information from the document is preferable.

MAIL
Card information can be keyed into a card processing terminal. Follow the prompts given by the terminal. Once a transaction is complete, the part of the mailed form containing card information must be redacted in the approved manner.

EMAIL
Card information must never be accepted in an email message. If a customer sends card information by email, delete that email, also deleting from your deleted items or trash folder.  Send a response to the customer that card information is not accepted by email. In the response, give the customer a list of alternative methods of sending their card information (FAX, mail, phone, etc.). When you reply to the original email, delete any card information that was provided before sending the message.

SMS TEXT MESSAGING
Card information must never be accepted in test messaging or any other type of instant messaging system. If a customer sends card information in this manner, delete the message and send a response that card information is not accepted in that manner.  In the response, give the customer a list of alternative methods of sending their card information (FAX, mail, phone, etc.). Be certain when you reply that any card information has been deleted prior to submission.

FORM DESIGN TIP
When designing a form that will have an area to enter card information, put that section at the bottom of the form. After a payment has been processed, the bottom of the form can be cut or torn and then cross-cut shredded. Remove card information before scanning or imaging the form or prepping for other long-term storage. Card information on paper being disposed must always be cross-cut shredded.

PROCESSING DELAY TIP
It is best to accept card information only when it can be processed immediately. If a delay is required and card information must be stored, do not store it in electronic format, and treat the paper containing card information as if it were cash.

 

Security

Protecting customers’ payment card information is more than a great  idea—it’s a requirement. Two sets of standards apply to merchant card-processing units:

• The Payment Card Industry Data Security Standard (PCI DSS) is the technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. The PCI DSS applies to all business entities that store, process, or transmit cardholder data. The Council is responsible for managing these security standards, and compliance is enforced by the founding members' council: American Express, Discover Financial Services, Visa and MasterCard.
• The PCI Information Security page provides additions that relate to the PCI DSS.

It is each merchant department's responsibility to follow all policies and procedures in the PCI DSS, as well as those put in place by Ohio University. Merchants that do not follow these policies and procedures may lose the ability to accept card payments.

The Office of the Bursar and the Office of Information Technology Security Office are responsible for making sure that all university departments that accept payment cards (for the sale of goods or services) comply with all applicable data security standards. Periodic reviews of each department's processing environment are conducted to ensure that all policies and procedures are being followed. As always, any business operation is subject to formal review by the Office of Audit, Risk, and Compliance.

 

Become PCI Compliant

All department heads must ensure that their department follows the Payment Card Industry Data Security Standard (PCI DSS) to keep payment card data secure. All departments must meet this standard or they will not be allowed to accept credit/debit cards.

Meeting this standard protects your department and the university. Data breaches can result in fines, penalties, loss of privileges from the credit/debit card processor, and damage to the university’s reputation. This standard also protects your customers. Data breaches can lead to identity theft and can result in lawsuits. In addition, customers are reluctant to shop at locations with a history of data breaches.

 

Procedure

To become PCI compliant, consult with the Office of the Bursar and the Office of Information Technology Security Office. They will help you determine your compliance in the areas below:

• Build and maintain a secure network
• Protect cardholder data
• Maintain anti-virus software
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Validate PCI Compliance Annually

All departments that accept credit/debit cards must follow the Payment Card Industry Data Security Standard (PCI DSS) for credit/debit card security. Departments must validate their compliance with the PCI DSS each year.

Before making any changes to how you process credit/debit payments, contact the Office of the Bursar to ensure that you remain in compliance. You may need to re-validate compliance before the next scheduled annual validation.

To validate PCI compliance annually:

1. The department manager or designated contact will be contacted by the Office of the Bursar to schedule a physical or virtual site visit. 
2. Participate in the site visit for the purpose of assisting in the completion of a Self-Assessment Questionnaire (SAQ).
3. Confirm that all staff are staying current with their annual Cash Handling and Credit Card Security Awareness training.

Payment Card Industry Standards

All University departments that accept payment cards must follow all the requirements in Payment Card Industry Data Security Standard v4.0 and in the PCI Information Security page.

The most essential documents for complying with PCI DSS are provided in the following list:

• PCI DSS v4.0 (PDF) is the complete requirements list.
• PCI DSS Summary of Changes v3.2 to v4.0 (PDF) notes only the changes from version 3.2 to 4.0 (in December 2022).
• PCI DSS v4.0 Quick Reference Guide (PDF) provides a snapshot of the standard, with supplemental information for persons new to it.