University Payment Card Acceptance/E-Commerce Guidelines

Direction by Jeffrey J. West, Associate Vice President as of January 22, 2007

In addition to students using credit cards for payment of tuition, many other areas of campus now have the capability of accepting credit cards as payment for goods or services provided to the campus community and the public. Examples of these activities include purchase of tickets for athletic and cultural events, payment of parking fees/fines, student housing, etc. The University also accepts credit cards in their fund raising efforts. When processed electronically, using the internet, these credit card payments flow directly and seamlessly into the University’s bank accounts through a system known as “UMarket”;. This is the only official, approved method that the University supports for accepting credit card payments.

We recognize that occasionally your department may contemplate the purchase and implementation of software from a third party to meet the specific business needs you have in supporting students, faculty, researchers, and other “customers” of your department. Along with the specialized and desired functions provided, the software often has the ability to accept web credit card payments for these services. If the department has notified us prior to the purchase of the software, we have a chance to persuade the vendor to use our credit card processor (UMarket). We have been successful with having several of these third party vendors interface to UMarket. If the department has notified us prior to the purchase, such interfaces to UMarket become extremely problematic for the institution as a whole, despite the benefits provided to your department by the primary features of the software.

As the demand grows for additional departments accepting credit cards on campus, the University must manage the increased volume and complexity of potentially dealing with multiple interface requirements. In order to mitigate these problems, we have developed the following guidelines. Your support and cooperation in following these guidelines will insure that our limited administrative resources are used efficiently and that banking and accounting requirements can be met in the most effective way possible in conducting the business of the University. In addition to guidelines relating to accepting credit card payments electronically using the internet, we have also addressed how to process manual credit card payments at the end of this document.

Questions regarding acceptance of credit cards for payments to your department should be directed to Stuart Schrager, PCI Program Manager – Income Accounting and Student Loans (801-585-5686).

Bank Card E-Commerce Electronic Payments:

UMarket is the official University of Utah e-commerce application. UMarket allows departments to accept on-line bankcard payments using Visa, MasterCard, American Express and Discover. Departments can use UMarket to accept on-line payments for bills, merchandise, classes or seminars, donations, event tickets, housing, fees, magazines, or almost anything that a department collects money for. The benefits of using UMarket include:

  • Next day deposit to department Chartfields.
  • Full account reconciliation.
  • Accurate reconciliation with the University’s bank account.
  • Maximum earned interest.
  • Reduced department costs, including low merchant fees.
  • Refunds are made promptly to customers at department’s request.
  • The ability to purchase multiple items with one transaction, on-line, once.
  • A customizable interface with the U-Market application.
  • The department’s website is hosted on U’s secure web server

The following guidelines provide procedures and responsibilities to assist departments when they are considering an on-line payment application.

GUIDELINES:

  • Whenever a department is considering the purchase of software that has an e-commerce application, and there is the possibility that they will want to accept on-line payments through this application, they must confirm with the third party vendor that their software will allow bankcard payments to be processed through the University’s UMarket processor.
  • Third party vendor software purchased by departments must have the capability to process the e-commerce payments through UMarket .
    • An interface, between their software and the UMarket system, is usually required to complete this process. Departments should contact Administrative Computing Services, who manage the UMarket system, to elicit their involvement in negotiating the interface to use the UMarket bank card processor, the department must find a vendor who can, or forego allowing on-line payments to be made via credit card.
  • Departments must use UMarket to assure that the payments:
    • Are processed to the University’s bank account the next day.
    • Are processed and credited for the correct deposit amount.
    • Are refunded properly should there be a need to refund the payment.
    • Are processed with the lowest merchant rates.
    • Are processed with a Payment Card industry (PCI) compliant processor.
    • Comply with all the audit requirements.
    • Earn all interest due to the University
    • Have a timely, accurate, daily reconciliation, and monthly bank reconciliation.
  • Departments using UMarket have the responsibility to:
    • Perform a daily reconciliation between their department’s application and the UMarket totals.
    • Ensure that their applications are processing the assessing correct amounts.
    • Provide any changes to chard field numbers, contact names, and phone numbers to the UMarket custodian.

DEPARTMENTS CURRENTLY USING THIRD PARTIES FOR E-COMMERCE:

Departments who use a third party vendor must ensure that the following occurs:

  • Perform a daily reconciliation between their department’s applications and the third party vendor’s totals.
  • Ensure that their application is processing and assessing correct amounts.
  • Verify that the correct daily amounts are being deposited to the University’s bank account.
  • Verify that monies are being deposited to the bank the day after the vendor receives the money.
  • Allowable refunds are given promptly to the customer by the third party vendor.
  • Daily deposits are credited to the department’s chard fields daily.
  • The third party vendor is PCI compliant.
  • If accepting in-person or over the phone payments, a point-to point encrypted device must be used.

SETTING UP WEBSITES AND USING UNIVERSITY RESOURCES:

  • Complete an e-commerce application on-line.
  • If a department has a website that has already been created, a link can be made to the Umarket check out page.
  • Departments must pass an audit by the University’s information Security Office. (ISO)
  • A department may request assistance from UMarket-Lorrie MacGregor 801-581-3132 to set up their website.

RECONCILIATION PROCESS:

  • Departments should reconcile the previous day’s transactions by comparing the amount their website has in total payments to what the UMarket system displays.
  • Access to web credit card totals is through a secure query on the employees Campus Information System (CIS). Sign into the CIS screen and select “Finance/Accounting”, select “WFG CREDIT CARD DETAIL”. Security is granted to the responsible employee reconciling the e-commerce payments.

MAINTENANCE AND SECURITY OF BANK CARD INFORMATION:

  • Departments need to be sensitive to the issues surrounding accepting credit card numbers as part of a business transaction. The department and University can be held liable for improper usage of credit card numbers.
  • Any credit card information should not be stored on the department’s computers.
  • Any credit card information written on paper or sent by e-mail, should be destroyed once the payment has been processed.

COSTS:

  • The credit card companies and the bank assess merchant fees for all bankcards, monthly. The monthly fee is charged on the amount of transactions collected and is charged to the department’s account by a journal entry.
  • There is a quarterly administrative assessment, charged by the University, based on the department’s sales volume for each quarter. This assessment covers the cost of maintaining PCI DSS compliance, vulnerability scans, penetration tests on servers storing sensitive cardholder data, and the administration of the compliance requirements. See direction from Jeffrey J. West, Associate Vice President of FS, September 4, 2009.

UNIVERSITY POLICY REQUIREMENTS:

Bank Card Manual Payments:

The following guidelines provide procedures and responsibilities to assist departments when they are considering accepting credit cards via a manual-type process, where the payor is either physically present or communicating verbally over the phone (not on-line).

HOW TO GET STARTED:

  • Contact Income Accounting and Student Loan Services to request to have a merchant account set-up by the bank.
    • The contact person’s name and address needs to be identified.
    • A designated phone line, fax machine phone line, or a computer port is necessary for the equipment to process payments.
  • Be prepared to give details of what the account is for, including:
    • The number of transactions processed annually.
    • The average transaction amount.

PURCHASE OF EQUIPMENT:

  • The location address, number of credit card machines, and the type of transactions to be processed, is required. (i.e., debit card PIN pad).
  • Once the equipment is received, it will need to be initiated to accept payments.

DEPOSITING PAYMENTS:

  • The credit card machine should be settled and closed out every day that payments are input.
  • A separate departmental deposit form must be prepared per day.
    • Each card type, per settlement, must be listed as a separate deposit in the RECAP part of the form.
    • The deposit/settlement dates must be the same for all individual deposits, on the departmental deposit form.

COSTS:

  • There is a onetime charge for credit card and/or debit card PIN machines. Prices vary according to the machine.
  • The credit card companies and the bank assess merchant fees for all bankcards monthly. The monthly fee is charged on the amount of transactions collected and is charged to the department’s account by journal entry.
  • There is a quarterly administrative assessment, charged by the University, based on the department’s sales volume for each quarter. This assessment covers the cost of maintaining PCI DSS compliance, vulnerability scans, penetration tests on servers storing sensitive cardholder data, and the administration of the compliance requirements. See direction from Jeffrey J. West, Associate Vice President of FS, September 4, 2009.

MAINTENANCE AND SECURITY OF BANK CARD INFORMATION

  • Departments need to be sensitive to the issues surrounding accepting credit card numbers as part of a business transaction. The department and University can be held liable for improper usage of credit card numbers.
  • Any credit card information should not be stored on the department’s computers.
  • Any credit card information written on paper, should be destroyed once the payment has been processed.
  • Credit card receipts, settlement reports, and any attached documents, must be kept in a secure place that is locked with access granted only to necessary employees.
  • Credit card information should be held for six months and then be shredded and destroyed.