V. New Merchant Accounts

University entities that wish to accept credit cards as a form of payment are strongly encouraged to first consult their departmental budget officer and IT manager to determine whether merchant card processing is warranted for business purposes.  If the determination is to move forward with obtaining a merchant account, the entity must apply for merchant account privileges using the Merchant Card Request Application: https://finapps.bo.uiowa.edu/MerchantAccount/.  When the request form has been approved by the budget officer responsible for the unit initiating the request, the form is routed through Workflow to the University Controller and, where applicable, the Chief Information Security Officer for final approval (or denial).

Applications that have been approved by the University Controller will be forwarded to Treasury Operations, which is responsible for requesting new merchant accounts from the University’s credit card processor.  Merchants MAY NOT set up their own banking relationships for payment card processing, and revenue received from payment card sales must be deposited into a designated University bank account.

Treasury Operations negotiates all banking and card processing relationships on behalf of the entire University, leveraging discounts based on larger volumes and internal controls that are not available at the departmental level.

Merchants will automatically be set up to accept MasterCard, Visa and Discover.

A.  Preferred Methods for Credit Card Processing

There are many different methods for processing credit card transactions.  Because of PCI DSS requirements, the University strongly encourages some methods over others.  Preferred methods include:

  1. Approved Gateways:  These are credit card processing services that can be integrated with web sites that need to collect payments.  
    1. Hosted pay page (HPP) is a gateway used with a website, where customers enter their credit card information on the provider's page rather than on University systems.  This method is used strictly for transactions initiated on the Internet and is preferred because a link to the HPP is embedded in the ecommerce website and transparently redirects the customer to the HPP provider's website, so cardholder data is never collected or stored by the University's web server.  The University strongly recommends the use of the University's processor gateway solution, since it is Payment Application Data Security Standard (PA DSS) compliant and provided by the University's credit card processor.
    2. Authorize.net is a vendor gateway that is approved and compliant with the PA DSS standard.  It is a supported integration with the UI's credit card processor.
    3. Payflow Pro is a vendor gateway program that can be used to integrate a custom web form directly with the credit card processor.  This method is only intended to meet specific needs, and carries additional control requirements to ensure the form is programmed securely. Each use must be approved by the University Chief Information Security Officer and the University Controller.
  2. Credit Card Terminal: This is a separate machine, commonly associated with small to medium size merchant accounts, where a card can be inserted or “swiped” to transmit data for authorization of the transaction amount, as well as manual entry for Mail Order/Telephone Order (MOTO) transactions.  This method requires a separate, dedicated PHONE line for the transmission of data to the University’s credit card processor.
  3. Virtual Terminal: This is a web portal that functions similarly to a credit card terminal (see #2 above) but is accessible from any authorized University computer with a connection to the Internet.  This method is primarily used for MOTO transactions.  The University highly recommends the use of the University's processor's virtual terminal solution, as it has been validated as compliant with PA DSS and is the Virtual Terminal application provided by the University's credit card processor.

Departments and units whose needs cannot be met through one of these approved methods must provide business justification for use of a third-party product and obtain approval from the University Chief Information Security Officer and the University Controller before acquiring an alternative system.  A written agreement acknowledging the service provider's responsibility for the security of cardholder data will be required.  Third-party vendors must provide proof of PCI DSS/PA DSS compliance.

B.  Card Processing Requirements

Before any new merchant can start accepting credit cards, the merchant must meet the following requirements:

  1. All persons involved with the processing, accounting and reconciliation of credit card transactions must complete the following Self-Service ICON training courses (Self-Service->Personal->Learning and Development->My Training->Enroll in Course):
    1. WCCARD - Credit Card Policy Training
    2. WSANS1 - UIOWA Security Awareness Training
  2. PCI Compliance & Trustwave
    1. The initial Self-Assessment Questionnaire (SAQ) must be completed no later than 3 months after receiving approval to process credit cards.
    2. For merchants that require external vulnerability scans, scanning must commence no later than 3 months after approval.
  3. The merchant must sign up to access monthly credit card processing statements at Merchant Connect.  Statements are not mailed to merchants.
  4. eDeposit
    1. Read the eDeposit guide on how to post credit card sales and refunds to the General Ledger: https://edeposit.bo.uiowa.edu/edeposit/index.cfm?action=help
