General University Reference Utility
To outline the University's Policy on the acceptance of electronic payments, specifically credit cards, as a form of payment by University areas or departments. For the purpose of this policy, the term "credit cards" shall also be construed to include "credit-card-branded," "debit cards" and "check cards." Only units which have established merchant accounts approved through the Corporate Controller's Office are permitted to accept credit cards as payment.
Systematic online acceptance of other forms of electronic payment, such as wires, EFTs and ACHs, must be approved by the Corporate Controller. The use of third-party payment services, such as PayPal, to process payment for goods or services offered by any University unit is not permitted unless explicitly approved by the Corporate Controller.
Units which have a need to accept credit cards as a form of payment must carefully weigh the benefits and costs related to credit card processing. Security requirements for credit card data are strict and if not enforced, can result in significant monetary fines as well as damage to the reputation of the unit and the University. The Budget Executive in the unit must approve the establishment of all merchant accounts and related terminal IDs within their area of responsibility. Prior to approval, the Budget Executive must consider technical, financial and administrative issues and costs arising from the acceptance of credit cards versus the business need for accepting such payments.
All revenues received through electronic payments must be for the benefit of Penn State and should be processed as outlined in FN01. Penn State University does not permit the acceptance of electronic payments on websites which are hosted on Penn State computers and served by Penn State networks or servers, including PSU-provided personal webspace, unless the area has an approved merchant account. If an individual has the need to accept electronic payments on PSU-provided personal webspace (for example, in support of an academic journal), payment processing should be managed through Penn State’s eCommerce solutions. The individual may not collect or store electronic payment information through the personal website which is part of the Penn State network. In no case may electronic payments, even through third-party vendors, be accepted for any commercial enterprise which results in personal gain to the individual involved as outlined in policy AD20.
The University has a responsibility to its customers to protect credit card information, as well as to comply with the Payment Card Industry Data Security Standard (PCI DSS). The only credit card data that can be retained, on paper or electronically, is the last 4 digits of the card number, the expiration date and the card type. Other credit card data, including the full card number (PAN), CVC2/CVV2/CID data, PIN/PIN block and track data from the full magnetic stripe, cannot be stored post-authorization. This applies to all University systems, including the AIS eCommerce server, any University servers used or hosted by a third party, and locally maintained systems, including databases, spreadsheets, email, imaging systems and paper files. Exceptions must be specifically approved by the Corporate Controller.
The University also has a responsibility to protect any other payment information that may be personally-identifying information, as covered in policy FN23.
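The retention rule above is only enforceable if units can find prohibited data that has crept into local spreadsheets, email and notes. The following is an added illustration, not part of this policy or of any Penn State tool: it scans text for full card numbers (filtered with the Luhn check so that order and confirmation numbers are not flagged), magnetic-stripe track data and CVV-style fields, and builds the only record the policy allows a unit to keep. The sample lines, field names and card numbers are constructed (the PANs are the standard industry test numbers, not real cards).

```python
"""Find card data that may not be stored post-authorization, and build
the retainable record. Added example; patterns and sample data are
assumptions, not University-specified formats."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 starts "%B<PAN>^<NAME>^<YYMM>", track 2 starts ";<PAN>=<YYMM>".
_TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")
_TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Labelled security codes, e.g. "cvv=123" or "CID: 1234".
_CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]?\s*\d{3,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_forbidden_data(text: str) -> list[tuple[str, str]]:
    """Return unique (kind, match) pairs for data the policy forbids storing."""
    findings = []
    for m in _TRACK1_RE.finditer(text):
        findings.append(("track1", m.group()))
    for m in _TRACK2_RE.finditer(text):
        findings.append(("track2", m.group()))
    for m in _CVV_RE.finditer(text):
        findings.append(("cvv", m.group()))
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops most non-card digit runs
            findings.append(("pan", digits))
    return list(dict.fromkeys(findings))


def scan_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan each line (a spreadsheet row, email line, note) and report hits."""
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value in find_forbidden_data(line)]


def retainable_record(pan: str, exp: str, card_type: str) -> dict:
    """The only card fields the policy permits after authorization."""
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
        raise ValueError("not a plausible PAN")
    return {"last4": digits[-4:], "exp": exp, "card_type": card_type}


# Constructed sample lines (assumed formats; the PANs are industry test numbers).
SAMPLE_LINES = [
    "order=2024-000123, name=J. Doe, card=4111 1111 1111 1111, exp=12/25, cvv=123",
    "Customer called re: order 2024-000124, last4 0004, type Visa",
    "%B5500000000000004^DOE/JANE^2512101?;5500000000000004=25121011000?",
    "Phone 814-555-0123, conf# 9876543210123",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {kind}: {value}")
    print(retainable_record("4111-1111-1111-1111", "12/25", "Visa"))
```

Only lines 0 and 2 are reported: line 1 holds exactly the permitted fields, and the 13-digit confirmation number on line 3 fails the Luhn check and is ignored. Scanning like this is a local hygiene check, not a substitute for the quarterly scans and self-assessment questionnaire the policy requires.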
All University units with merchant accounts, including all terminal IDs tied to a merchant account, are responsible for the following:
- Compliance with all merchant rules established by the credit card companies which apply to the unit, which are available for review on the PSU Merchant Management website;
- Compliance with the Payment Card Industry Data Security Standard (PCI DSS), including completion of the annual self-assessment questionnaire;
- Completion of required testing of security systems, network processes, and scheduling of quarterly scans, if processing credit cards through a network;
- Establishment of clear policies regarding returns and refunds, in compliance with University policy and merchant rules; and
- Notification to Security Operations and Services (SOS) of potential breaches.
Special charges or discounts resulting in a price differential between a credit card transaction and a transaction paid by cash or check are not permitted. For example, merchants are not permitted to charge an additional fee if a payment is made by credit card rather than by cash or check. Merchants must incorporate all costs related to credit card processing into the fees charged for goods and services. The only exceptions are a convenience fee for student account payments through eLion, or exceptions permitted under the conditions of the credit card merchant rules which have been reviewed and approved by the Corporate Controller.
Compliance - Merchants who are not compliant with approved security, storage and processing procedures under both University and PCI DSS requirements will have their merchant accounts revoked or suspended.
Security Issues - The unit's network connection may be disabled due to a breach or other security issue. Employees involved in breaches of credit card information are subject to the full range of sanctions, including loss of computer or network access privileges, disciplinary action, suspension, termination of employment and possible legal action. Some violations may constitute criminal offenses under local, state or federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.
ESTABLISHING A MERCHANT ACCOUNT OR TERMINAL ID:
University units that wish to accept credit cards as a form of payment must first collaborate with the Financial Officer and IT leader for the administrative area to determine if applying for an account is appropriate. In some cases, a unit may have a merchant account, but may have a need to set up a unique Terminal Identification (TID) under that merchant account for a particular unit. If agreement is reached that a merchant account and/or terminal is appropriate, the unit must apply by completing a Credit Card Processing Merchant Request (available on GURU). This application must be completed in full, with the required signatures obtained. The Financial Officer is responsible for forwarding the request to the Corporate Controller's Office for final approval and processing.
Units applying for a merchant account or terminal ID must have a clear business purpose for processing credit card transactions, and will need to identify annual expected dollar volume, transaction volume and the expected means of receiving credit card information (in person, phone, fax, mail, web). Units are responsible for all setup, operations and maintenance costs, including security and breach management. On the application form, the unit must indicate which credit card processing method will be used. Applications for merchant accounts may be denied if it is determined that another unit should be processing such payments, for example:
- Only the Bursar and Outreach may process credit card transactions for fees on the student account.
- Conferences and other programs with an external audience must be arranged through Outreach, per policy AD03.
If an application for a new merchant account or terminal ID is approved, the Corporate Controller's Office will coordinate with the credit card processor to establish a new merchant account (or terminal ID). The Corporate Controller's Office will notify the Financial Officer when the account is established.
If any changes are made in how credit card transactions are processed (e.g., moving from POS terminals to AIS eCommerce Services), a revised Credit Card Processing Merchant Request must be submitted and approved.
CONTROL AND REPORTING:
It is the responsibility of the area that accepts credit cards to assure that all credit card sales are recorded on area and University accounting records. The selling unit must establish strict internal controls and reconciliation methods to assure that credit card sales have been properly recorded on central University records. In addition, credit card sales must be reported to the University on a Report of Cash Receipts (ROCR), through the appropriate Integrated Student Information System (ISIS) reporting channels, or through the Report of Electronic Cash Receipts (RECR) available for those processing through AIS eCommerce services. Credit card sales must be reported to the University the same day or the following business day that they are reported to the contracting bank (upon settlement).
TERMINATING MERCHANT OR TERMINAL IDs:
Units that no longer have a need for a merchant or terminal ID must contact the Corporate Controller's Office, through their Financial Officer, to formally terminate the merchant ID or terminal ID. The Corporate Controller's Office will notify other offices, such as AIS eCommerce Services and Security Operations and Services, and will contact the processor to close the account. Units are responsible for maintaining records for three years even after the merchant account or terminal ID has been closed.
RETURN AND REFUNDS:
Selling units which participate in credit card sales must offer an equitable exchange or return policy. In cases where the customer wishes to return a purchase for credit, or receive a refund for unused services, a credit must be issued via the same credit card that was used to process the original sales transaction. Refunds by cash are not permitted. Refunds by check are permitted only when a credit cannot be issued through the original credit card processing resources. Refer to Policy FN08 for guidance on refunds by check.
DOCUMENTATION OF CARDHOLDER COMPLAINTS:
As a merchant, units are required to keep a written record of all customer complaints where a credit card was used for payment. The following information must be included in the written record for future reference:
- Cardholder’s name
- The unit's reference number, account number or order number (not the full credit card number)
- The date and time the cardholder asserted the claim
- The nature of the claim
- The action taken to resolve the dispute (this section should be very detailed)
This documentation should be kept with the original transaction information so that everything is together and can be accessed in the future if needed.
Handling of cardholder complaints/disputes must follow the specific procedures as required by the Merchant Services Agreement and comply with the Fair Credit Billing Act. The University processor should be contacted with any questions regarding the handling of cardholder complaints.
Chargebacks must be responded to on a timely basis. More detail on chargeback procedures is available on the PSU Merchant Management website.
For questions, additional detail, or to request changes to this policy, please contact the Office of the Corporate Controller.
More detailed information about the processing of credit card sales is available on the PSU Merchant Management Website.
Effective Date: November 30, 2010
Date Approved: November 29, 2010
Date Published: November 29, 2010 (Editorial changes- September 25, 2013)
Most recent changes:
Revision History (and effective dates):