Credit Card FAQs
- Credit cards we accept
- What are the PCI DSS Security Standards?
- What is card holder data?
- Do you store paper documents that have the CAV2 / CVC2 / CVV2 / CID code on them?
- Does your terminal display the full PAN or card number on the machine and print the full PAN or card number on the receipt?
- What is a QSA (Qualified Security Assessor)?
- Who is the QSA Company for UM System?
- What is an Approved Scanning Vendor?
- Who is the Approved Scanning Vendor for UM System?
- What is a convenience fee?
- Can I charge a Convenience Fee to my customers?
- New Retail Merchant Information
- Existing Merchant Updates
- Requesting a new credit card machine
- Using your machine
- Can I request a loaner machine?
- Is there a reporting system that I can have access to in order to view my merchant credit card transactions?
- E-Commerce Frequently Asked Questions
- What are internal controls and where can I find more information?
- What is the records retention policy for credit card receipts?
- What do I do if I suspect that my payment card operation has experienced a breach?
- What are the rules for processing credit card refunds?
- What are the credit card costs?
- Is there an EMV Chip and PIN corporate travel credit card available for University travel overseas?
- American Express (in the process of fully implementing, and the merchants will be notified when completed)
- The PCI DSS (Payment Card Industry Data Security Standards), a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
- The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
Account Data consists of Cardholder Data plus Sensitive Authentication Data, as follows:
|Cardholder Data Includes:|Sensitive Authentication Data Includes:|
|---|---|
|Primary Account Number (PAN)|Full magnetic stripe data or equivalent on a chip|
|Cardholder Name|CAV2 / CVC2 / CVV2 / CID|
|Expiration Date|PINs / PIN blocks|
The following table illustrates commonly used elements of cardholder and sensitive authentication data, whether storage of each element is permitted or prohibited, and whether each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.
|Account Data|Data Element|Storage Permitted|Render Stored Account Data Unreadable per Requirement 3.4|
|---|---|---|---|
|Cardholder Data|Primary Account Number (PAN)|Yes|Yes|
|Sensitive Authentication Data|Full Magnetic Stripe Data|No|Cannot Store|
|Sensitive Authentication Data|CAV2 / CVC2 / CVV2 / CID|No|Cannot Store|
|Sensitive Authentication Data|PIN / PIN Block|No|Cannot Store|
- Per PCI DSS requirements, you are not allowed to store this information electronically or in paper form. If you currently have paper records with the CVV code on them, you need to remove the CVV. You cannot just mark it out with a "Sharpie". However, if you mark it out, photocopy the marked-out original, keep the photocopy, and cross-cut shred the original, then you have successfully remediated your CVV2 paper storage problem.
- Please contact John Layman, 573-882-3318 because your terminal needs to be replaced.
- Per PCI DSS and University policy only the last 4 of the card can be displayed on the terminal and printed on the receipt.
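A way to spot-check receipt or display text against the last-4 rule, as an added example that is not part of the original FAQ or any University tooling. The receipt text is constructed, and the function names are illustrative.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, which valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_full_pans(text):
    """Return digit strings in text that look like a complete card number."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):     # drops invoice numbers, phone numbers, etc.
            hits.append(digits)
    return hits


def mask_pan(pan):
    """Keep only the last 4 digits, as required for terminals and receipts."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed receipt text; 4111111111111111 is a widely used test number.
BAD_RECEIPT = "SALE\nCARD 4111 1111 1111 1111\nINVOICE 0312371237\nTOTAL 25.00"
GOOD_RECEIPT = "SALE\nCARD ************1111\nINVOICE 0312371237\nTOTAL 25.00"

if __name__ == "__main__":
    for name, receipt in (("bad", BAD_RECEIPT), ("good", GOOD_RECEIPT)):
        found = find_full_pans(receipt)
        print(name, "receipt:", [mask_pan(p) for p in found] or "no full PAN found")
```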
- The Payment Card Industry (PCI) Qualified Security Assessor (QSA) designation is conferred by the PCI Security Standards Council to those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of an Approved PCI Security and Auditing Firm, and will be performing PCI compliance assessments as they relate to the protection of credit card data.
- The term QSA may also be used to identify an individual qualified to perform PCI compliance auditing and consulting.
- Trustwave is the approved QSA company used by the Curators of the University of Missouri.
- Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of the internet-facing environments of merchants and service providers.
- TrustKeeper is the Approved Scanning Vendor used by the Curators of the University of Missouri.
- The definition of a convenience fee varies slightly from one card brand to the next, but it's basically a charge in addition to the original transaction amount for the convenience of being able to use an alternate payment method. This is different than a surcharge. Surcharging customers for paying with a credit card is considered discrimination based on payment type. A convenience fee is a charge for offering customers another payment option that is separate and in addition to the standard payment methods.
- Please contact John Layman to determine if you would be eligible and what specific rules you would have to follow. As an alternative, it might be better to determine all costs of doing business and add that total into the price of the goods or services that you are selling. This is the best way to recoup those costs, and it is a more customer-friendly model.
- In order to accept credit card payments, either from a physical store or a store on the Internet, you need to have a merchant account id assigned by an acquiring financial institution. This is a requirement for physical stores as well as stores on the Internet. An acquiring financial institution contracts with merchants to enable them to accept credit card transactions. In order to take credit card payments over the web using your browser and secure server technology (SSL) you will need a merchant credit card account ("Merchant Account") that is specifically meant for Internet-based transactions. You may already have a merchant ID for handling your phone/fax orders, but a separate merchant is required to do e-commerce business. Commerce Bank is the University's financial institution, so they assign the merchant account for internet applications. You must check with Information Security & Access Management (ISAM) and the Treasurer's Office before you purchase a new e-commerce system. The acquiring financial institution records the daily credit card sales for your merchant account and transfers that information to the University for posting to your PeopleSoft Financials General Ledger account. When implementation of your application is underway, the e-commerce team will ask you for the information that is needed to request a merchant account ID.
Please complete our online form. Once the request is received by the Office of the Treasurer, it will be initiated for completion. If you need an E-Commerce Merchant, please fill out the E-Commerce Request Form.
- The first step is to obtain the American Express merchant ID for your new retail merchant account.
- Once it has been established, the request is forwarded to our financial institution, Commerce Bank, so that they can establish the Visa/MasterCard/Discover merchant ID and have the terminal set up and delivered to the department.
- Once the Visa/MasterCard/Discover merchant ID has been established, the PeopleSoft financials feed will be established so that the revenue and expenses are fed correctly into the general ledger for your merchant.
- Once the terminal arrives at your processing location it should already be programmed (dial 9, auto batch close, etc.). You should just be able to plug it in (power, and phone line if dial-up) and it should work to your specifications.
- If for some reason you are having an issue with your card reader, please contact the IT helpdesk at 573/882-5000 and firstname.lastname@example.org to troubleshoot the phone line, and Commerce Bank Merchant Support at 800/828-1629 and email@example.com.
- Please complete our online merchant update request form. Once the request is received by the Office of the Treasurer, it will be initiated for completion. Once the update has been completed, the Treasurer’s Office will notify the department that originated the update request.
- If you are using an OMNI 3750, OMNI 3200, Tranz 380, Tranz 330, it CANNOT be used as an IP terminal. It can be used as a dial up terminal until December 1, 2014 and then MUST be replaced with a new terminal for security reasons.
- To request a new credit card machine, please fill out the new credit card machine form and email the form to John Layman.
- There is a possibility that you can "swap-out" your old machine that has stopped working for a new machine. If your old machine will need to be swapped-out then a new machine will be shipped to you and upon receipt of it you will need to return the older Vx570 IP model in the box provided. The box will also include a UPS Call Tag for pickup with instructions. The following items must be returned in order to complete the swap out process: Terminal, Power Cord, and Cables. A swap-out costs less than a regular machine order.
- If you are not able to "swap-out" your machine then please mail the old machine to: Attn. John Layman, 118 University Hall, Columbia, MO 65211
- Please contact the Merchant Support Desk at 800-828-1629 to request a swap out of the Vx570. The manufacturer, VeriFone, does not provide a warranty, but Commerce Bank does provide a 90 day warranty. If past warranty, the swap out will cost you $100. When you call the Support Desk you will need to provide the serial number from the Vx570. If you call Mon – Thurs before 4:30 pm, the terminal will be delivered the next day.
- Most terminals use dial-up communication, but some use IP communication or wireless. The communication method for a new machine depends on which type you request. Below are the manuals and quick reference guides for each terminal available through Commerce Bank. All terminals except the Nurit 8020 support the invoice function for splitting revenue to different GL accounts. For additional information, see: what is the ECC and how does it work, and how to use the invoice function to post revenue to the GL using different MO Codes per transaction.
- VeriFone Vx510 (dial-up or IP, supports the 2 digit code) [No longer available but may be in service]
- VeriFone Vx570 (dial-up or IP, supports the 2 digit code) [No longer available but may be in service]
- Nurit 8020 (wireless) [No longer available but may still be in service]
- FD55 (dial-up or IP, supports the 2 digit code)
- FD100 (dial-up or IP, supports the 2 digit code) [No longer available but may be in service]
- FD130 (dial-up or IP, supports the 2 digit code) [Can accept Chip and PIN without the external FD35]
- FD130 DUO (dial-up or IP, Supports the 2 digit code) [FD130 and the FD35 sold together]
- FD200 (dial-up or IP, supports the 2 digit code)
- FD300 (dial-up or IP, supports the 2 digit code, & can hold multiple merchant numbers)
- FD35 PIN Pad (for chip and contactless payments)
- FD400 (cellular, supports 2 digit code) [No longer available but may be in service]
- FD410 (cellular, supports 2 digit code) [Can accept Chip and PIN]
- If you have questions concerning your setup please contact John Layman.
- Please note, you can change your communication method (Dial to IP or IP to Dial) by calling Commerce Bank Merchant Services 800-828-1629 so that they can create a new TID# (terminal ID number) and for them to send a new download for your terminal.
- EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit card and debit card transactions. EMV transactions improve security against fraud compared to magnetic stripe card transactions by the use of PIN and cryptographic algorithms. The card brands have issued a "liability shift" to motivate merchants to invest in upgrading their card readers to be able to accept EMV chip cards by October 1, 2015.
- Contactless payment systems are credit cards and debit cards, key fobs, smartcards or other devices that use radio-frequency identification for making secure payments. The embedded chip and antenna enable consumers to wave their card or fob over a reader at the point of sale.
- For a merchant to accept EMV or contactless payments they need to have the correct terminal and an additional PIN pad. This is a list of all the possible combinations:
- VeriFone Vx510 with FD35 PIN Pad
- VeriFone Vx570 with FD35 PIN Pad
- FD55 with FD35 PIN Pad
- FD100 with FD35 PIN Pad
- FD130 by itself can accept EMV payments
- FD130 DUO can accept EMV and contactless payments
- FD200 with FD35 PIN Pad
- FD300 with FD35 PIN Pad
- FD410 by itself can accept EMV payments
- Many terminals have the invoice function turned on. The invoice field consists of 10 characters. If you do have this, the account code is the first 2 digits of the invoice number, and the time of day entered twice makes up the other 8 digits. For example, if the account code is 03 and the time of day is 12:37 pm, the invoice you would want to enter would be 0312371237.
- The ECC stands for Electronic Credit Card. This is a PeopleSoft application that takes the end of day file from the card processor (First Data Merchant Services) and posts it to the general ledger (GL). If you have the invoice field turned on then the ECC takes that information that was entered and uses the first 2 digits and places the revenue into the MO code and PS account associated with that 2 digit code. To request an update to the ECC please contact John Layman at 573-882-3318
- If your invoice function has been turned on and your ECC account codes have been established, then you need to enter a unique invoice number for the transaction. The invoice field consists of 10 characters. If you do have this, enter the account code as the first 2 digits of the invoice number and then the time of day twice as the other 8 digits. For example, if the account code is 03 and the time of day is 12:37 pm, the invoice you would want to enter would be 0312371237.
- If the invoice function is not turned on then the invoice will be automatically populated by a sequential number through the day for your batch. This number could help you with your reconciliation process.
- Credit card terminals can have a two digit code added to the terminal download. For example, if the merchant has five (5) clerks, each clerk will be assigned a two digit number by the merchant. Some merchants use the last two digits of the clerk's social security number as their credit card terminal login. The clerk logs into the terminal using their 2 digit code, and the sales and credits are then identifiable by the clerk's two digit code. Reporting can be done in ClientLine and sorted by the clerk number. To have your terminal programmed for this, you need to call Commerce Bank Merchant Services at 800-828-1629.
- If you do not have a merchant number but you have infrequent events or other occasional uses for a machine, then you can contact John Layman and arrange to have a terminal reserved and set up for your event. You would need to pick up the machine and return the machine to 118 University Hall.
- You would need to set up an account using the following link: https://www.myclientline.net/welcome.html
- If you have any questions with this process, please contact John Layman and he can walk you through that process.
- Please click this link for the E-Commerce FAQ page.
- Please see the following links for more information concerning internal controls.
- Here is a link to the policy for records retention.
- Please report any and all security incidents and security weaknesses per the incident response policy.
- In almost all cases, the refund should be processed back to the same card that was originally processed. In some cases the card may have expired. If so you will have to contact the customer to obtain the correct card information in order to process the refund. It is not a good idea to refund in cash or check. Without an offsetting credit, the card issuing bank has no evidence of a refund and may still pursue to have a chargeback reverse the sale. In this case you run the risk of having two refunds processed.
- Ways to protect against staff issuing refunds that should not have been processed:
- Credit card terminals can have a two digit code added to the terminal download. For example, if the merchant has five (5) clerks, each clerk will be assigned a two digit number by the merchant. Some merchants use the last two digits of the clerk's social security number as their terminal login. The clerk logs into the terminal using their 2 digit code, and the sales and credits are then identifiable by the clerk's two digit code. Reporting can be done in ClientLine and sorted by the clerk number. The manager who runs the report will need to look for fraud patterns, such as a refund with no sale or the same card number receiving numerous credits. The report identifies refunds that may warrant further investigation. The merchant should be looking for things like a refund that was run to one card numerous times or at an unusual time.
- ClientLine reporting: Log in to ClientLine -> Select the "research" tab -> Run the refunds with no sales report
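The review described above, written as an added example that is not part of the original FAQ and is not ClientLine's own logic. The row layout, the business hours, the credit threshold and matching cards by last 4 digits are all assumptions, and the sample rows are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample rows, not real ClientLine output. Assumed layout:
# (timestamp, clerk two-digit code, card last 4, type, amount in cents).
SAMPLE = [
    ("2015-03-02 10:15", "03", "4242", "sale", 5000),
    ("2015-03-02 14:40", "03", "4242", "refund", 5000),
    ("2015-03-03 11:05", "07", "1881", "refund", 7500),
    ("2015-03-03 23:50", "07", "1881", "refund", 7500),
    ("2015-03-04 09:30", "07", "1881", "refund", 7500),
    ("2015-03-04 13:00", "05", "0005", "sale", 2000),
]

OPEN, CLOSE = time(8, 0), time(18, 0)  # assumed business hours
MAX_CREDITS_PER_CARD = 2               # assumed review threshold


def flag_refunds(rows):
    """Return (timestamp, clerk, last4, reasons) for each refund worth reviewing."""
    unrefunded = defaultdict(int)  # sales not yet refunded, per card, in cents
    credits = Counter()            # refunds seen so far, per card
    flagged = []
    for ts, clerk, last4, kind, cents in sorted(rows):
        if kind == "sale":
            unrefunded[last4] += cents
            continue
        reasons = []
        if cents > unrefunded[last4]:
            reasons.append("no offsetting sale")
        unrefunded[last4] = max(0, unrefunded[last4] - cents)
        credits[last4] += 1
        if credits[last4] > MAX_CREDITS_PER_CARD:
            reasons.append("numerous credits to one card")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M").time()
        if not OPEN <= when <= CLOSE:
            reasons.append("unusual time")
        if reasons:
            flagged.append((ts, clerk, last4, reasons))
    return flagged


def flags_by_clerk(flagged):
    """Count flagged refunds per clerk code so a manager knows where to look."""
    return Counter(clerk for _, clerk, _, _ in flagged)


if __name__ == "__main__":
    for ts, clerk, last4, reasons in flag_refunds(SAMPLE):
        print(ts, "clerk", clerk, "card ending", last4, "->", "; ".join(reasons))
```

Two cards can share the same last 4 digits, so a flag is a prompt to pull the receipts, not proof of fraud.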
- Here is a link to the credit card costs page.
- No, not at this time. JPMorgan Chase Bank does not offer this card as a University travel card at this time. When it does become available, we will let you know.