- Credit cards we accept
- What are the PCI DSS Security Standards?
- What is card holder data?
- Do you store paper documents that have the CAV2 / CVC2 / CVV2 / CID code on them?
- Does your terminal display the full PAN or card number on the machine and print the full PAN or card number on the receipt?
- What is a QSA (Qualified Security Assessor)?
- Who is the QSA Company for UM System?
- What is an Approved Scanning Vendor?
- Who is the Approved Scanning Vendor for UM System?
- What is a convenience fee or surcharge?
- Can I charge a Convenience Fee or Surcharge to my customers?
- New Retail Merchant Information
- Existing Merchant Updates
- Requesting a new credit card machine
- Using your machine
- Can I request a loaner machine?
- Is there a reporting system that I can have access to in order to view my merchant credit card transactions?
- E-Commerce Frequently Asked Questions
- What are internal controls and where can I find more information?
- What is the records retention policy for credit card receipts?
- What do I do if I suspect that my payment card operation has experienced a breach?
- What are the rules for processing credit card refunds?
- What are the credit card costs?
- Is there an EMV Chip and PIN corporate travel credit card available for University travel overseas?
- American Express (in the process of fully implementing, and the merchants will be notified when completed)
- The PCI DSS (Payment Card Industry Data Security Standards), a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
- The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
Account Data consists of Cardholder Data plus Sensitive Authentication Data, as follows:
|Cardholder Data Includes:||Sensitive Authentication Data Includes:|
|Primary Account Number (PAN)||Full magnetic stripe data or equivalent on a chip|
|Cardholder Name||CAV2 / CVC2 / CVV2 / CID|
|Expiration Date||PINs / PIN blocks|
The following table illustrates commonly used elements of cardholder and sensitive authentication data, whether storage of each element is permitted or prohibited, and whether each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.
|Data Element||Storage Permitted||Render Stored Account Data Unreadable per Requirement 3.4|
|Account Data||Cardholder Data||Primary Account Number (PAN)||Yes||Yes|
|Sensitive Authentication Data||Full Magnetic Stripe Data||No||Cannot Store|
|CAV2 / CVC2 / CVV2 / CID||No||Cannot Store|
|PIN / PIN Block||No||Cannot Store|
- Per PCI DSS requirements, you are not allowed to store this information electronically or in paper form. If you have current paper storage with the CVV code stored you need to remove the CVV. You cannot just mark it out with a "sharpie" but, if you marked out and then photo copy the marked-out original keeping the photo copy and cross-cut shred the original then you have successfully remediated your CVV2 paper storage problem.
- Please contact John Layman, 573-882-3318 because your terminal needs to be replaced.
- Per PCI DSS and University policy, only the last 4 of the card can be displayed on the terminal and printed on the receipt.
- The Payment Card Industry (PCI) Qualified Security Assessor (QSA) designation is conferred by the PCI Security Standards Council to those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of an Approved PCI Security and Auditing Firm,and will be performing PCI compliance assessments as they relate to the protection of credit card data.
- The term QSA may also be implied to identify an individual qualified to perform PCI compliance auditing and consulting.
Who is the QSA Company for UM System
- Security Metrics is the approved QSA company used by the Curators of the University of Missouri.
- Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of internet facing environments of merchants and service providers.
- Security Metrics is the Approved Scanning Vendor used by the Curators of the University of Missouri.
A convenience fee is a fee charged by the merchant to the cardholder for providing them with an alternative payment channel.
The Convenience Fee Program is open to educational institutions and public sector merchant categories:
Elementary and secondary schools for tuition and related fees, and school-maintained room and board.
Colleges, universities, professional schools, and junior colleges for tuition and related fees, and school-maintained room and board.
Local, state, and federal courts of law that administer and process court fees, alimony, and child support payments.
Qualifying MCCs: 8211, 8220, 9211, 9222, 9311 and 9399.
A merchant that charges a convenience fee must ensure that the fee is:
Charged for a bona fide convenience in the form of an alternative payment channel outside the merchant's customary payment channels. The requirement for an alternative payment channel means that mail/phone order merchants and electronic commerce merchants whose payment channels are exclusively card-absent environments may not impose a convenience fee.
Disclosed clearly to the cardholder as a charge for the alternative payment channel convenience.
Disclosed before the completion of the transaction and the cardholder is given the opportunity to cancel.
Added only to a transaction completed in a card-absent environment.
A flat or fixed amount, regardless of the value of the payment due.
Applicable to all forms of payment accepted in the payment channel.
Included as part of the total amount of the transaction.
Notify JPMorgan Chase Bank and the Treasurer's Office at least 30 days in advance of beginning to charge a convenience fee.
In the U.S. Region or in a U.S. Territory, a merchant that assesses a U.S. credit card surcharge must not charge a convenience fee in addition to the U.S. credit card surcharge. In the AP Region and the U.S. Region, a convenience fee must not be added to a recurring transaction.
What is a surcharge?
A surcharge is an additional fee that a merchant adds on a transaction when a consumer uses a credit card for payment.
U.S. merchants that intend to surcharge are required to:
Notify JPMorgan Chase Bank at least 30 days in advance of beginning to surcharge.
Limit surcharging to credit cards only (no surcharging debit and prepaid cards) and limit the amount to your merchant discount rate for the applicable credit card surcharged. The surcharge cannot in any event exceed 4% (even in cases where the merchant’s average discount rate exceeds 4%)
Disclose the surcharge as a merchant fee and clearly alert consumers to the practice at the point of sale – both in store and online – and on every receipt.
Ensure the merchant’s POS application supports the data elements in the authorization and settlement records.
Merchants should also consider whether they comply with all applicable state or federal laws. Currently, 10 U.S. states have surcharging restrictions including California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma and Texas.
- Please contact John Layman to determine if you would be eligible and what specific rules you would have to follow. As an alternative it might be better to determine all costs of doing business and add that total into your goods or services that you are selling. This is the best way to recoup those costs and it is a better customer friendly model.
- In order to accept credit card payments, either from a physical store or a store on the Internet, you need to have a merchant account id assigned by an acquiring financial institution. This is a requirement for physical stores as well as stores on the Internet. An acquiring financial institution contracts with merchants to enable them to accept credit card transactions. In order to take credit card payments over the web using your browser and Transport Layer Security (TLS) you will need a merchant credit card account ("Merchant Account") that is specifically meant for Internet-based transactions. You may already have a merchant ID for handling your phone/fax orders, but a separate merchant is required to do e-commerce business. JPMorgan Chase Bank is the University's financial institution, so they assign the merchant account for internet applications. You must check with Information Security & Access Management (ISAM) and the Treasurer's Office before you purchase a new e-commerce system. The acquiring financial institution records the daily credit card sales for your merchant account and transfers that information to the University for posting to your PeopleSoft Financials General Ledger account. When implementation of your application is underway, the e-commerce team will ask you for the information that is needed to request a merchant account ID.
Please complete our online form. Once the request is received by the Office of the Treasurer, it will be initiated for completion. If you need a TouchNet Marketplace merchant, please contact email@example.com.
- The first step is to obtain the American Express merchant ID for your new retail merchant account.
- Once it has been established, the request is forwarded to our financial institution, JPMorgan Chase Bank, so that they can establish the Visa/MasterCard/Discover merchant ID and have the terminal set up and delivered to the department.
- Once the Visa/MasterCard/Discover merchant ID has been established, the PeopleSoft financials feed will be established so that the revenue and expenses are fed correctly into the general ledger for your merchant.
- Once the terminal arrives at your processing location it should already be programmed (dial 9, auto batch close, etc.). You should just be able to plug it in (power and phone line if dialup) and it should work to your specific specifications.
- If for some reason you are having an issue with your card reader, please contact the IT helpdesk at 573/882-5000 and firstname.lastname@example.org to trouble shoot the phone line or call JPMorgan Chase Merchant Services helpdesk at 888-886-8869 option 3, option 3.
- Please complete our online merchant update request form. Once the request is received by the Office of the Treasurer, it will be initiated for completion. Once the update has been completed, the Treasurer’s Office will notify the department that originated the update request.
- To request a new credit card machine, please fill out the new credit card machine form and email the form to John Layman.
- There is a possibility that you can "swap-out" your old machine that has stopped working for a new machine. If your old machine will need to be swapped-out then a new machine will be shipped to you and upon receipt of it you will need to return the older swipe terminal model in the box provided. The box will also include a UPS Call Tag for pickup with instructions. The following items must be returned in order to complete the swap out process: Terminal, Power Cord, and Cables. A swap-out costs less than a regular machine order.
- If you are not able to "swap-out" your machine then please mail the old machine to: Attn. John Layman, 118 University Hall, Columbia, MO 65211
- Please contact the JPMorgan Chase Merchant Support Desk at 888-886-8869 option 3, option 3 to request a swap out of the broken terminal. The swap out will cost $50. When they call the Support Desk, they will need to provide the serial number from the broken terminal and you will also need to know your merchant number.
- Most terminals are dial up communication but some are IP communication or wireless. The communication method for a new machine depends on which type you request. Below are the manuals and quick reference guides for each terminal available through JPMorgan Chase Bank. For additional information see; what is the ECC and how does it work and how to use the invoice function to post revenue to the GL using different MO Codes per transaction.
- Vx520 (dial-up, supports the 2 digit code) [Can accept Chip and PIN without the external Vx805]
- Vx680 3G (cellular, supports the 2 digit code) [Can accept Chip and PIN]
- Ingenico MOVE 5000 4G (cellular, supports the 2 digit code) [Can accept Chip and PIN]
- Related Links
- If you have questions concerning your setup, please contact John Layman.
- EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit card and debit card transactions. EMV transactions improve security against fraud compared to magnetic stripe card transactions by the use of PIN and cryptographic algorithms.
- Contactless payment systems are credit cards and debit cards, key fobs, smartcards or other devices that use radio-frequency identification for making secure payments. The embedded chip and antenna enable consumers to wave their card or fob over a reader at the point of sale.
- For a merchant to accept EMV or contactless payments they need to have the correct terminal and an additional PIN pad. This is a list of all the possible combinations:
- VeriFone Vx520 with Vx805 PIN Pad
- VeriFone Vx520
- VeriFone Vx680
- Ingenico MOVE 5000 4G
- For a merchant to accept EMV or contactless payments they need to have the correct terminal and an additional PIN pad. This is a list of all the possible combinations:
- Many terminals have the invoice function turned on. The invoice field consists of 10 characters. If you do have this, the account code is the first two digits of the invoice number and then the time of day entered twice as the other 8 digits. So for example, account code 03 and if the time of day was 12:37 pm, the invoice you would want to enter would be 0312371237.
- The ECC stands for Electronic Credit Card. This is a PeopleSoft application that takes the end of day file from the card processor (First Data Merchant Services) and posts it to the general ledger (GL). If you have the invoice field turned on then the ECC takes that information that was entered and uses the first two digits and places the revenue into the MO code and PS account associated with that 2 digit code. To request an update to the ECC please contact John Layman at 573-882-3318
- If your invoice function has been turned on and your ECC account codes have been established then you need to enter a unique invoice number for the transaction. The invoice field consists of 10 characters. The account code as the first two digits of the invoice number and then the time of day entered twice as the other 8 digits. So for example, account code 03 and the time of day was 12:37 pm, the invoice you would want to enter would be 0312371237.
- If the invoice function is not turned on then a squencial number through the day for your batch will automatically populate the invoice. This number could help you with your reconciliation process.
- Credit Card Terminals can have a two-digit code added to the terminal download. For example, if the merchant has five (5) clerks, each clerk will be assigned a two digit number by the merchant. Some merchants use the last two digits of the clerks social security number as their cc terminal login. The clerk logs into the terminal using their two-digit code and now the sales and credits are identifiable by the clerk’s two-digit code. Reporting can be done in ClientLine and sorted by the clerk number. To have your terminal programmed for this step you need to call JPMorgan Chase Merchant Services at 888-886-8869 option 3, option 3.
- If you do not have a merchant number but you have infrequent events or other occasional uses for a machine, then you can contact John Layman and arrange to have a terminal reserved and set up for your event. You would need to pick up the machine and return the machine to 118 University Hall.
- Please complete the Loaner Request Form
- All reports are located within Cognos, https://reports.umsystem.edu/
- Please see the following links for more information concerning internal controls.
- Here is a link to the policy for records retention.
- Please report any and all security incidents and security weaknesses to the information security officer for your campus.
- In almost all cases, the refund should be processed back to the same card that was originally processed. In some cases, the card may have expired. If so, you will have to contact the customer to obtain the correct card information in order to process the refund. It is not a good idea to refund in cash or check. Without an offsetting credit, the card issuing bank has no evidence of a refund and may still pursue to have a chargeback reverse the sale. In this case, you run the risk of having two refunds processed.
- Ways to protect against staff issuing refunds that should not have been processed:
- Credit card terminals can have a two-digit code added to the terminal download. For example, if the merchant has five (5) clerks, each clerk will be assigned a two-digit number by the merchant. Some merchants use the last two digits of the clerks social security number as their terminal login. The clerk logs into the terminal using their 2 digit code and now the sales and credits are identifiable by the clerk's two-digit code. Reporting can be done in ClientLine and sorted by the clerk number. The manager who runs the report will need to look for fraud patterns, refund with no sale, same card number receiving numerous credits. The report identifies refunds that may warrant further investigation. The merchant should be looking for things like a refund that was run to one card numerous times or at an unusual time.
- ClientLine reporting: Login to Clientline - > Select "research" tab -> Run refunds with no sales report
- Here is a link to the credit card costs page.
- Yes, the new One Card is Chip and PIN.