||This section outlines policies and procedures pertaining to the authorization granted to University departments/units and affiliates, hereon referred to as merchants, to accept bank/credit cards as a form of payment for services performed or for merchandise sold. Merchants are subject to and must comply with this policy and the guidelines in the exhibits to this policy.
|Mark Barton, Bursar
Exhibit A - Definitions
Exhibit B - New Department/Unit Bank Card Checklist
Exhibit C - Merchant Bank/Credit Cards Acceptance Agreement
Exhibit D - Payment Card Industry Standards PCI-DSS Questionnaires
Exhibit E - UA Information Security Policy
- Per Arizona Board of Regents (ABOR) 3-102, the responsibility for the collection of monies in connection with University activities is delegated to the Vice President, Financial Services, who, in turn, delegates this responsibility to the Financial Services Office-Bursar’s Office (Bursar’s Office). The Bursar should be contacted regarding any deviations from policies and procedures stated herein.
- Only the Bursar’s Office has the delegated authority to execute agreements on behalf of the University in connection with banking-type services and regulate the use of bank/credit card services.
- Services for processing bank/credit cards, depositing cash receipts and any specialized programs or services (e.g. shopping carts, electronic check payment, third party applications) that process directly or have the ability to authorize bank/credit card transactions for payment of University sales and services must have written permission from the Bursar’s Office. Merchants may use only service providers, approved by Procurement and Contracting Services and the Bursar’s Office, that meet payment card and acquiring bank certifications, regulations and requirements.
- Merchants must agree and adhere to all federal, bank/credit card regulations, payment card industry (PCI) data security standards, and University policies and standards, including without limitation the UA Information Security Policy and the standards and procedures established under it, in the acceptance processing and storing of bank/credit card transactions as outlined in the “Merchant Bank/Credit Cards Acceptance Agreement” and the PCI standards located online at https://www.pcisecuritystandards.org/
- Merchants may not accept bank/credit cards or authorize or complete settlement for transactions of other University department/units or affiliates without written authorization from the Bursar’s Office.
- Bank/credit cards may be accepted by a merchant for University gifts and donations. The merchant must contact the University of Arizona Foundation for the specific processes to report the donations and/or gifts.
- A merchant that plans to receive revenue from external sales or services and provide taxable goods to customers outside the University should contact their Financial Services Office fund accountant to discuss sales tax requirements. Merchants should also refer to and be familiar with Financial Services Manual 8.11-Sales Tax and 6.17-Administrative Service Charge Policy.
- Merchants that accept bank/credit cards and/or electronic payments for gifts, goods or services must designate a full time University employee who will have primary authority and responsibility for department/unit compliance of ecommerce and bank/credit card transaction processing. This individual will be referred to in the remainder of this policy statement as the Merchant Responsible Person or “MRP.” All MRPs will be responsible for the department/unit complying with all security measures established by the payment card industry, the UA Information Security Office, the “Merchant Bank/Credit Cards Acceptance Agreement” and this policy.
- Merchant’s must review and sign the “Merchant Bank/Credit Cards Acceptance Agreement” upon their request for merchant status. With their signature, the department/ unit’s head and MRP acknowledge that they understand and agree with the terms and responsibilities outlined in the agreement. This agreement must be renewed annually.
- No University employee, contractor or agent who obtains access to bank/credit card or other personal payment information in the course of conducting University business may sell, purchase, provide, or exchange said information in any form including but not limited to imprinted sales slips, carbon copies of imprinted sales slips, mailing lists, tapes or other media obtained by reason of a card transaction to any third party other than to University’s acquiring bank, depository bank, Visa, MasterCard or other bank/credit card company or pursuant to a government request. All requests to provide information to any party outside of the merchant must be coordinated with the Bursar’s Office and the UA Information Security Office.
- Merchant must use a University authorized service provider to process all ecommerce transactions or web based transmissions of transactions (software based). If a department/unit believes that it has a significant business case or processing requirement that cannot be achieved using an authorized service provider and wishes to utilize an alternative, it must initiate a written request to the Bursar’s Office for approval of use. The Bursar’s Office will review the request with Procurement and Contracting Services and notify the department/unit of approval or rejection of service provider use. If approved, the department/unit and service provider are responsible to meet all PCI-DSS requirements and documentation.
- If the merchant chooses not to utilize the provided ecommerce gateway and an alternative ecommerce gateway or software is necessary, the gateway and service provider must be included on either the Visa Global Registry of Service Providers, or PCI Security Standards Council List of Validated Payment Applications. In addition, the alternative service provider must also be approved by the acquiring bank, the Bursar's Office and Procurement and Contracting Services. The third party service provider must also comply with all University policies.
- All service providers that share cardholder data or that could affect the security of the cardholder data must sign an agreement that outlines the security responsibilities of the service provider and the University. The service provider must agree to provide information requested from the University or its PCI Qualified Security Assessors (QSA) to verify security due diligence and PCI-DSS compliance.
- All ecommerce websites that redirect or link to an authorizing gateway must perform quarterly external vulnerability scans through a PCI Approved Scanning Vendor (ASV) and annual internal scans through University provided applications. External scans must be performed after significant network or website changes. All “high” (rating of 4 or more) vulnerabilities must be resolved within 30 days and rescanned until passing results are achieved.
- Upon request of the Bursar’s Office, the merchant will complete annual PCI-DSS Self-Assessment Questionnaire (SAQ) and supporting documentation including network security scans deemed necessary by the UA Information Security Office, Bursar’s Office or payment card industry. The merchant will be responsible for the costs of such service. The service will include assistance to the merchant in understanding and completing the SAQ.
- A Merchant’s ability to offer bank/credit card payment is conditioned on compliance with the PCI-DSS. The merchant is responsible for complying and maintaining PCI-DSS standards. If the merchant fails compliance, the merchant is responsible for correcting deficiencies to bring the merchant into compliance as directed by the Bursar’s Office and the UA Information Security Office. Failure to comply with PCI standards will result in withdrawal of the merchant’s ability to accept bank/credit cards.
Procedures for Establishment and Maintenance of Card Services
- Requests to accept bank/credit cards by University departments/units and affiliates must be made by completing and submitting an application checklist and signed “Merchant Bank/Credit Cards Acceptance Agreement” to the Bursar’s Office. The checklist contains the following information:
- Department/unit name
- Department/unit merchant name. This will be the name which appears on the customer’s bank card statement and receipt
- Department/unit head
- Merchant Responsible Person, business contact (if different) and IT contact Information
- Department/unit’s physical and statement address
- Telephone and fax number
- List of bank/credit card companies that will be accepted (Visa, MasterCard, American Express, Discover)
- Statement regarding the purpose of accepting bank/credit cards
- Department/unit’s UAccess Financials account number and object codes for revenue and expenses to which any debits and credits, charge-backs and discount fees will be charged
- Fund accountant name
- Security, privacy information statements
- Department/unit’s refund policy
- Any other information required or requested by the acquiring bank or card brand.
- Upon review of the request, the Bursar’s Office will prepare and submit all documentation to the acquiring bank and card companies to establish the merchant account, order the merchant terminal and notify the merchant of the assigned merchant number.
- Fees and Billing:
- Discount fees, card interchange rates, equipment rentals, and banking network access fees are deducted monthly from the University bank account. FSO - Cash Accounting allocates these costs to merchants based on the designated account number and object code, approved by the department/unit’s fund accountant. A merchant statement is provided monthly by the acquiring bank and card brands.
- As provided by the acquiring bank agreement, surcharges and convenience fees cannot be charged to the customer in order to absorb the cost of accepting bank cards unless certain rules and regulations are followed.
- Credit Chargebacks:
- FSO - Cash Accounting and the merchant will receive chargeback notifications by mail, fax or online merchant account access from the acquiring bank, American Express or Discover.
- Merchants must respond directly to the chargeback notifying entity within the “respond by” date provided in the chargeback notification. Merchants must provide the requested information or appropriate documentation to demonstrate the legitimacy and appropriate processing of the original transaction. The acquiring bank has sole authority to determine if the chargeback will be reversed and the cash receipts returned to the merchant.
- Upon receipt of a chargeback reversal notification and entry, FSO - Cash Accounting will perform appropriate accounting entries to reflect the chargeback reversal.
- The Bursar’s Office is responsible for:
- Reviewing and initiating requests from University departments/units and affiliates to establish a merchant account and accept bank/credit cards as a form of payment for services performed or for merchandise sold by such units and affiliates.
- Providing information and assistance to University departments/units and affiliates that are analyzing the responsibilities and costs of accepting bank/credit cards as a form of payment.
- Selecting and ordering terminals and other equipment and coordinating all compliance activities for the merchant.
- Coordinating all merchant compliance activities that are required or directed by University policies, payment card industry, UA Information Security Office, and acquiring bank standards.
- FSO - Cash Accounting is responsible for:
- Reconciling the depository bank account to the general ledger cash account monthly.
- Maintaining procedures to ensure the appropriate and timely recording of deposits onto the general ledger.
- Administration of the University’s centralized payment process.
- All merchants are responsible for:
- Following security measures established by the payment card industry, UA Information Security Office and Financial Services policies.
- Performing all periodic compliance activities requested by the UA Information Security Office in coordination with the Bursar's office in a timely manner.
- Recording all card transactional activity on the general ledger within three (3) business days of settlement.
- Reviewing monthly merchant statements for accuracy. Inaccurate charges must be reported to the Bursar’s Office within 60 days of statement date.
- Notifying the Bursar’s Office immediately when accounts are no longer needed and should be deactivated.
- Responding to chargeback notifications and bank card company inquires within chargeback notification letter deadlines.
- Insuring that no cardholder information is stored electronically in any database, application, fax machine or system.
- Following the responsibilities and guidelines in the exhibits included within this policy.
Security Breach Response
- All suspected and/or confirmed security compromises must be reported immediately to the UA Information Security Office and the Bursar’s Office - Banking & Merchant Services via the UA Information Security Office website, http://security.arizona.edu/report-incident Additionally, merchants must follow the Incident Handling Standard and Guidelines available on the UA Information Security Office website.
- If a security breach is confirmed by the UA Information Security Officer and the Bursar’s Office, the Bursar’s Office will be responsible for alerting the merchant acquiring bank, the payment card associations and other merchant regulatory entities deemed necessary of the confirmed security breach. The UA Information Security Office will be responsible for providing the security breach information to all government agencies required by statute.
- University of Arizona Financial Services Manual:
- Policy 8.10 Cash Receiving
- Policy 8.11 Sales Tax
- UA Information Security Policies and supporting standards
- Bank Card Merchant Security Requirements:
- Visa U.S.A. Cardholder Information Security Program (CISP)
- MasterCard International Site Data Protection (SDP) Program
- American Express Data Security Standards (DSS)
- Discover Information Security and Compliance (DISC) Program
- Payment Card Industry (PCI-DSS) Standards
- Payment Application Best Practices ( PABP)
- Arizona Revised Statute (A.R.S.) 44-7501 – Notification of Breach of Security System
- Approved Service Providers:
- PCI Security Standards Council Validated Payment Applications
- Visa Global Registry of Service Providers