Handbook of Business Procedures
Date published: May 23, 2005
Last revised: March 25, 2025
Issued by: Cash Management
6.4. CREDIT CARD COLLECTIONS
University of Texas Colleges, Schools, and Units (CSUs) that accept credit cards as a form of payment for goods and/or services must receive approval from the University's Credit Card Compliance Team (CCCT) before purchasing, or contracting for purchase, any systems involved in processing credit card transactions. As a condition of approval, merchants must agree to comply with all requirements of the Payment Card Industry Data Security Standards (PCI DSS), as well as the University-specific controls outlined within this policy.
Attestation of Compliance (AOC)
An Attestation of Compliance (AOC) is a document that declares an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). It serves as documented evidence that the organization's security practices effectively protect against threats to cardholder data. This document is typically completed by a Qualified Security Assessor (QSA) or the business itself.
Cardholder Data
At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code.
Chargeback
A chargeback is a reversal of funds transferred between a customer's credit card account and a merchant. It occurs when a customer disputes a transaction, and the issuing bank returns the funds to the customer. Chargebacks can happen for various reasons, such as fraudulent transactions, billing errors, or disputes over the quality of goods or services.
Credit Card Discount Rate
A credit card discount rate is a percentage of gross sales collected by the credit card processor from the merchant each time the merchant accepts payment via credit card. Discount rates vary by credit card company (MasterCard, Visa, American Express, and Discover) and by classification of merchant. The current card brand rates and fees are published here. UT Austin departments that do not physically have the credit card to swipe through a point-of-sale terminal are classified as "Emerging Market."
Merchant
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.
Payment Gateway
A payment gateway is a technology used by merchants to authorize credit or debit card purchases from customers. It facilitates the transfer of payment information between the merchant and the acquiring bank, ensuring secure and encrypted transactions. Payment gateways are used both in physical stores (via POS terminals) and online stores (via checkout portals).
Payment Processor
A payment processor is a company that handles the transaction between the merchant and the customer's bank. It processes the payment information, verifies the transaction, and ensures the funds are transferred from the customer's account to the merchant's account.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS is an industry standard that sets technical and compliance standards for protecting cardholder data. PCI DSS is supported by VISA, MasterCard, Discover, and American Express, and applies to everyone that stores, processes, or transmits cardholder data. Failure to comply with PCI DSS may result in substantial fines and increased auditing requirements if a breach occurs. The full text of the standard and other supporting documents is available at PCI Security Standards.
Point-of-Sale (POS) System
A point-of-sale (POS) system is a computer-based system that processes payments over a secure network. Credit card sales made via POS systems are generally considered card present transactions, meaning the payer and card are physically present at the time of the transaction.
Self-Assessment Questionnaire (SAQ)
A Self-Assessment Questionnaire (SAQ) is a formal report of an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). It evaluates whether a merchant or service provider has taken the necessary measures to secure cardholder data and documents its overall security posture. There are nine different SAQ formats - the selection of which depends on a merchant's specific processing method(s) and cardholder data environment - each consisting of a series of questions that help merchants evaluate their security practices and identify areas that need improvement.
Settlement
A settlement is a procedure in which a merchant requests that some or all authorized transactions be processed by a credit card processor. This processing includes charging the customer's credit card and transferring the money owed to the merchant.
Terminal
A terminal is a machine for electronically processing credit card payments. Terminals may process cards by card swipe, EMV chip or chip and PIN, NFC (tap to pay), or by manual key entry of the credit card number. Payment information may be transmitted over phone lines (cellular or analog only) or the Internet via a PCI compliant network.
Third-Party Service Provider
A Third-Party Service Provider (TPSP) is a business entity that is not a payment brand, and is not directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
C. DEPARTMENTAL RESPONSIBILITIES FOR CREDIT CARD PROCESSING
If a department decides to manage its own credit card collections, the department is responsible for physical and electronic security of credit card information, costs associated with credit card transactions, and following established accounting procedures. Authorization is required from Accounting and Financial Management before any department-controlled method of credit card collection may be set up.
Security
Physical Security
Departments are to keep all copies of credit card information confidential and protected from misuse. Current records are to be locked in file cabinets. Only authorized personnel should have access to keys to file cabinets containing credit card information. Discarded daily detail of credit card information is to be shredded. Outdated records are to be marked "For confidential disposal-shred" and should be retained and destroyed in accordance with the official University Records Retention Schedule (see section D2 of this Part for more information). Please note that these requirements are the minimum standard, and additional requirements may apply depending on the nature of the credit card processing taking place. Please work with the Credit Card Compliance Team to ensure that your solution meets all applicable physical standards for PCI DSS.
Electronic Security
Electronic storage of credit card information for UT devices is not permitted. Departments needing to retain cardholder data for legitimate business purposes must choose physical means of storage instead of digital and adhere to all requirements outlined in the Physical Security section above.
If a department, at any point in the past, stored confidential credit card information on a local hard drive or other local media, these devices must be securely destroyed once official University Records Retention Schedule requirements are met (see rule ASLL454).
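The following is an added example, not part of the Handbook of Business Procedures, illustrating the definition of cardholder data above (at minimum, the full Primary Account Number) and the Electronic Security rule that no cardholder data may be stored on UT devices. It shows the kind of discovery check a department could run over exported files or logs from a device before attesting that it holds no cardholder data: find digit runs of PAN length, keep only those that pass the Luhn check digit test that every issued PAN satisfies, and report them masked (first six and last four digits) so the check itself does not reproduce full PANs. The sample lines are constructed; the two card numbers in them are publicly known test numbers, not real accounts.

```python
"""Discover stored Primary Account Numbers (PANs) in text.

Added example, not handbook or University code. Run it over files
exported from a device to confirm no cardholder data is held
electronically. Sample input below is constructed; the card numbers
are well-known public test numbers.
"""
import re
from typing import Iterator, List, NamedTuple

# A PAN candidate is 13-19 digits, optionally separated by single spaces or
# dashes. The lookarounds stop us from matching inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


class Finding(NamedTuple):
    line_no: int
    masked: str      # first 6 and last 4 digits visible (PCI DSS masking)
    length: int      # number of digits in the candidate


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit test: issued PANs pass, most random runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Never print a full PAN: show at most the first 6 and last 4 digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines) -> Iterator[Finding]:
    """Yield a Finding for each Luhn-valid PAN-length digit run in the input."""
    for line_no, line in enumerate(lines, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                yield Finding(line_no, mask_pan(digits), len(digits))


def findings_for(lines) -> List[Finding]:
    return list(scan_lines(lines))


# Constructed sample of what a stray export or log file might contain.
SAMPLE = [
    "2024-03-01 order=2024030112345 total=42.00",        # 13-digit order id, fails Luhn
    "cust=J. Doe card=4111 1111 1111 1111 exp=12/26",   # Visa test PAN, passes Luhn
    "phone=512-471-3434 amount=15.00",                   # too short to be a PAN
    "token=tok_9f8e7d6c5b4a3 last4=1111",                # tokenized record, no PAN
    "card=5555-5555-5555-4444 auth=OK",                  # Mastercard test PAN
    "ref=1234567890123456 note=sequential",              # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for f in findings_for(SAMPLE):
        print(f"line {f.line_no}: possible PAN {f.masked} ({f.length} digits)")
```

Only lines 2 and 5 are reported; the order id and the sequential 16-digit reference are PAN-length but fail the Luhn check, and the tokenized record carries no PAN at all. A hit on a real device means the data must be destroyed in accordance with the retention schedule, as the section above requires, not simply deleted.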
Records Retention
Both paper and electronic records are to be stored securely for the current fiscal year plus three years in accordance with the official University Records Retention Schedule records series AALL454 Detail-Credit Card Transaction (The University of Texas Records Retention Schedule (UTRRS)). For more information, refer to the Handbook of Business Procedures:
Processing of Transactions
Departments must use a credit card processing system that is certified by UT Austin's credit card processor (currently Global Payments).
Costs
Departments are responsible for all costs associated with credit card processing, including but not limited to setup fees, monthly maintenance fees, bank fees, discount rate fees, and per transaction fees. The current fee structure can be found on the PCI Compliance and Merchant Services Wiki.
Departments are responsible for handling their own voids, returns, and chargebacks, and will incur all costs associated with such transactions.
Settlement
Departments must settle batches daily with a printed settlement report that lists the total collected for each card type.
Vouchering
Departments must create a VC1 for each day's business and deliver it to the Bursar's Office or email departmental.deposits@austin.utexas.edu with the backup (VC1 printout & settlement report) attached for approval by the end of the next business day. More than one day's business cannot be combined into one VC1.
Reconciliation
Each credit card company will send a statement of activity, which departments are required to reconcile with deposit records and forward to Accounting and Financial Management - Cash Management (campus mail code K5300) or by email to AustinDL-oa.cmcc@austin.utexas.edu by the 20th of each month. Departments can also pull their monthly statements from the Global Merchant Portal and the American Express website.
D. REQUIREMENTS FOR CREDIT CARD PROCESSING
In order to comply with the Payment Card Industry Data Security Standard (PCI DSS) and UT System Rules and Regulations, the following requirements apply to any and all credit card processing taking place on behalf of the University or any College, School, or Unit (CSU) therein.
Payment Processor
The University of Texas System has contracted with Global Payments to provide credit card processing for all credit card merchants within the UT System; any TPSP must use Global Payments as the credit card processor or have a processor exception request approved by UT System.
Merchant of Record
The CSU, not the TPSP, must be the merchant of record (own the merchant account) unless an exception has been granted by UT System.
PCI Compliance
All CSUs processing credit cards must complete an annual compliance process to certify that their business processes, systems, and any vendors or Third-Party Service Providers (TPSP) are PCI Compliant. This process requires the completion of a Self-Assessment Questionnaire by the CSU, and the collection of additional documentation if a TPSP is involved in payment processing.
For CSUs contracting with a TPSP, all vendors involved in the payment collection or eCommerce process must be PCI Compliant, as verified by their current Attestation of Compliance D for Service Providers (AOC D-SP). Both the Attestation of Compliance for Report on Compliance for Service Providers and the Attestation of Compliance for Self-Assessment Questionnaire D for Service Providers are acceptable. If the AOC is not signed by a QSA, the TPSP must also provide documentation of a current passing quarterly network scan from an Approved Scanning Vendor (ASV).
The department must validate the TPSP's compliance annually and provide updated documentation to the CCCT in order for their TPSP to remain in good standing with the University. Non-compliant vendors will not be allowed to continue handling credit card payment or services on behalf of the University.
In order to maintain PCI Compliance, specific requirements for both custom and vendor-provided solutions must be observed. For CSUs building custom eCommerce solutions, please reach out to the Credit Card Compliance Team for guidance on connecting to the University's Credit Card API. No department may build or maintain an eCommerce site that provides checkout functionality (i.e. any interface allowing credit card entry) on University servers or using university resources.
If using a TPSP, the TPSP must provide a network diagram that shows all cardholder data flows across systems and networks. This diagram must include the encryption and transport protocols and hosting information that proves the application and related services are architected in a manner that is compliant with the PCI DSS. The vendor and department should attest that no elements of the solution being implemented will be hosted on University of Texas servers. Sample redacted diagrams can be accessed via Box and provided to vendors as an example if desired.
Information Security Office Approval
The Information Security Office (ISO) must evaluate and approve any eCommerce solution prior to implementation; this includes both custom UT-developed or UT-maintained systems and vendor-purchased solutions.
The CSU must contact the ISO for an application assessment and provide proof of ISO approval to the Credit Card Compliance Team before any eCommerce product or service can be approved for use at the University.
Credit Card Compliance Team Approval
The Credit Card Compliance Team will need to approve the TPSP or custom solution from a PCI DSS compliance perspective. No final action can be taken without approval from the Credit Card Compliance Team.
If approved by the ISO and the Credit Card Compliance Team, the CSU will be required to complete a Self-Assessment Questionnaire (SAQ) annually to confirm their process is compliant with the PCI DSS, along with securing all necessary compliance documentation from any TPSP involved in the credit card acceptance process.
Additional Requirements for Administrative Entry of Cardholder Data
If UT personnel will be entering credit card transactions on behalf of their customers, whether via a POS device, credit card terminal, or website that provides an administrative interface, additional requirements will apply. For POS devices and terminals, see the requirements for Card-Present (In Person) Transactions; for web-based applications, the following conditions must be met:
- The credit card transactions must be processed on a dedicated workstation. This computer or laptop must be configured to prevent all activities and access not related to credit card processing (e.g. no email or web browsing capabilities) and must be isolated from other locations or systems by use of a VLAN (or similar means). An allowlist must be configured to restrict access only to the endpoints required for running credit card transactions. CSUs should work with their respective networking resources to ensure that the configuration and installation of all equipment is completed in a PCI compliant manner.
- The workstation cannot have software installed that could store cardholder data (e.g. batch processing, store-and-forward, or employee monitoring/keylogging software), and must not have any attached hardware devices that are used to capture or store cardholder data (e.g. card readers).
- The computer/laptop cannot be Wi-Fi enabled. All network connections must be made through a wired connection.
- The department must complete the SAQ C-VT (instead of the SAQ A or A-EP required for other eCommerce merchants) annually.
These requirements increase the cost and complexity of accepting credit cards via eCommerce channels, so the convenience of this practice should be weighed against the additional PCI requirements.
E. METHODS FOR CREDIT CARD PROCESSING
Credit card merchants are permitted to use both eCommerce and card-present solutions for processing credit card transactions, and the same merchant can offer multiple channels for card acceptance without requiring multiple merchant IDs. The decision to offer eCommerce vs. card-present payment processing will depend on each CSU’s specific business requirements.
eCommerce
Departments may use vendor-hosted or in-house developed eCommerce solutions to provide shopping cart or online store functionality. Departments may not host any elements that directly facilitate credit card entry (e.g. no “checkout” pages or card entry forms can be hosted on University servers or maintained by University employees).
Both custom and vendor solutions must meet all PCI Data Security Standards and certify their compliance annually.
Custom Solutions
If the department wishes to build a custom eCommerce solution, the Credit Card Compliance Team must approve of the site’s design and sign off on its implementation prior to accepting payments. Engage with the CCCT’s technical experts early to review available options and schedule a design review for approval before beginning any custom development efforts.
Site design and development must take into consideration the full requirements of the current PCI DSS, and any CSU building a custom eCommerce solution must have an in-house development team to provide ongoing service and support or have a contract with the University’s Web and Consulting Services.
Prior to going live, both the CCCT and the ISO must approve the eCommerce application from compliance and security perspectives, respectively. Depending on the user experience and payment flow of the website, additional security measures such as quarterly scanning by an Approved Scanning Vendor (ASV) may also apply.
Vendor Solutions
All TPSPs must comply with the requirements outlined in subsection D. REQUIREMENTS FOR CREDIT CARD PROCESSING. In order to satisfy these requirements, the department should request the following documentation from any vendor under consideration and provide it via email to the Credit Card Compliance Team at creditcards@austin.utexas.edu:
- Confirmation that the vendor can use Global Payments as the credit card processor
- Confirmation that the CSU (not the TPSP) will be the merchant of record
- A current and valid AOC D-SP; no other AOC version will be accepted
- A data flow diagram including encryption protocols and hosting details
- A responsibility matrix clearly indicating vendor, merchant, and joint areas of responsibility for each PCI DSS requirement
A sample engagement email is available on the PCI Compliance and Merchant Services Wiki should CSUs wish to use it for initial vendor outreach.
Card-Present (In Person) Transactions
Card-present solutions involve physical transactions where the credit card is swiped, inserted (also called “dipped”), or tapped at a point-of-sale (POS) terminal. These transactions are typically conducted in-person and provide an additional layer of security through the use of EMV chip technology and PIN verification.
POS Terminals and Systems
Credit card collection using a Point of Sale (POS) terminal is for departments where the customer is present for the card to be swiped, or for departments that do not process a large volume of transactions and only need to process occasional admin-entered credit card payments. A card can be swiped/dipped/tapped on a terminal if the customer is present, or the credit card number can be hand-keyed into the terminal. Basic terminals are available for rent or purchase through Global Payments; these options, along with their current costs, can be found on the PCI Compliance and Merchant Services Wiki.
Note: a merchant’s discount rate classification is dependent on whether the majority of cards are swiped or keyed into the terminal as opposed to conducted via eCommerce methods.
TPSP-Provided POS Systems
Departments are allowed to purchase or rent terminals directly from a TPSP, in addition to the options available through Global Payments, if their specific business needs require a different solution.
The terminal must be EMV-enabled, capable of printing receipts, and must be connected via a cellular or analog phone line or a PCI compliant network (this includes VoIP solutions).
TPSP-provided POS systems must be approved by the Information Security Office and Credit Card Compliance Team prior to purchase, rental, and use. The department must provide both the ISO and CCCT information about the type of equipment and how it will be used and must provide a data flow diagram as outlined in the Vendor Solutions section above. The department should also be prepared to provide the ISO with a sample device for further testing if requested.
Dedicated Workstations/Slim Terminals
In rare situations, card-present transactions may need to be conducted using a laptop or other workstation that is configured to allow credit card entry by users. In these instances, the requirements in the section entitled Additional Requirements for Administrative Entry of Cardholder Data for administrative card entry apply.
Departments may also borrow a cellular terminal from the Office of Accounting if they have an event that requires their normal eCommerce process to accommodate card-present transactions. Please email creditcards@austin.utexas.edu for more information on borrowing a cellular terminal.
Costs for Credit Card Processing
The college, school, or unit (CSU) is responsible for all costs associated with credit card processing. All fees are subject to change without notice. The following fees, where applicable, will be charged to the designated CSU expense account each month by the Cash Management section in Accounting and Financial Management.
- Card brand discount rates and fees
- Surcharges based on card type (e.g. Reward or Business/Corporate cards)
- Usage fees
- Chargeback fees
- Payment gateway fees
- Bank fees
The current fee structure is available on the PCI Compliance and Merchant Services wiki.
The merchant is not allowed to pass on the cost of accepting credit cards to the customer in the form of a convenience fee unless the merchant is only accepting payments for 1098-T eligible expenses. Permission to charge a convenience fee must be granted by the Office of Accounting and Financial Management.
Requesting a Merchant Account
Once all requirements above are met and the CSU is ready to begin processing credit card transactions, the CSU must complete and submit the New Merchant Request form.
All vendor information must be known and approved, and the form must be signed by a Dean, Director, Assistant or Associate Dean or Director, Chief Business Officer, or equivalent before the request will be processed by Cash Management and submitted to Global Payments for creation of the new Merchant ID (MID).
New Merchant Requests can take 3-4 weeks once submitted to Global Payments, and the CSU is encouraged to plan their requests in advance to ensure that the merchant is created with sufficient time for testing prior to going live.
Please direct all questions concerning merchant accounts to the Credit Card Compliance Team at creditcards@austin.utexas.edu.