It is very important that all credit card information be safeguarded. Safeguarding credit card information is vital to ensure compliance with . All departments that collect credit card payments must ensure all staff members adhere to these standards.
Currently the University accepts MasterCard, Visa, Discover, & American Express for departmental charges.
Before a department may accept credit card payment transactions for University-approved events, a merchant account must be established.
If you have any questions about this process, please contact the PCI Compliance Specialist at pci@odu.edu.
TouchNet is the platform used for online storefronts which accept electronic payment on behalf of the University. Before a department may accept credit card payment transactions for University-approved events or services, a merchant account must be established. The forms required to initiate this process are listed below. Please review our TouchNet Best Practices Guide for guidance and assistance.
For more information on TouchNet, please contact our PCI Compliance Specialist.
Merchant Establishment Form
Before any department may accept credit card payment transactions, a merchant account must be established. To do so, please submit a complete Merchant Establishment Form at least 30 days prior to the desired date the department will begin accepting card payments.
Please Note: This form must be signed by a Department Budget Unit Director.
Merchant ID Request Form
After a department has been approved as a merchant by the University Controller, the department must then submit a Merchant ID Request Form to identify specific banking and account information about the merchant account so that an account number can be requested from the University's merchant services provider, Bank of America. University policies and guidelines apply to all merchant departments.
Please Note: This form must be signed by a Department Budget Unit Director.
All merchant departments requiring an online uStore must submit a TouchNet User Request Form to be approved by the Office of Finance. This form must be signed by a supervisor.
Please Note: Departments must check the boxes below "Marketplace Roles" to agree to notify ITS and the Office of Finance if the department is selling taxable items, if the department will be shipping the items, and/or if the request is a change request.
If you collect Credit Card Payments on behalf of the University, you are required to complete the PCI Training annually. Please contact the University PCI Compliance Specialist/Designee at pci@odu.edu for Payment Card Training.
Contact our PCI Compliance Specialist with any questions.
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the PCI Security Standards Council to enhance cardholder data security and provide baseline technical and operational requirements to protect account data. It was created by the PCI Security Standards Council (PCI SSC), which is comprised of the five major credit card brands (American Express, Discover, JCB International, Mastercard, and Visa). The University is committed to these standards.
All employees of the University who are involved in the accepting, processing, or reconciling of payment card transactions are required to comply with all payment card security guidelines. For more information, please visit the
University merchants accept Mastercard, Visa, American Express, and Discover for departmental charges. All University employees accepting, processing, or reconciling online or in-person payment card payments from these major card companies must follow PCI Compliance Requirements as distributed by the Office of Finance PCI Compliance Specialist. All employees must complete the PCI Security and Confidentiality Agreement training before handling credit card data.
The requirements are specific and may vary per each merchant department. Merchant departments must work with our PCI Compliance Specialist to determine their specific compliance responsibilities. All employees within each department responsible for accepting online or in-person payment card payments must complete and submit any additional required forms. The original forms are reviewed annually and must remain readily available within each merchant department.
Please contact the PCI Compliance Specialist with any questions or to obtain a copy of PCI Compliance Requirements for your department.
- Any organization that is processing credit or debit cards
- Employees who handle payment card data in person at the point of sale, through mail orders, telephone orders, or online via an e-commerce website
- All employee(s) who receive or transmit cardholder data physically on a paper form or electronically on an e-commerce site
- Employee(s) that utilize a system that processes or stores cardholder data
- Employee(s) that use a device connected to other systems that process or store cardholder data
The outcome of PCI non-compliance will severely impact the University and its stakeholders. An incident will have the following results:
- If a breach occurs and the merchant or the University is found to be non-compliant, the individual card brands can assess fines up to $500,000 per breach.
- The University will be responsible for notifying all victims, and the card brands may require the University to pay card replacement costs or reimburse all fraudulent purchases.
- A forensic investigation may be required and conducted by a PCI-approved firm.
- The card brand may require the University to validate as a Level 1 merchant, which brings increased assessment requirements and costs. In addition, the monthly fee per department will vary based on the volume of transactions per year.
- The card brands can also remove the University's ability to accept and process cards or charge higher processing fees.
- The reputational damage and loss of trust from customers who may not want to do business with the University again due to lack of security will devastate our industry.
The PCI DSS rules and regulations are mandatory for all merchants and employees with access to cardholder data. Therefore, compliance at the University is compulsory and must be administered and adhered to daily. If a merchant or employee(s) violates the PCI DSS rules, the Controller's Office may terminate the department's merchant account.
Visitor's Log
All merchant departments that have payment card terminals are required to keep a current Visitor Log with the terminal, which is used to maintain a physical audit trail of visitor activity to the facility where cardholder data is transmitted.
Daily Use/Tamper Log
All merchant departments with payment card terminals are required to protect these devices and to physically inspect them for tampering or device substitution with this form.
Clover Role & Designation Form
All Merchants that have employees that require access to their department's Clover Flex terminal must submit this form, which assists the PCI Compliance Specialist in assigning individuals access to the department's Clover Flex. This form must be signed by a supervisor.
At the end of every calendar year, PCI DSS requires the Office of Finance to collect Self-Assessment Questionnaires (SAQs) from each merchant on campus. The SAQs may be found on the website.
Bank of America and CampusGuard representatives notify the Office of Finance about SAQ specifics, due dates, and completion requirements. The PCI Compliance Specialist will be in touch with each merchant department with these specifics annually.
All cashiering transactions performed by University departments must be processed through the Cashiering Office in the Office of Finance. Departments responsible for collecting money must adhere to all applicable state and University policies and procedures.
Please visit our Departmental Deposit page for requirements and details on reconciliation reporting and revenue deposits.
Identity Theft Information
A Red Flag is a transaction in which a reasonable person should suspect that they may be interacting with an individual using someone else's identity. Learn how to protect yourself and others from crime.