FN07 Electronic Payments - Credit Cards
Policy Steward:Associate Vice President for Finance and Corporate Controller>
- General Responsibilities
- Credit Card Processing
- Further Information
- Cross References
To outline the University's Policy on the acceptance of electronic payments, specifically credit cards, as a form of payment by University areas or departments. For the purpose of this policy, the term "credit cards" shall also be construed to include "credit-card-branded," "debit cards" and "check cards." Only units which have established merchant accounts approved through the Corporate Controller's Office are permitted to accept credit cards as payment.
Online systematic acceptance of other forms of electronic payments, such as wires, EFTs and ACHs, must be approved by the Corporate Controller. The use of third-party payment services, such as PayPal, to process payment for goods or services offered by any University unit are not permitted, unless explicitly approved by the Corporate Controller.
Units which have a need to accept credit cards as a form of payment must carefully weigh the benefits and costs related to credit card processing. Security requirements for credit card data are strict and if not enforced, can result in significant monetary fines as well as damage to the reputation of the unit and the University. The Budget Executive in the unit must approve the establishment of all merchant accounts and related terminal IDs within their area of responsibility. Prior to approval, the Budget Executive must consider technical, financial and administrative issues and costs arising from the acceptance of credit cards versus the business need for accepting such payments.
All revenues received through electronic payments must be for the benefit of Penn State and should be processed as outlined in Policy FN01 - Processing Cash Revenues. Penn State University does not permit the acceptance of electronic payments on websites which are hosted on Penn State computers and served by Penn State networks or servers, including PSU-provided personal webspace, unless the area has an approved merchant account. If an individual has the need to accept electronic payments on PSU-provided personal webspace (for example, in support of an academic journal), payment processing should be managed through Penn State’s eCommerce solutions. The individual may not collect or store electronic payment information through the personal website which is part of the Penn State network. In no case may electronic payments, even through third-party vendors, be accepted for any commercial enterprise which results in personal gain to the individual involved as outlined in Policy AD95 - Information Assurance and IT Security.
The University has a responsibility to its customers to protect credit card information, as well as to comply with the Payment Card Industry Data Security Standards (PCI DSS). The only credit card data that can be retained, on paper or electronically, is the last 4 digits of the card number, the expiration date and the card type. Other credit card data, including the full card number, CVC2/CVV2/CID data, PIN/PIN block and track data from the full magnetic stripe, cannot be stored, post authorization. This applies to all University systems, including the AIS eCommerce server, any University servers used or hosted by a third-party, as well as locally maintained systems, including databases, spreadsheets, email, imaging systems, and paper files. Exceptions must be specifically approved by the Corporate Controller.
The University also has a responsibility to protect any other payment information that may be personally-identifying information, as covered in Policy FN23- Identity Theft Detection, Prevention and Mitigation Program.
All University units with merchant accounts, including all terminal IDs tied to a merchant account, are responsible for the following:
- Compliance with all merchant rules established by the credit card companies which apply to the unit, which are available for review on the PSU Merchant Management website;
- Compliance with Payment Card Industry Data Security Standards (PCI DSS), including completion of the annual self-assessment questionnaire;
- Completion of required testing of security systems, network processes, and scheduling of quarterly scans, if processing credit cards through a network;
- Establishment of clear policies regarding returns and refunds, in compliance with University policy and merchant rules; and
- Notification to Security Operations and Services (SOS) of potential breaches.
Special charges or discounts resulting in a price differential between a credit card transaction and a transaction paid by cash or check are not permitted. Merchants must incorporate all costs related to credit card processing into fees charged for goods and services. The only exceptions are for a convenience fee for student account payments through eLion, or exceptions permitted under the conditions of the credit card merchant rules which have been reviewed and approved by the Corporate Controller. For example, merchants are not permitted to charge an additional fee if a payment is made by credit card versus cash or check.
Compliance- Merchants who are not compliant with approved security, storage, and processing procedures per both University and PCI DSS standards will have merchant accounts revoked or suspended.
Security Issues- The unit's network connection may be disabled due to breach or other security issue. Employees involved in breaches of credit card information are subject to the full range of sanctions, including loss of computer or network access privileges, disciplinary action, suspension, termination of employment and possible legal action. Some violations may constitute criminal offenses under local, state or federal laws. The University will carry out its responsibility to report such violations to appropriate authorities.
University units that wish to accept credit cards as a form of payment must first collaborate with the Financial Officer and IT leader for the administrative area to determine if applying for an account is appropriate. In some cases, a unit may have a merchant account, but may have a need to set up a unique Terminal Identification (TID) under that merchant account for a particular unit. If agreement is reached that a merchant account and/or terminal is appropriate, the unit must apply by completing a Credit Card Processing Merchant Request (available on GURU). This application must be completed in full, with the required signatures obtained. The Financial Officer is responsible for forwarding the request to the Corporate Controller's Office for final approval and processing.
Units applying for a merchant account or terminal ID must have a clear business purpose for processing credit card transactions, and will need to identify annual expected dollar volume, transaction volume and expected means of receiving credit card information (in person, phone, fax, mail, web). Units are responsible for all setup, operations, and maintenance costs, including security and breach management. On the application form, the unit must indicate which credit card processing will be used. Applications for merchant accounts may be denied if it is determined that another unit should be processing such payments, for example:
- Only the Bursar and Outreach may process credit card transactions for fees on the student account.
- Conferences and other programs with an external audience must be arranged through Outreach, per Policy AD03 -Conducting Educational Programs Using the Name of the University .
If an application for a new merchant account or terminal ID is approved, the Corporate Controller's Office will coordinate with the credit card processor to establish a new merchant account (or terminal ID). The Corporate Controller's Office will notify the Financial Officer when the account is established.
If any changes are made in how credit card transactions are processed (i.e., move from POS terminals to AIS eCommerce Services), a revised Credit Card Processing Merchant Request must be submitted and approved.
It is the responsibility of the area that accepts credit cards to assure that all credit card sales are recorded on area and University accounting records. The selling unit must establish strict internal controls and reconciliation methods to assure that credit card sales have been properly recorded on central University records. In addition, credit card sales must be reported to the University on a Report of Cash Receipts (ROCR), through the appropriate Student Financial System reporting channels, or through the Report of Electronic Cash Receipts (RECR) available for those processing through AIS eCommerce services. Credit card sales must be reported to the University the same day or the following business day that they are reported to the contracting bank (upon settlement).
Units who no longer have a need for a merchant or terminal ID must contact the Corporate Controller's Office, through their Financial Officer, to formally terminate the merchant ID or terminal ID. The Corporate Controller's Office will notify other offices, such as AIS eCommerce Services and Security Operations and Services, as well as contacting the processor to close the account. Units are responsible for maintaining records for three years even though the merchant account or terminal ID has been closed.
Selling units which participate in credit card sales must offer an equitable exchange or return policy. In cases where the customer wishes to return a purchase for credit, or receive a refund for unused services, a credit must be issued via the same credit card that was used to process the original sales transaction. Refunds by cash are not permitted. Refunds by check are permitted only when a credit cannot be issued through the original credit card processing resources. Refer to Policy FN08 - Refunds for guidance on refunds by check.
As a merchant, units are required to keep a written record of all customer complaints where a credit card was used for payment. The follow information must be included in your written record for future reference:
- Cardholder’s name
- The units reference number, account number, or order number (not the full credit card number)
- The date and time the cardholder asserted the claim
- The nature of the claim
- The action taken to resolve the dispute (this section should be very detailed)
This documentation should be kept with your original transaction information so that everything is together and can be accessed in the future if needed.
Handling of cardholder complaints/disputes must follow the specific procedures as required by the Merchant Services Agreement and comply with the Fair Credit Billing Act. The University processor should be contacted with any questions regarding the handling of cardholder complaints.
Chargebacks must be responded to in a timely basis. More detail on chargeback procedures is available on the PSU Merchant Management website.
For questions, additional detail, or to request changes to this policy, please contact the Office of the Corporate Controller.
- More detailed information about the processing of credit card sales is available on the PSU Merchant Management Website.
- Policy AD95 - Information Assurance and IT Security
- Policy FN01 - Processing Cash Revenues
- Policy FN08 - Refunds
- Policy FN23 - Identity Theft Detection, Prevention and Mitigation Program
- Report of Cash Receipts (ROCR)
- Report of Electronic Cash Receipts (RECR)
Most recent changes:
- September 10, 2018 - Editorial changes to correct hyperlinks and remove redundant Date Approved, Date Published, and Effective date.
Revision History (and effective dates):
- September 25, 2013 - Editorial changes. Addition of policy steward information, in the event that there are questions or requests for changes to the policy.
- September 21, 2011 - Editorial change in PURPOSE section, second paragraph, to clarify approval requirements for other forms of electronic payments, such as wires, EFTs and ACHs.
- November 30, 2010 - Significant changes have been made to bring this policy in line with current University and industry practices.
- March 30, 2004:
- Significant changes have been made to bring this policy in line with current University and industry practices.
- The Corporate Controller's Office and Administrative Information Services (AIS) administer the only resources authorized for establishing merchant accounts and processing credit card payments at Penn State. Individuals and areas are not permitted to make alternative arrangements.
- Added Financial Officers to approval process for allowing areas to accept credit cards.
- Use of the AIS eCommerce system was added.
- Now allows surcharges to be added for credit card payments but under eLion only.
- "Office of Administrative Systems" changed to "Administrative Information Services" and the "Associate Treasurer" to "Corporate Controller's Office."
- The DEPOSIT section was deleted since paper credit card slips are no longer used with the advent of electronic processing.
- Editorial changes for clarity.
- January 24, 2000 - The section INTERNET/INTRANET SALES was added.
- September 16, 1992 - Added the section LIMITATIONS, and revised wording regarding the Report of Cash Receipts.
- March 27, 1991 - Limited holding of credit card slips to no more than three days.
- May 31, 1989 - Changed "Assistant Treasurer" to "Associate Treasurer."
- January 22, 1988 - Under the section CONTROL AND REPORTING, added provisions for the Integrated Student Information System. Under the DEPOSIT section, added provision for electronic data capture.
- November 21, 1986 - Changed " Director of Financial Management" to "Assistant Treasurer." Expanded charges to be absorbed by department to include any bank charges. Other editorial changes for clarity.
- August 15, 1986 - Minor editorial changes for clarity.
- July 25, 1983 - Redesignated from CS07 to FN07.
- September 3, 1980 - New Policy.
Date Approved:November 29, 2010>
Date Published:September 25, 2013>