Credit Card Acceptance & PCI Compliance

Overview

Credit card information, like all other private information, is sensitive data that should be secured and handled in a way that is consistent with the highest industry standards and regulations. Due to the credit card payments received by Ball State, we are considered a merchant and subject to the Payment Card Industry Data Security Standards (PCI-DSS).

The BSU PCI Compliance Committee was created to ensure the University's continued compliance with the appropriate version of the PCI-DSS. The Committee has developed, and will update as necessary, the Credit/Debit Card Handling Procedure to ensure all University credit card acceptance operations remain in compliance with the PCI-DSS.

PCI-DSS compliance is very serious and failure to take appropriate actions or abide by the regulations can have severe and interminable consequences. Due to the importance of compliance, annual training must be undertaken by all areas with exposure to credit cards. Failure to participate in training may result in the removal of all credit card functions in your area.

All University departments and affiliated organizations wishing to accept credit cards as a form of payment must have prior approval by the PCI Compliance Committee. The Requirements and Forms tab below outlines the application process.

If you have any questions, please contact the PCI Compliance Committee (view email).

Requirements and Forms

Annual Requirements

P2PE PCI DSS Attestation of Compliance - to be completed by credit card location department leaders
PCI Training - to be completed by all credit card stakeholders:

Quarterly Requirements

Complete quarterly Credit Card Terminal Inspection Logs (PDF) - a log needs to be completed for each terminal. Send completed logs to view email.

Miscellaneous Requirements

In accordance with the Credit/Debit Card Handling Procedure, Approved Charging Departments are responsible for developing their own internal credit card procedures (download).
Approved charging departments should use the Credit Card Authorization Form (PDF) when recording credit card information received via telephone, secure fax, or mail. Departments are expected to process the transaction as soon as reasonably possible (but no later than two business days) before permanently redacting the sensitive cardholder data received from the cardholder (sensitive cardholder data includes the full card number, card type, and card expiration date).
To accept bank card transactions, a department must be approved as an Approved Charging Department. To establish a new Approved Charging Department, the Dean, Director, or unit head does the following:
1. Sign-in to www.bsu.edu/helpdesk.
2. Go to 'Request Services.'
3. Go to 'Compliance & Security.'
4. Click on 'Credit Cards - Approved Charging Department Request.'
5. Complete the form and submit; upon approval, the area is now approved to accept bank card transactions.

Credit Card Dos and Donts

Do

review the Credit/Debit Card Handling Procedure
develop and adhere to an internal card handling procedure
keep the terminal in constant view of those designated as ‘guardians’ of the terminal when in use
keep the terminal in a secured, locked location when not in use
maintain a terminal inspection log (PDF) for each of your terminals
inspect terminals for tampering and update inspection logs prior to each day’s use; inspect each terminal at least once each quarter (April, July, October, January) even if terminal has not been used
send inspection logs to view email each quarter (send in April, July, October, January)
process EMV cards using the EMV slot (have customers ‘dip’ their cards) instead of swiping the card
if processing from information on the Credit Card Authorization Form, redact sensitive cardholder data (full card number, expiration date, card verification codes), by physically removing all but the last four digits of the card number, as soon as you process a transaction
ensure staff complete PCI compliance training each year; ensure new staff complete training prior to working with credit cards
cease processing on a terminal if you suspect any signs of tampering and contact view email
keep original transaction documentation for a period of 18 months
complete requirements listed in the Requirements and Forms tab above

Don't

record cardholder information on any form other than the approved Credit Card Authorization Form
use a marker to cross out sensitive cardholder data; such data should be physically redacted
retain sensitive cardholder data for a period exceeding two days
process card information received, or send card information details, through unsecured means, like e-mail or voicemail
manually key credit card information if the card is present; use the EMV slot on the terminal instead
touch a customer’s card unless necessary (if handling a customer card is necessary, keep the card in the customer’s line of sight)
process credits or returns without appropriate supervisor approval (supervisors should enter passwords on terminals)
have someone who processes card transactions also be the person who reconciles those transactions
upgrade, replace, or dispose of any equipment without first contacting view email
process credit cards on a terminal you suspect has been tampered with; contact view email

E-Commerce

E-commerce is defined as a transaction of buying or selling goods and services online. This tab outlines the supported methods of e-commerce at Ball State University, costs involved, training materials, and documentation on getting started with a new e-commerce site.

Supported Vendors

Ball State University only has one payment processor that is supported and properly vetted for PCI Compliance, CASHNet. You can create e-commerce sites directly in CASHNet (Storefront or Checkout); or we can integrate with third party vendors to accommodate specialized needs. Some examples of CASHNet integrations include: Tix.com to manage seating for our theater, StarRez manages student housing information, and T2 assigns parking permits/citations. These third party vendors start the transaction with the customer, then redirect the customer to CASHNet for payment collection. Once the payment has been received, CASHNet will send a response back to the vendor system to reconcile records. This ensures that all of the burden of security resides solely within CASHNet. No department is permitted to use any external payment processors (like PayPal or Square) without the expressed consent from view email.

E-Commerce Costs

All credit card transactions will incur fees from the credit card companies. When we create e-commerce sites, we must decide whether we want to absorb those fees or pass them off to the customers. For domestic credit cards, the online credit card processing charge is 2.85% (with a minimum of $3.00) when you pass fees and 2.4% when you absorb fees. International credit cards are charged 4.25% in both methods. If you decide to absorb the fees, there will be a chargeback assessed against your revenue account at the beginning of each month (for the previous month's purchases). If your department is not able to absorb any costs, Transact Payments can be configured to pass those fees onto the customer. Your accounts will not show the fees passed to the customers, but they will display on your Transact Payments reports (as CONVFEE) and on the customer's credit card statements. If your department utilizes a third party vendor as a front-end of an e-commerce transaction, they may charge additional fees for their service.

Another consideration when dealing with credit card transactions, is the cost of data breaches. If there is a case of fraud in which Ball State University is found to be guilty of poorly handling credit card data, we could incur fees of up to $200 per breached card number. This includes forensic investigations ($50,000 - $100,000), repairs, new software/hardware/personnel investments, victim communication and credit monitoring, legal expenses, bank reimbursements, bank and card brand fines (up to $500,000 from each card brand). We would have to hire an external investigator for at least one year (approx. $50,000). We may also get penalized by our acquirer in the form of increased credit card processing fees, or even the cancellation of our contracts entirely. This is why it is very important that Ball State University is never found to be in the "scope" of a credit card data violation. If we utilize only approved payment processors, like CASHNet, and follow the procedures outlined in the Credit/Debit Card Handling Procedure, we should be safe from such litigation.

Dos and Don'ts of E-Commerce

E-commerce dos and don'ts are similar to the normal Credit Card Dos and Don'ts (tab above), except for these additional concerns:

Dos

Review the Credit/Debit Card Handling Procedure document carefully.
Create a link on your departmental website that points to either a CASHNet eMarket, or a vendor's portal website.
You can create index cards with the URL, or QR code, that directs customers to the appropriate website for payment.
You can instruct customers to find a random computer for payment (do not point to any specific computer); or better yet, ask them to use their own personal device (like a cell phone, tablet, or laptop).
Review the PCI-DSS training (PDF) document, then ensure that you and your relevant staff members complete the annual PCI Training (Requirements tab above) online.

Don'ts

If you have a user account in a system that collects, stores, and/or processes credit card data (like CASHNet); you must not share your username/password with anyone else.
You must not enter any credit card data into the credit card processing system on behalf of a customer. Doing so places your computer in scope of PCI compliance because it would be considered a "Virtual Terminal" for payments. Hackers could target your computer with key logging software that can look for credit card numbers that are entered and send them to an external server for storage without your knowledge. The only way to ensure this never happens is to never enter credit card data from a Ball State computer.
Along those same lines, you cannot designate a bank of computers for customers to use on-site. In doing so, you would make those computers "Virtual Terminals," which is prohibited by the Credit/Debit Card Handling Procedure

Sales Tax

Sales of tangible personal property as part of a proprietary activity by the University are generally subject to sales tax. Please see the Sales Tax Collection Matrix (PDF) for a complete breakdown of collection responsibilities based on the purchaser.

A large exception to the proprietary activities rule is the sale of food directly to or for the primary benefit of students. Such sales may take place on an exempt basis as long as certain conditions are met.

For more information please see the Procedure for Collecting, Paying and Reimbursing Sales Tax.

Instructional Documents

The following documents will explain how to perform common functions in CASHNet. Feel free to download and disperse them to all relevant staff members.

Getting Started

Once you have read and understand all of the materials presented above, you will need to download the following forms. You are not required to make any changes or submit these forms to the PCI Committee. Just be aware of how credit card data is handled by CASHNet and make sure you are not circumventing the security provided by the system.

When you are ready to start your new site, please fill out the following questionnaire to the best of your ability. Someone from the PCI Committee will contact you within 3-5 business days with more information. From there we will need to request all necessary Detail Codes in Banner and create a test site for you in CASHNet. Please allow up to two weeks for the site to be live and accepting payments.

eMarket Questionnaire

After your site has been moved to the production server you will need at least one employee to have access to Cashnet. This will allow your department to run reports, fulfill orders, and process refunds. To gain access to Cashnet, you will need to do the following:

Complete the PCI Compliance Training by clicking on the link below.
Login to bsu.edu/helpdesk
Navigate to: Request Services > Security Access > CASHNet (you may need to click the Show More button to expand the list).
After you fill out the first few boxes you will be asked to select the appropriate security class(es). Select eMarket Access (Reporting & Refunds).
In the eMarket Site (ex. EMS123 or ESS123) field, type in the site name that was given to you when your site went live. If you are unsure of the site name, please enter the URL of your site.
Your request will be sent to us automatically and we will e-mail you if we have any questions.
Once you have access to Cashnet, please download the documents in the Instructional Documents section above.

Troubleshooting

Below are some common issues which may arise regarding credit card processing:

eCommerce

If you are receiving a high volume of calls/e-mails stating that the link to your site is not correct or is not working, double-check your URL/web address to CASHNet. If the link you see/provide includes phrases like 'BrowseCatalog' or 'selfserve' in the URL you are providing, the URL is incorrect.

The URL should start with https://commerce.cashnet.com/BALL_* (an example would be: https://commerce.cashnet.com/BALL_EMS001). You cannot copy URLs from the web address bar; you must start with the original URL which was e-mailed to you when your site went live. If you no longer have that URL/web address, please contact view email.

Credit Card Terminals

If the icons indicated below are not green in color, that would mean there is an issue with the functionality that icon represents. In the example below, the terminal does not currently have Ethernet connectivity since the Ethernet icon is white in color.

Before reviewing the below, we recommend you restart your device if you encounter any issues. If at that point, the problem persists, see the resolutions, below:

Troubleshooting Guide
Problem:	What to Do:
My terminal does not have Ethernet connectivity, or my internet icon is white or red.	1. See if another device, like a laptop, can connect to the same port as the one used for the terminal. If another device can connect, contact view email and someone will take a look at the device. 2. Swap the Ethernet cable for another one and restart.
My terminal is displaying a red 'B' icon instead of a blue one.	This typically means that the base is not connected to power. Ensure the base is connected to the transformer and the transformer is connected to an outlet, and then restart the device. If that doesn't work, see if another device gets power from the same outlet. If that device does draw power from that outlet, contact view email and someone will inspect the device.
My terminal is not charging.	1. Ensure the base is connected to the transformer and the transformer is connected to an outlet, and then restart the device. Ensure the lightning bolt icon appears in the upper-right hand corner of the device which shows your battery life. 2. If no lightning bolt icon, be sure the terminal is resting on the base with no obstructions between the terminal and the base. If that doesn't work, see if another device gets power from the same outlet. If that device does draw power from that outlet, contact view email and someone will inspect the device.
My terminal is displaying a blue screen regardless of how many times I restart the device.	Contact view email and someone will be out to take a look. It's possible the device is damaged and needs returned/replaced.
When processing a transaction, I receive a 'FAILURE' message followed by a number.	Please review this list (PDF) of terminal error codes and complete the action in the last column of the list. Contact view email where necessary.
My settlement report from my terminal has an amount which is greater than the total sales for the day in question.	It is possibly due to an offline transaction. This occurs when a transaction is stored by the credit card terminal and not processed immediately because the terminal is not connected to Ethernet. Offline transactions attempt to process automatically the next time the terminal is connected to Ethernet. To get your actual sales for the day, obtain your regular settlement totals report (Config>Transactions>Print Settlement Totals Only) and then subtract the total from the 'Print Offline Settlement Only' report (Config>Transactions>Print Offline Settlement Only).

Office of University Controller

Administration Building (AD), room 301
Ball State University
Muncie, IN 47306

Hours: 8 a.m.-5 p.m. Monday-Friday
Summer - 7:30 a.m.-4 p.m.

765-285-8444

765-285-5519