Establishing a Payment Card Merchant Account

Last Updated: June 2008

Responsible University Officer:
  • Treasurer

Procedure Contact:

PROCEDURE

General information on accepting payment cards

The University of Minnesota offers a variety of banking services. One of those services is the accepting of payment cards by University departments. The information that follows helps to accomplish that task.

The first thing to consider before you begin is the cost of offering this service. View the payment card merchant rates for further information.

A second consideration before you begin is your obligation to safeguard private cardholder information, regardless of the method you choose to accept payment cards. Cardholder information is classified as private data by the University of Minnesota and must be handled in a secure manner. For more information on private data and related policies, visit the Privacy and Data Security website. Any information obtained during the processing of a payment card transaction that identifies individual consumers and their purchases (payment card account number, expiration date, name, address, social security number, etc.) must be protected.

In April 2000, Visa announced the launch of its Cardholder Information Security Program (CISP), a program that defines a standard of care for securing Visa cardholder data. CISP was adopted by the payment card industry in January 2005 and is now referred to as PCIDSS (Payment Card Industry Data Security Standards). Compliance with PCIDSS is required of all organizations that store, process or transmit cardholder data. Our bank can assess fines for failure to comply with the program, and can remove the University's ability to accept payment cards as a form of payment for products and services. Additionally, the Office of External Sales has the authority and responsibility to inactivate a unit's payment card merchant account if it determines that the unit is not in compliance with the University's payment card policies or if the unit creates significant risk that is not appropriately mitigated. On an annual basis all merchants are required to complete an online compliance survey (a sample of the PCIDSS Survey).

Please contact the Office of External Sales to open a new merchant account or for information on compliance requirements.

Determine method of accepting payment card transactions

Payment card transactions can be either internet-based or non-internet-based. Internet-based transactions are accepted via the internet (usually through a website, online process or swipe terminal that connects to the internet), while non-internet-based transactions do not use the internet for processing.

Decisions as to the method of payment card acceptance will be affected by:

  • Business need (e.g. your customers require on-line registration)
  • Transaction costs (payment card fees and equipment lease)
  • Compliance costs (equipment purchase, network connections, locked storage, etc.)
  • Work flow within your unit

If a department would like to accept payment cards via the Internet, the following is required:

  • a website
  • a webmaster to support the maintenance of the website
  • a toll free 1-800 phone number (optional)

If these requirements cannot be met, departments must process payment card transactions using a swipe terminal or computer software.

Internet-based Payment Card Transactions

1. Does the department have a webmaster to support the internet site?

A webmaster is a person responsible for maintaining and updating the internet site. Support for the website means: development, maintenance, and updating. If you need to arrange internet support, contact JaWS. If you cannot arrange internet support you cannot accept internet payment card transactions.

2. Complete the Payment Card Merchant Account Application (UM1609).

Download the Payment Card Merchant Account Application (UM1609) and forward to the Office of External Sales. Email is preferred, but mail and fax are acceptable.

Your department has requested the opening of a University of Minnesota Payment Merchant Account. As a result, your department may have access to payment card numbers, expiration dates, and demographic cardholder information. As a condition of maintaining a Merchant Account, your department must:

  • Designate a department Merchant Manager (designated person must read, understand, and sign the Payment Card Merchant Authorization Department Merchant Manager Form)
  • Agree to abide by the 12 PCIDSS standards as well as the University of Minnesota's and any other applicable laws, policies, or standards as they apply to cardholder information.  Available at: https://www.pcisecuritystandards.org/tech/index.htm
  • Have all employees with access to credit card data complete the Employee Non-Disclosure Form (UM1623)
  • Effective July 2005, have all new hires, transfers, reassignments, or promotions with access to more than one payment card number at a time undergo a criminal background check – including a credentials and references check – prior to beginning work. Please contact your department HR representative to initiate this process.
  • Have the Merchant Manager attend PCIDSS Training. Contact the Office of External Sales for the next available session.

3. Webmaster should go to the appropriate website and download the implementation guide.

Once you have received confirmation that your payment card merchant account has been set up, you can proceed with setting up your website to accept payment cards.

Download the implementation guide from www.YourPay.com. You must choose from one of the 3 download options that best fits your website configuration. A brief description of the 3 options follows below:

YourPay API
YourPay API℠ is a tool for the merchant who needs a custom e-commerce solution. The YourPay℠ service application programming interface (API) provides SSL security, fraud protection measures, plus tax and shipping calculators and an automated Electronic Soft goods Download (ESD) module. The YourPay API includes access to the YourPay.com service. The YourPay API service processes payments through a Web site or other custom commerce application, and is best suited for larger merchants with programming expertise. Server management is required.

YourPay Connect
YourPay Connect℠ is a solution for e-commerce payments to a merchant’s Web site. It provides merchants with Web payments, complete with SSL security and fraud protection measures. Merchants need to develop an order form and HTML tags. YourPay Connect comes with access to the YourPay.com service. It is used when the merchant has limited Web development expertise. No secure Web server is required to use YourPay Connect.

YourPay.com
YourPay.com is an online payment service for point-of-sale (POS), face-to-face, and mail order/telephone order capability. It is a PC-based solution. The YourPay.com service enables merchants to process payment card transactions via any computer connected to the Internet. It generates reports on sales, return authorizations and reports through the LinkPoint Secure Payment Gateway.

The installation guide contains the proper scripts and instructions on how to implement them. The scripts allow the website to communicate with the processor (Wells Fargo) to authorize, batch and settle payment card transactions (see the implementation guide for more information).

4. Webmaster receives an ID, administrator password and URL from YourPay.com.

You will be notified once the Office of External Sales has received your new payment card merchant account numbers. At that point you will forward your email address and 1-800 number (if available) to the payment gateway. The payment gateway then builds the account and sends an email to the webmaster with the URL, User ID, and administrative password. If you do not receive this information, contact the Office of External Sales.

The webmaster should log on to the URL with the User ID and password and follow the instructions to complete the account setup.

5. Run test transactions on the website

The department and the Webmaster process test payment card transactions to verify the website and payment module are working correctly.

Do not use real cardholder data for test transactions. Read the Implementation Guide to see how to run test transactions.

OIT Security needs to run a scan of the new IP address prior to the website going “live”. To accomplish this, you need to register your server as "Critical" with OIT Security by filling out the Critical Server ID form. For more information contact oit.security@umn.edu.

If the test transactions fail and it is a script problem, contact YourPay.com.

If the test transactions fail and it is an account problem, contact the Office of External Sales.

6. Payment card transactions can be accepted via the internet. The website can go live.

All staff with access to payment card data must review and understand the privacy website, understand and sign the Employee Non-Disclosure form, and pass the criminal background check (if they have access to more than 1 credit card number at a time).

Continue on to the Document and Deposit Sales procedure.

Non-Internet-based Payment Card Transactions Processed Via Cash Register

A Point of Sale (POS) electronic register with payment card processing module is necessary to process transactions via a cash register.

1. Is the cash register vendor certified?

The cash register has to be certified to work on FirstData’s CardNet/North platform.
Further, all software vendors need to be validated as upholding the best-practice standards outlined by PCIDSS. Validated software vendors are listed under CISP-Validated Payment Applications.

If not, the vendor must choose to certify current software or change to certified software.

If the vendor's current software is not certified, they can choose to have the software certified or the department needs to change to software that is currently certified. Contact the Office of External Sales to verify your vendor’s certification status.

2. Complete the Payment Card Merchant Account Application and Payment Card Merchant Authorization Department Merchant Manager Forms.

Download the Payment Card Merchant Account Application (UM1609) and forward to the Office of External Sales.

Your department has requested to open a University of Minnesota payment card Merchant Account. As a result, your department may have access to payment card numbers, expiration dates, and demographic cardholder information. As a condition of maintaining a Merchant Account, your department must:

  • Designate a department Merchant Manager (designated person must read, understand, and sign the Payment Card Merchant Authorization Department Merchant Manager Form (UM1624))
  • Agree to abide by the 12 PCIDSS standards as well as the University of Minnesota's and any other applicable laws, policies, or standards as they apply to cardholder information.  Available at: https://www.pcisecuritystandards.org/tech/index.htm
  • Have all employees with access to credit card data complete the Employee Non-Disclosure Form (UM1623)
  • Effective July 2005, have all new hires, transfers, reassignments, or promotions with access to more than one payment card number at a time undergo a criminal background check – including a credentials and references check – prior to beginning work. Please contact your department HR representative to initiate this process.
  • Have the Merchant Manager attend PCIDSS Training. Contact the Office of External Sales for the next available session.

3. Department receives welcome kit from Wells Fargo.

The welcome kit includes:

  • Supply of payment card forms (to be used if register is inoperable or the payment card doesn't swipe properly)
  • Information about the merchant number and terminal ID. Contact the register vendor and tell them they can complete the payment card setup in the terminal.

Use this information and follow the instructions to complete the register setup.
The department will also receive welcome kits from Discover and American Express.

4. Process test payment card transactions.

The department and the webmaster process test payment card transactions to verify the register is working correctly. Read the Implementation Guide that you received from the bank, Wells-Fargo, to see how to run test transactions. Do not use real cardholder data for test transactions.

OIT Security needs to run a scan of the new IP address prior to opening the website. To accomplish this, you need to register your server as "Critical" with OIT Security by filling out the Critical Server ID form available at: http://www1.umn.edu/oit/security/guideline/OIT__12594_REGION1.html. For more information contact oit.security@umn.edu.

If the test transactions fail, contact the register vendor. The vendor will determine the problem and help find a solution.

5. Payment card transactions can be accepted via the register. The register can go live.

All staff with access to payment card data must:

  • review and understand the privacy website
  • understand and sign the Employee Non-Disclosure form
  • pass the criminal background check (if they have access to more than 1 credit card number at a time).

Continue on to the Document and Deposit Sales procedure.

Non-Internet-based Payment Card Transactions Processed Via Terminal or Software

1. Determine equipment needed.

Traditional payment card sales can be accepted using a payment card terminal (non-internet swipe terminal) or computer software/Yourpay.com. In order to help you decide which option fits your business process best, an Interactive Fee Comparison Spreadsheet has been developed. Simply enter an estimate of all your business process parameters into the cells with RED characters on each of the first two worksheets (Internet-Desktop and Swipe Terminal). The spreadsheet will automatically calculate:

  • your Cost per Transaction
  • Estimated Annual Cost
  • Percent Cost per Sales Dollar
  • Estimated Annual Revenue
  • Percent Cost per Average Transaction

These numbers will not only help in your equipment decisions but also aid in budgeting and setting product pricing. Contact the Office of External Sales for help in using this tool or deciding which option works best with your process. Once the decision is made, continue on to the next step.

2. Complete the Payment Card Merchant Account Application.

Download the Payment Card Merchant Account Application (UM1609), complete the form, and forward it to the Office of External Sales. Email is preferred, but mail and fax are acceptable.

Your department has requested to open a University of Minnesota Payment Card Merchant Account. As a result, your department may have access to payment card numbers, expiration dates, and demographic cardholder information. As a condition of maintaining a Merchant Account, your department must:

  • Designate a department Merchant Manager (designated person must read, understand, and sign the Payment Card Merchant Authorization Department Merchant Manager Form (UM1624))
  • Agree to abide by the 12 PCIDSS standards as well as the University of Minnesota's and any other applicable laws, policies, or standards as they apply to cardholder information.  Available at: https://www.pcisecuritystandards.org/tech/index.htm.
  • Have all employees with access to credit card data complete the Employee Non-Disclosure Form (UM1623).
  • Effective July 2005, have all new hires, transfers, reassignments, or promotions with access to more than one payment card number at a time undergo a criminal background check – including a credentials and references check – prior to beginning work. Please contact your department HR representative to initiate this process.
  • Have the Merchant Manager attend PCIDSS Training. Contact the Office of External Sales for the next available session.

3. Equipment is delivered or setup information is communicated to department.

If the department is using a terminal they will receive a welcome kit from Wells Fargo Merchant Services that includes the terminal and training information as well as a support phone number to help set up and train employees on the use of the terminal. Standard equipment options are listed in the Standard Equipment and Software Options for Bankcard Processing jobaid.

If the department will be using a PC-based system, they need to 1) buy software off the shelf or from Wells Fargo Merchant Services or 2) access Yourpay.com. The software must be CISP compliant (Wells Fargo software is CISP compliant). Standard PCIDSS compliant options are listed in the Standard Equipment and Software Options for Bankcard Processing jobaid.

For questions, contact the Office of External Sales.

4. Set up the terminal or load the software and test payment card transactions.

The department needs to test payment card transactions to verify the terminal or software is working correctly. Do not test with real credit card data.
For terminal training or answers to terminal problems, please contact the Wells Fargo 1-800 help desk number located on the side of your terminal. If computer software tests fail, contact the software vendor.

5. Bankcard transactions can be accepted.

Continue on to the Document and Deposit Sales procedure. 

 
