Applicability: University of Washington

Standard Title: OMS Standard - Accepting Payments

PDF Version: oms-standard-accepting-payment.pdf

Purpose

This standard establishes the requirements for payment acceptance of all UW Merchants accepting payment cards. All prospective University merchants are required to comply with this standard, and applicable Payment Card Industry Data Security Standards (PCI-DSS), in accordance with Administrative Policy Statement APS 35.1.

Scope

This standard applies to any University merchant accepting payment cards.

Requirements

1. All merchants will accept American Express, Discover, Visa and MasterCard
2. Available methods of accepting payments ALL CARD DATA MUST BE SWIPED, INSERTED, OR ENTERED THROUGH A CERTIFIED P2PE PAYMENT CARD TERMINAL; OR BY THE CUSTOMER THROUGH AN OMS APPROVED E-COMMERCE SYSTEM.
   1. Card Present Transactions
      1. In-person
         • All efforts must be made by the merchants to have the customer swipe or insert their own cards on the payment terminal as the preferred method of accepting in-person payments.
         • OMS is working to provide terminals for temporary use events. (This bullet to be updated when contract is signed with vendor)
      2. Self-service/kiosk
         • If the P2PE payment card terminal is in a kiosk, the device must be physically secured to the kiosk and inspected for tampering daily utilizing the OMS Inspection Log.
      3. Near Field Communication (NFC)
         • For all Card Present Transactions, if the terminal or Point of Sale device are capable, merchants must accept NFC payments
         • Examples of NFC: Google Pay, ApplePay, etc. 
   2. Card-Not-Present Transactions
      1. Mail or other payment form collected on paper (not including fax)
         • Written payment card data must be authorized immediately, or within one business day of receipt. Any payment card numbers that are kept overnight must be locked in a secure area with limited, need to know access.
         • After the transaction is authorized, all but the last four digits of the payment card number must be redacted appropriately (see OMS Standard – Merchant Responsibilities) or removed from the form and cross-cut shredded.
      2. Phone
         • Phone payments may be accepted over the following methods:
           • Analog phone line
           • Cloud 3rd party Voice over Internet Protocol (VOIP) approved by OMS
           • Pass the transaction to a 3rd party Interactive Voice Response (IVR) system approved by OMS
             • If the employee stays on the phone line during the IVR process, a Dual Tone Masking process must be used (DTMF).
         • Payment card information should only be written down if card data cannot be immediately entered directly into the P2PE device.
         • Written payment card data must be authorized immediately, or within one business day of receipt. Any payment card numbers that are kept overnight will be locked in a secure area with limited, need-to-know access.
         • After the transaction is authorized, all but the last four digits of the payment card number must be redacted appropriately (see OMS Standard – Merchant Responsibilities) or removed from the form and cross-cut shredded.
      3. E-commerce
         • E-Commerce transactions are cardholder-initiated transactions.  University employees must not process transactions through their E-Commerce application on behalf of the cardholder. 
         • E-Commerce sites must use CAPTCHA. CAPTCHA assists in preventing the fraudulent “testing” of payment cards which may result in financial and reputational loss to the merchant and University.
   3. Prohibited methods of accepting payments
      1. Fax
         • UW Merchants must not accept credit card payments via fax
         • If payment card data is received, ensure the data is purged from the fax and network (you may have to contact IT support to do this)
         • Cross-cut shred the fax
         • Do not print the fax (if stored electronically) or process the payment. Contact the customer and arrange a different method of payment.
      2. Email
         • UW Merchants must not accept credit card payments via email
         • If payment card data is received, the email must be deleted immediately from the email box and the deleted folder.
         • Do not print the email or process the payment. Contact the customer and arrange a different method of payment.
      3. Entering payment card data on behalf of the customer through a University issued device other than an approved Point-of-Sale or card reader device (i.e. typing payment card information into a web terminal through a keyboard attached to University computer) is not allowed.
   4. Charging convenience/surcharge/service fees
      1. UW Merchants will not charge convenience or surcharge fees
      2. Merchants may enroll in card brand tuition surcharge fee programs such as VISA Government and Education Program.

Links

• OMS Glossary
• Becoming a Merchant
• Payment Card Acceptance Administrative Policy Statement
• Payment Card Industry Data Security Standard

Administrative Information

Version: 1.4

Date Established: Aug 7, 2019 

Date Effective: Dec 15, 2020

Next Review Date: Jan 1, 2024

Contact: Office of Merchant Services – pcihelp@uw.edu