OMS Standard: Accepting Payments

Applicability: University of Washington

Standard Title: OMS Standard - Accepting Payments

PDF Version: oms-standard-accepting-payment.pdf

Purpose

This standard establishes the requirements for payment card acceptance at UW. All current and prospective University merchants are required to comply with this standard, and applicable Payment Card Industry Data Security Standards (PCI-DSS), in accordance with Administrative Policy Statement APS 35.1.

Scope

This standard applies to any University merchant accepting payment cards.

Requirements

  1. All merchants will accept American Express, Discover, Visa and MasterCard
  2. Approved methods of accepting payments: ALL CARD DATA MUST BE TAPPED, INSERTED, SWIPED, OR ENTERED THROUGH A CERTIFIED P2PE PAYMENT CARD TERMINAL; OR BY THE CUSTOMER THROUGH AN OMS APPROVED E-COMMERCE SYSTEM.
    1. Card Present Transactions
      1. In-person
        1. All efforts must be made by the merchants to have the customer tap, insert or swipe their own payment card or NFC device (e.g. iPhone, Android Phone) on the P2PE payment card terminal
        2. For one-time or special events, OMS has P2PE terminals available for temporary use
      2. Self-service Kiosk
        1. P2PE payment card terminal must be physically secured to the kiosk
        2. It is recommended the kiosk be physically secured to a wall, floor, etc.
        3. Kiosk P2PE payment card terminal must be inspected daily for tampering and results recorded using an OMS Inspection Log.
      3. Near Field Communication (NFC)
        1. When the terminal or Point of Sale device is capable, merchants must accept NFC payments
          1. Examples of NFC: Google Pay, ApplePay, Samsung Pay, etc.
    2. Card-Not-Present Transactions (Mail, Phone, Ecommerce)
      1. Mail or other payment forms collected on paper (not including fax)
        1. Mail payments must be collected through the University central lockbox provider or a Merchant Services approved process that meets PCI DSS requirements.
      2. Phone
        1. Phone payments may be accepted over the following methods:
          1. Pass the transaction to a third-party Interactive Voice Response (IVR) system approved by OMS
            1. If the employee stays on the phone line during the IVR process, a DTMF (Dual-Tone Multi-Frequency) masking process must be used so that the keyed card digits are not audible to the employee or captured in call recordings.
            2. Calls originating from an unsecured line (not using IVR) cannot be transferred. Customers must either be instructed to call a secure payment phone line (number) or be called back from a secure payment phone line.
          2. Analog phone line
      3. E-commerce
        1. E-commerce transactions are cardholder-initiated transactions. University employees are not permitted to process transactions through their E-commerce application on behalf of the cardholder.
        2. E-commerce sites must use CAPTCHA. CAPTCHA reduces the risk of fraudulent payment card “testing” (automated attempts to validate stolen card numbers through small transactions), which may result in financial and reputational loss to the Merchant and University.
      4. Retaining Card Holder Data (CHD)
        1. See Data Retention in OMS Standard – Merchant Responsibilities
        2. CHD must never be stored electronically
        3. Written payment card data must be authorized immediately, or within one business day of receipt. Any payment card numbers that are kept overnight must be locked in a secure area with limited, need-to-know access.
        4. After the transaction is authorized, the three-digit security code, expiration date, and all but the last four digits of the payment card number must be redacted appropriately or removed from the form and cross-cut shredded.
  3. Prohibited methods of accepting payments
    1. Fax
      1. Do not process the payment
      2. Contact the customer and arrange an approved method of payment
      3. Cross-cut shred the paper copy
      4. Do not print the fax if delivered electronically (eFax)
      5. Fax Machine: Delete from the device and network (you may have to contact IT support to do this)
      6. eFax: The eFax email must be deleted immediately from the email inbox and deleted folder
    2. Email
      1. Do not process the payment
      2. Do not print the email
      3. Contact the customer and arrange an approved method of payment
      4. The email must be deleted immediately from the email inbox and the deleted folder
    3. Voicemail
      1. Do not process the payment
      2. Contact the customer and arrange an approved method of payment
      3. The voicemail must be deleted immediately from the voicemail inbox and the deleted folder
    4. Entering payment card data on behalf of the customer through a University-issued device other than an approved Point-of-Sale or card reader device (e.g. typing payment card information into a web terminal through a keyboard attached to a University computer) is not allowed
  4. Charging convenience/surcharge/service fees
    1. UW Merchants are not permitted to charge convenience or surcharge fees
    2. Merchants may enroll in card brand tuition surcharge fee programs such as VISA Government and Education Program.

Links

Administrative Information

Version: 1.6

Date Established: Aug 7, 2019

Date Effective: Dec 15, 2020

Next Review Date: Jan 1, 2026

Contact: Office of Merchant Services – pcihelp@uw.edu