eCommerce and Merchant Services
Learn about best practices, Michigan State University standards, and available tools for accepting credit and debit card payments at MSU.
Many of you received a notice because one or more of your ecommerce solutions is partially outsourced (e.g., CASHNet Checkout store). As required in the past three years, your source code must first be reviewed before the online Self-Assessment Questionnaire (SAQ) can be completed.
As a courtesy, we included some of the developers that assisted with providing the source code last year. Please share this request with the appropriate people.
What is occurring? Annual PCI Attestation
Each merchant location that accepts payment cards must complete an online SAQ every year. MSU cannot assert compliance with our acquiring bank until a SAQ is completed for each merchant.
Because your store is defined as partially outsourced, there are preliminary steps you need to perform in order to qualify for SAQ A.
How do I qualify to use SAQ A? Submit Code for Review
- Please refer to the documentation you provided last year to qualify to use SAQ A. The code needs to be revalidated annually.
- Send documentation of your webpage code to the Cashier’s Office at PCIDSS@ctlr.msu.edu – deadline 4/20/18
- Your documentation must include:
  - the web server’s IP address
  - the web address of your ecommerce site, and
  - the URL of your payment/checkout page.
- Source code:
  - Must contain a plain ASCII HTML file of the entire web page, as produced by pressing Ctrl-U (View page source) in Firefox, Chrome, or Internet Explorer. Copy and paste this into Windows Notepad or a similar plain text editor and save.
  - In your e-mail, provide the line number for the location in the code where your web page directs the student/customer/donor to the payment processor. The Ctrl-U (View source) function in your web browser provides the line numbers on screen.
- Please include the four-digit store number (e.g., 3123) in the subject line of the email.
Why do we need to do this?
Technical requirements to qualify for SAQ A when partially outsourced
- Your payment or checkout page must be served from an MSU-hosted web site.
  - This page is usually the last page the customer interacts with before the processor's payment page is displayed in the customer's browser.
- Your payment/checkout page which transfers the customer to the processor (CASHNet or Authorize.Net or other payment processor approved by the Cashier’s Office) must use either a URL redirect (static link or redirect link, e.g. an HTTP 302 response code) or an iFrame. Your page must not use an HTML <FORM> using either GET or POST to the processor.
  - Depending on your specific implementation, it may not be possible to capture the HTML of this page (HTTP 302 response code). In that case, you should provide source code for the redirect page and the HTML of the page immediately preceding the redirect page.
As always, any changes made to the source code of the payment/checkout page throughout the year must also be reviewed again.
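One way to find the line number requested above and to pre-check the redirect/iFrame requirement on a saved View Source file, as an added example that is not part of the original notice or of the Cashier’s Office review. The host `processor.example` is a placeholder assumption for your processor's hostname, and the names `HandoffFinder` and `review` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: placeholder host; replace with the processor host your store uses.
PROCESSOR_HOSTS = ("processor.example",)

# Attribute that carries the destination URL for each element of interest.
# formaction on a submit button overrides the enclosing form's action.
URL_ATTR = {"a": "href", "iframe": "src", "form": "action",
            "button": "formaction", "input": "formaction"}


class HandoffFinder(HTMLParser):
    """Collect (line, tag, url, allowed) for elements targeting the processor."""

    def __init__(self, hosts=PROCESSOR_HOSTS):
        super().__init__()
        self.hosts = hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTR:
            return
        url = dict(attrs).get(URL_ATTR[tag]) or ""
        host = (urlparse(url.strip()).hostname or "").lower()
        # Exact host or a subdomain of it; look-alike names do not match.
        if not any(host == h or host.endswith("." + h) for h in self.hosts):
            return
        line = self.getpos()[0]  # 1-based, same numbering as View Source
        # Links and iFrames are acceptable; form submissions are not.
        self.findings.append((line, tag, url, tag in ("a", "iframe")))


def review(html_text, hosts=PROCESSOR_HOSTS):
    """Return every hand-off to the processor found in the saved page."""
    finder = HandoffFinder(hosts)
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample page, not taken from any real store.
SAMPLE = """<html><body>
<a href="https://processor.example/checkout">Pay now</a>
<form action="/cart/update" method="post">
<button formaction="https://pay.processor.example/checkout">Checkout</button>
</form>
<form method="POST" action="//processor.example/pay"></form>
</body></html>"""
```

Calling `review()` on the saved file's text returns one tuple per hand-off, with the last field `False` for anything that submits a form to the processor. It inspects static HTML only, so a form built by JavaScript at run time will not appear.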
What are the next steps?
After the code review is complete, you will be notified that you are eligible to complete SAQ A.
Please contact the Cashier’s Office at 517-355-5023 or email@example.com if you have any questions.
Thank you for your continuing efforts to keep MSU PCI compliant!