eCommerce and Merchant Services

Learn about best practices, Michigan State University standards, and available tools for accepting credit and debit card payments at MSU.

Announcement

Many of you received a notice because one or more of your ecommerce solutions is partially outsourced (e.g., CASHNet Checkout store). As required in the past three years, your source code must first be reviewed before the online Self-Assessment Questionnaire (SAQ) can be completed.

As a courtesy, we included some of the developers who assisted with providing the source code last year. Please share this request with the appropriate people.

What is occurring?  Annual PCI Attestation

Each merchant location that accepts payment cards must complete an online SAQ every year.  MSU cannot assert compliance with our acquiring bank until a SAQ is completed for each merchant.

Because your store is defined as partially outsourced, there are preliminary steps you need to perform in order to qualify for SAQ A. 

How do I qualify to use SAQ A?  Submit Code for Review

Why do we need to do this?

Technical requirements to qualify for SAQ A when partially outsourced

  1. Your payment or checkout page must be served from an MSU-hosted web site.
  2. This page is usually the last page the customer interacts with before the processor's payment page is displayed in the customer's browser.
  3. Your payment/checkout page, which transfers the customer to the processor (CASHNet or Authorize.Net or other payment processor approved by the Cashier’s Office), must use either a URL redirect (static link or redirect link, e.g. an HTTP 302 response code) or an iFrame. Your page must not use an HTML <FORM> that submits to the processor, whether by GET or POST.
  4. The URL redirect or iFrame must be created server side and may not be created client side via JavaScript or any other script running in the customer’s browser.
  5. Depending on your specific implementation, it may not be possible to capture the HTML of this page (HTTP 302 response code). In that case, you should provide source code for the redirect page and the HTML of the page immediately preceding the redirect page.   

As always, any changes made to the source code of the payment/checkout page throughout the year must also be reviewed again.
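
A pre-submission self-check for the redirect and iFrame rules listed above, as an added example (not MSU's review tooling or code from any MSU store). The hostname pay.processor.example and all function names are assumptions, and the script check is a simple heuristic rather than a full analysis of JavaScript.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST = "pay.processor.example"  # assumption: placeholder processor hostname

def is_processor(url, host=HOST):
    return (urlparse(url or "").hostname or "").lower() == host

class CheckoutReview(HTMLParser):
    def __init__(self, host):
        super().__init__()
        self.host, self.findings, self.handoff, self.in_script = host, [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and is_processor(a.get("action"), self.host):
            method = (a.get("method") or "get").upper()
            self.findings.append(f"form {method} to processor")
        elif tag == "iframe" and is_processor(a.get("src"), self.host):
            self.handoff.append("iframe")   # allowed when present in server-sent HTML
        elif tag == "a" and is_processor(a.get("href"), self.host):
            self.handoff.append("link")     # static link, also allowed
        self.in_script = tag == "script"

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        # Heuristic: a script naming the processor is building the hand-off client side.
        if self.in_script and self.host in data.lower():
            self.findings.append("script references processor (client-side hand-off)")

def review_page(html, host=HOST):
    """Return (findings, handoff) for one captured checkout page."""
    r = CheckoutReview(host)
    r.feed(html)
    r.close()
    if not r.handoff and not r.findings:
        r.findings.append("no server-rendered link or iframe to processor found")
    return r.findings, r.handoff

def review_redirect(status, location, host=HOST):
    # True only for an HTTP 302 whose Location header points at the processor.
    return status == 302 and is_processor(location, host)

# Constructed samples, not taken from any MSU store.
BAD = ('<form method="post" action="https://pay.processor.example/pay"></form>'
       '<script>location.href = "https://pay.processor.example/pay";</script>')
GOOD = '<p>Order total: $20.00</p><iframe src="https://pay.processor.example/pay"></iframe>'
if __name__ == "__main__":
    print(review_page(BAD), review_page(GOOD))
```

An empty findings list with a non-empty handoff list matches items 3 and 4; for a store that redirects instead of rendering a page, review_redirect covers the HTTP 302 case mentioned in item 5.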

What are the next steps?

After the code review is complete, you will be notified that you are eligible to complete SAQ A.

Please contact the Cashier’s Office at 517-355-5023 or pcidss@ctlr.msu.edu if you have any questions.

Thank you for your continuing efforts to keep MSU PCI compliant!