Before Getting Started
Accepting payment (credit/debit) cards is convenient for both customers and departments. The Cashier's Office will assist you with all aspects of card acceptance. Before deciding to accept payment cards, be prepared to follow policies and procedures that will ensure:
- Financial Integrity: Revenue and expenses are properly recorded and accounted for
- Security & Risk: The method of card acceptance is secure and does not put undue risk on the university or its constituents
- Compliance: The method of card acceptance is compliant with the PCI DSS (Payment Card Industry Data Security Standard)
There are multiple ways to accept payment cards. Which method(s) to use depends on the business purpose/event and how your customers will interact with you.
- Will your customers present their payment cards in-person, over the phone, via US mail, or online?
- Are you selling goods or services, or registering attendees for a conference/event?
- Is this a one-time or ongoing need to accept payment cards?
To be compliant with MSU policy regarding acceptance of credit cards, there must be a PCI steward, a signed merchant or usage agreement, and a current PCI self-assessment questionnaire (SAQ), regardless of the method(s) used.
Any request made through the Cashier's Office will need time for processing and implementation; the time required will vary based on the method selected.
You can review the allowable methods below or download the information.
Overview: Why the process method matters
A Unit that accepts payment cards (credit or debit cards) is defined as a Merchant and must comply with the MSU Merchant Services Policy and all the applicable Payment Card Industry Data Security Standard (PCI DSS) requirements. All people, processes, systems, solutions, devices, and applications that are involved in processing payment cards are included in the scope of what needs to be compliant.
Compliance is easier and less costly to achieve and maintain when the processing method chosen is one which meets the business needs with the minimal scope. This approach will also reduce the University’s overall risk and effort to maintain compliance. Furthermore, compliance is evaluated at the University level such that noncompliance by one University location causes the entire University to be noncompliant.
MSU Cashier's Office
- Must pre-approve all processing methods, service providers, terminal types, and methods of connectivity.
- Will cancel or deactivate any Merchant found to be noncompliant with this policy or the PCI DSS.
Allowable methods of accepting payment cards
eCommerce, Centrally Supported Applications
- Storefront – Customer transaction and payment page are both hosted on the Cashnet server.
- Checkout – Customer transaction is handed off to Cashnet at the point of payment.
  - Merchant website source code must be reviewed at least annually by the PCI Team.
  - Due to increased security risks, no new Checkout type of stores are allowed.
- Enterprise version of an outsourced event management application.
  - MSU Cashier's Office manages access to create events under MSU's enterprise account.
Card Present Stand-alone Card Terminals – for Face-to-Face and Mail Orders
- Applicable Environments
  - Stand-alone card terminals.
    - These are NOT smart devices with a dongle. The terminal must be a card terminal specifically built to only accept payment cards.
  - Appropriate for Merchants that process orders received via US mail or by fax.
    - Note that the fax machine must connect via a dedicated phone line; it cannot be on a network that is connected to the Internet.
    - The fax machine cannot be used for any other purpose except to receive card numbers.
- Device Options
  - PCI-Validated P2PE (Point-to-Point Encryption) Device
    - Specially designed pre-approved card devices that operate on wireless or cellular transmission.
    - A P2PE device is a card terminal specifically built to only accept payment cards. The device can stand alone or connect to another device (e.g., PC, laptop, smart device).
  - Card Terminal (connected via Cellular)
    - Stand-alone card terminal configured to connect via a cellular plan only.
  - Ethernet Card Terminal (connected via dedicated IP line)
    - Must have a properly configured hardware firewall or, preferably, connect to the centrally managed VLAN.
    - Contact the MSU Cashier's Office for acceptable models, line installation, and approval.
  - Card Swipe Terminal (Loaner)
    - Stand-alone terminals available to Merchants with intermittent, short-term volume.
    - Optional models include P2PE or cellular.
    - Available on a first-come, first-served basis for a small usage fee.
Methods not allowed
- Wireless (Wi-Fi) – unless used with pre-approved P2PE device.
- Smart phones, tablets, or any similar digital device – unless used with pre-approved P2PE device.
- Any solution in which payment card data is entered by an MSU representative (employee, volunteer, etc.) on behalf of a customer/donor into an MSU-owned device connected to the Internet – unless used with pre-approved P2PE device.
- MSU-owned device connected to the Internet that is offered to customers for the purpose of entering their own payment card data (e.g., kiosk).
- Any application/solution/service/device that is not specifically validated as being PCI compliant.
- Any other application/solution/service/device that has not been approved for general campus use by the MSU Cashier’s Office or that is not listed in this document under Allowable Methods.
eCommerce at MSU
Manual of Business Procedures, Section 17