Before Getting Started
Accepting payment (credit/debit) cards is convenient for both customers and departments. The Cashier's Office will assist you with all aspects of card acceptance. Before deciding to accept payment cards, be prepared to follow policies and procedures that will ensure:
- Financial Integrity: Revenue and expenses are properly recorded and accounted for
- Security & Risk: The method of card acceptance is secure and does not put undue risk on the university or its constituents
- Compliance: The method of card acceptance is compliant with the PCI DSS (Payment Card Industry Data Security Standard)
There are multiple ways to accept payment cards. Which method(s) to use depends on the business purpose/event and how your customers will interact with you.
- Will your customers present their payment cards in-person, over the phone, via US mail, or online?
- Are you selling goods or services, or registering attendees for a conference/event?
- Is this a one-time or ongoing need to accept payment cards?
To comply with MSU policy on the acceptance of credit cards, a unit must have a designated PCI steward, a signed merchant agreement, and a current PCI Self-Assessment Questionnaire (SAQ) on file, regardless of the method(s) used.
Any request made through the Cashier's Office needs time for processing and implementation; the time required varies with the method selected.
You can review the allowable methods below or download the information.
Overview: Why the process method matters
A Unit that accepts payment cards (credit or debit cards) is defined as a Merchant and must comply with the MSU Merchant Services Policy and all the applicable Payment Card Industry Data Security Standard (PCI DSS) requirements. All people, processes, systems, solutions, devices, and applications that are involved in processing payment cards are included in the scope of what needs to be compliant.
Compliance is easier and less costly to achieve and maintain when the processing method chosen meets the business need with the smallest possible PCI scope. This approach also reduces the University's overall risk and the effort needed to maintain compliance. Furthermore, compliance is evaluated at the University level, so noncompliance at one University location makes the entire University noncompliant.
Allowable methods of accepting payment cards
- Wired network or analog phone lines are allowed. Wi-Fi is not allowed.
- Centrally Supported Application – CASHNet
  - Storefront – The customer transaction and payment page are both hosted on the CASHNet server.
  - Checkout – The customer transaction is handed off to CASHNet at the point of payment. However, due to increased security risks, no new Checkout-type stores are allowed.*
- Card Swipe Terminal (Land line)
  - Stand-alone dial-out swipe device attached to an analog phone line. This is the preferred method when the card is present.
  - Also appropriate for Merchants that process orders received via US mail, over the phone, or by fax. Note that the fax machine must connect via a dedicated phone line; it cannot be on a network that is connected to the Internet.
- Mobile Card Swipe Terminal (Cell phone plan, GSM connectivity)
  - A stand-alone swipe device of a specific model approved by the Controller's Office, which connects via a cell phone plan and has its wireless (Wi-Fi) capability disabled.
  - Note that this is not a cell phone, but a device that uses cell phone technology.
- Ethernet Card Swipe Terminal (IP-Ethernet)
  - Must sit behind a properly configured hardware firewall.
  - Contact the Cashier's Office for acceptable models.
- Card Swipe Terminal (Loaner)
  - Standard land-line dial-out swipe device available to Merchants with intermittent, short-term volume. The Merchant must provide an analog phone line.
  - Available on a first-come, first-served basis for a small monthly fee.
*Note: Effective November 1, 2016 with PCI DSS version 3.2, CASHNet Checkout stores will be subject to more stringent requirements. Units with Checkout stores should try to convert to CASHNet Storefronts or begin securing their web apps and environment per PCI DSS version 3.2 immediately.
Methods not allowed
- Wireless (Wi-Fi)
- Smart phones, tablets, or any similar digital device.
- Any solution in which payment card data is entered by an MSU representative (employee, volunteer, etc.) on behalf of a customer/donor into an MSU-owned device connected to the Internet.
- MSU-owned device connected to the Internet that is offered to customers for the purpose of entering their own payment card data (e.g., kiosk).
- Any application/solution/service/device that is not specifically validated as being PCI compliant.
- Any other application/solution/service/device that has not been approved for general campus use by the MSU Controller’s Office or that is not listed in this document under Allowable Methods.