Before Getting Started

Accepting payment (credit/debit) cards is convenient for both customers and departments. The Cashier's Office will assist you with all aspects of card acceptance. Before deciding to accept payment cards, be prepared to follow policies and procedures that will ensure:

There are multiple ways to accept payment cards. Which method(s) to use depends on the business purpose/event and how your customers will interact with you. 

To comply with MSU policy on accepting credit cards, there must be a PCI steward, a signed merchant agreement, and a current PCI Self-Assessment Questionnaire (SAQ) on file, regardless of the method(s) used.

Any requests made through the Cashier’s Office will need time for processing and implementation; the time will vary based on the method selected.

You can review the allowable methods below or download the information. 

Overview: Why the process method matters

A Unit that accepts payment cards (credit or debit cards) is defined as a Merchant and must comply with the MSU Merchant Services Policy and all the applicable Payment Card Industry Data Security Standard (PCI DSS) requirements. All people, processes, systems, solutions, devices, and applications that are involved in processing payment cards are included in the scope of what needs to be compliant.

Compliance is easier and less costly to achieve and maintain when the processing method chosen is one which meets the business needs with the minimal scope. This approach will also reduce the University’s overall risk and effort to maintain compliance. Furthermore, compliance is evaluated at the University level such that noncompliance by one University location causes the entire University to be noncompliant.

Allowable methods of accepting payment cards

eCommerce, Centrally Supported Applications
  1. Cashnet
    1. Storefront – Customer transaction and payment page are both hosted on the Cashnet server.
    2. Checkout – Customer transaction is handed off to Cashnet at the point of payment. However, due to increased security risks, no new Checkout-type stores are allowed.
      1. Note: Effective November 1, 2016 with PCI DSS version 3.2, Cashnet Checkout stores are subject to more stringent requirements. Units with Checkout stores should try to convert to Cashnet Storefronts or begin securing their web apps and environment per PCI DSS version 3.2.1 immediately.
  2. Eventbrite
    1. Coming soon!  Contact the Cashier’s Office.

 

Card Present Stand-alone Card Terminals – for Face-to-Face and/or Mail/Phone Orders

  1. Applicable Environments
    1. Stand-alone dial-out card terminals.
    2. Appropriate for Merchants that process orders received via US mail, over the phone, or by fax.  Note that the fax machine must connect via a dedicated phone line; it cannot be on a network that is connected to the Internet.
    3. These are NOT smart devices with a dongle.  It must be a card terminal specifically built to only accept payment cards.
    4. Requires pre-approval from the MSU Cashier’s Office.
  2. Device Options
    1. PCI-Validated P2PE (Point-to-Point Encryption) Device
      1. Specially designed pre-approved card devices that operate on wireless or cellular transmission.
      2. A P2PE device is a card terminal specifically built to only accept payment cards.  The device can stand alone or connect to another device (e.g., PC, laptop, smart device).
      3. Requires pre-approval from MSU Cashier’s Office.
  3. Card Terminal (connected via Analog or Cellular)
    1. Stand-alone dial-out card terminal attached to an analog phone line or cellular plan. 
    2. Appropriate for Merchants that process orders received via US mail, over the phone, or by fax.  Note that the fax machine must connect via a dedicated phone line; it cannot be on a network that is connected to the Internet.
  4. Ethernet Card Terminal (connected via dedicated IP line)
    1. Must have a properly configured hardware firewall or connect to the centrally-managed VLAN.
    2. Requires pre-approval from the MSU Cashier’s Office.
    3. Contact the Cashier’s Office for acceptable models, line installation, and approval process. 
  5. Card Swipe Terminal (Loaner)
    1. Stand-alone terminals available to Merchants with intermittent, short-term volume.
    2. Optional models include P2PE, cellular, and analog.  Merchant must provide analog phone line if applicable.
    3. Available on a first-come, first-served basis for a small monthly fee.

Methods not allowed

  1. Wireless (Wi-Fi) – unless used with a pre-approved P2PE device.
  2. Smart phones, tablets, or any similar digital device.
  3. Any solution in which payment card data is entered by an MSU representative (employee, volunteer, etc.) on behalf of a customer/donor into an MSU-owned device connected to the Internet.
  4. MSU-owned device connected to the Internet that is offered to customers for the purpose of entering their own payment card data (e.g., kiosk).
  5. Any application/solution/service/device that is not specifically validated as being PCI compliant.
  6. Any other application/solution/service/device that has not been approved for general campus use by the MSU Controller’s Office or that is not listed in this document under Allowable Methods.