

Choosing a Processing Option

There are a number of options available for processing credit card transactions for your unit, including Web-based and desktop applications, point of sale (POS) devices, and off-site options. Each type of processing requires different types of equipment, which can be rented or purchased. 

All equipment orders must come through the Cash Management Office (CMO), who is available to discuss costs with you before you order.

About Wireless Devices

Currently, Elavon offers the Sprint network for wireless rentals and/or purchases. (Wireless international terminals are available for purchase only.) Sprint has very limited coverage in the Ithaca area, especially in many places around our campus. Several locations were tested to validate this statement. The CMO has contracted through Elavon with another provider of POS terminals for the Verizon network; this product is only available as a purchase, accompanied by a one-year contract with Verizon. It would be wise to consult with the CMO before making a decision on what wireless option would be the best choice for your operations.

Ordering Schedule

When ordering, you must provide your name, the unit's name and mailing address, and the account number to charge.

  • For Merchant IDs (MIDs), allow three weeks. If you're ordering an MID for a Web site, make sure that the site is available to be reviewed; this is an Elavon requirement before they can issue a Web MID
  • For POS terminals, allow 1-2 weeks
  • For POS terminals with the Verizon network, allow 3-4 weeks, minimum


Fees

Units are responsible for all charges associated with processing credit cards. Discount rates are negotiated by the CMO for the Cornell community. Equipment and software costs are charged at the end of the month to the appropriate MID on the same journal that posts transactions fees to the unit's general ledger account.


Options

Card Reader Devices

You may use credit card readers to process credit card transactions in a point-of-sale (card present) environment or for processing transaction requests received by other means, such as online or by phone.

There are three types of credit card readers, all of which have card swipe, key pad entry, and printer/receipt capabilities.

Phone-Based/Dial-Up

  • Rental or purchase options
  • Can be set up for one or multiple MIDs

IP-Based

  • Rental or purchase options
  • Set up to work over the Internet
  • Must be attached to the CIT-supplied firewall box

Cellular

  • Rental or purchase options
  • Uses the Verizon data network (requires a monthly fee)
  • Models for domestic and worldwide use

For a list of approved, PCI-compliant card readers, see the Elavon Web site.

For information on proper handling and security measures for using credit card readers, see the “Procedures, Ithaca Campus - Methods of Processing Transactions,” section of University Policy 3.17, Accepting Credit Cards to Conduct University Business.

Disposing of Old Card Reader Equipment

For proper procedure on disposing of old card reader equipment, contact the CMO.


Secure Web Site

This is the required method for credit card orders received through the internet. Our preferred hosted payment solution is Elavon’s Virtual Merchant.

Virtual Merchant is a complete, hosted payment solution for face-to-face and e-commerce transactions. Easy to use and economical, Virtual Merchant efficiently and cost-effectively processes payments through your Internet-connected PC. All payment information is hosted and stored by Elavon, minimizing your data security and association compliance concerns. It also integrates with multiple shopping cart applications for e-commerce environments.

With Virtual Merchant, you can view pending and settled batches, and credit settled transactions using the “Return” feature while viewing an individual transaction. The CMO can also grant access to approved staff for viewing pending and settled batches.

Setup Information

Contact the CMO to have Virtual Merchant processing set up for your MID(s). You will first be set up with a test account to build and test your process. When you are ready, your MID(s) will be given production access.

Notes:

  • If Cornell staff members or representatives are processing credit card transactions on behalf of customers, units are required to place the Web server and desktop systems used to perform those transactions on a PCI-compliant network. The Cornell IT Security Office maintains such a network and will advise and assist departments to utilize that network or create and maintain their own network. Any desktop systems used must contain only software required for credit card processing; no other applications or software are allowed on the desktop systems.
  • If Virtual Merchant does not allow for the type of processing that your unit’s business rules dictate, contact the CMO for approved alternatives.
  • You may contract with approved vendors to develop your secure Web site; however, refer to the Third-Party Solutions section for details on the required steps before engaging in such a business relationship.

Cost

  • One-time setup fee of $149
  • Ongoing, monthly processing fee of $12.50


Desktop Systems

If a desktop system is used to process credit card transactions, that system is considered in-scope for PCI. Therefore, the system must conform to all PCI DSS requirements. The desktop system must be dedicated to processing credit cards and cannot perform any other role.

To satisfy the network and monitoring requirements, all desktop systems must reside behind the central PCI-compliant network. The system will be firewalled on that network, and the traffic will be monitored according to the DSS. The IT Security Office (ITSO) will assign an address in RFC 1918 address space to all systems connected to the network. The addresses will be hidden behind Network Address Translation (NAT), and each system's traffic will be filtered so that it can communicate only with the specific resources required to perform credit card transactions.

Only systems involved in credit card processing will exist on this network. The systems cannot be part of an out-of-scope Active Directory domain, a managed antivirus environment, or any other management infrastructure.

When a new system needs to be provisioned, the department provisioning the system will contact ITSO to request a new PCI-compliant subnet. The exact network architecture needed will be decided, and based on that discussion, provisioning of a firewall to link the new subnet into the PCI-compliant network will occur. The department is responsible for any costs involved in obtaining the firewall or creating or modifying the network infrastructure.

Desktop Requirements

  • Antivirus software that is updated regularly
  • Firewall software, either the default firewall included with the operating system or a third-party package
  • Intrusion detection software (can be coupled with the firewall software)
  • Integrity monitoring software, such as Tripwire, that is monitoring critical system files

Additional Requirements

  • System passwords must conform to the rules stated in University Policy 3.17, Accepting Credit Cards to Conduct University Business.
  • Operating systems and applications must be regularly updated with vendor-supplied critical security patches within one month of the patches being published. All patches are tested before they are deployed. 
  • Any system used to process credit card transactions must be dedicated to processing credit cards. These systems must not be used as general productivity systems.
  • Access to the system must be restricted only to those staff members whose job requires such access.
  • Physical security to the system must be restricted and monitored.
  • System logging must be enabled and reviewed regularly. For example, for Windows systems, the System, Application, and Security logs are all enabled. The audit history must be maintained for one year, with at least three months available for immediate analysis.
  • System clocks must be synchronized via Network Time Protocol (NTP).
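The desktop requirements above are auditable, and the numeric ones (one-month patch window, one year of audit history with three months online, NTP) are easy to get wrong at the edges. The script below is an added example, not a tool from the CMO, ITSO or Elavon: it evaluates a constructed, hypothetical posture snapshot of one dedicated card-processing desktop against the requirements as this page states them, and it caps the expected log depth at the system's own age so a freshly provisioned host is not flagged for history it could not yet have.

```python
from dataclasses import dataclass
from datetime import date
PATCH_WINDOW_DAYS = 30    # critical patches applied within one month of publication
LOG_RETENTION_DAYS = 365  # audit history kept for one year
LOG_ONLINE_DAYS = 90      # at least three months available for immediate analysis
REQUIRED_LOGS = {"System", "Application", "Security"}  # the Windows logs the page names

@dataclass
class HostEvidence:
    """Constructed posture snapshot of one card-processing desktop (hypothetical data)."""
    commissioned: date          # day the system joined the PCI subnet
    installed_software: set     # everything found on the host
    allowed_software: set       # only the card-processing software is permitted
    enabled_logs: set
    oldest_online_log: date     # oldest entry still searchable on the host
    oldest_archived_log: date   # oldest entry still held in the archive
    pending_patches: dict       # unapplied critical patch id -> vendor publish date
    ntp_synced: bool

def audit(host, today):
    """Return one finding per requirement the host fails; an empty list means clean."""
    findings = []
    age = (today - host.commissioned).days
    extra = host.installed_software - host.allowed_software
    if extra:
        findings.append(f"non-processing software present: {sorted(extra)}")
    missing = REQUIRED_LOGS - host.enabled_logs
    if missing:
        findings.append(f"logs not enabled: {sorted(missing)}")
    # A host cannot hold more history than its own age, so the expected depth is
    # capped at the age to avoid flagging a freshly provisioned system.
    online = (today - host.oldest_online_log).days
    if online < min(LOG_ONLINE_DAYS, age):
        findings.append(f"only {online} days of logs online; {LOG_ONLINE_DAYS} required")
    archived = (today - host.oldest_archived_log).days
    if archived < min(LOG_RETENTION_DAYS, age):
        findings.append(f"only {archived} days retained; {LOG_RETENTION_DAYS} required")
    for patch_id, published in host.pending_patches.items():
        overdue = (today - published).days - PATCH_WINDOW_DAYS
        if overdue > 0:
            findings.append(f"patch {patch_id} is {overdue} days past the one-month window")
    if not host.ntp_synced:
        findings.append("clock not synchronized via NTP")
    return findings

# Constructed sample: a two-year-old desktop with an office suite installed and one stale patch
SAMPLE = HostEvidence(
    commissioned=date(2022, 1, 10), ntp_synced=True,
    installed_software={"CardProcessingClient", "OfficeSuite"}, allowed_software={"CardProcessingClient"},
    enabled_logs=REQUIRED_LOGS, oldest_online_log=date(2023, 9, 1), oldest_archived_log=date(2022, 1, 10),
    pending_patches={"PATCH-A": date(2023, 10, 15), "PATCH-B": date(2023, 12, 20)})
```

Running `audit(SAMPLE, date(2024, 1, 5))` reports the office suite and the patch that is 52 days past its window; the software and log names are placeholders for whatever the unit's inventory actually shows.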


Lockbox Processing

Cornell University has contracted with Tompkins Trust Company to provide lockbox services for units that have a large volume of incoming remittances and/or limited staff, which makes segregation of duties difficult and/or impossible. Credit card payments are processed at the bank in a PCI-compliant environment. Units are encouraged to use this service for customers that are still mailing in payments to the university. The lockbox staff will process a unit’s remittances daily, and at the end of processing each day, will provide a PDF file to the unit that contains all processed material. No prohibited information will be included in this PDF file. Display of credit card numbers will be limited to the first four and last four digits for identification purposes. All refunds will be processed by the bank.

Forms


Third Party Solutions

If a unit chooses to engage the services of a third-party vendor to store, process or transmit cardholder data...

  • The vendor must be on the PCI list of approved vendors
  • The unit must consult first with the CMO so that the CMO can review and approve the unit's reasons for using a vendor that is not our preferred provider.
  • The unit must obtain a Report on Compliance (ROC) from the vendor before any contract is signed, and thereafter collect an ROC each year when they are recertified. This document must be kept on file for audit purposes and a copy must be remitted to the CMO annually.
  • Supply Management Services (SMS) must review and approve all contracts. SMS will make certain that the contract has protective language in the event of a compromise and/or a failure on the vendor's part to recertify during the terms of the existing contract.

For additional information on credit card processing via secure Web sites, see the “Procedures, Ithaca Campus - Methods of Processing Transactions” section of University Policy 3.17, Accepting Credit Cards to Conduct University Business.

Understand that you can outsource your processing, but you cannot outsource your liability.
