There are a number of options available for processing credit card transactions for your unit, including Web-based and desktop applications, point of sale (POS) devices, and off-site options. Each type of processing requires different types of equipment, which can be rented or purchased.
All equipment orders must come through the Cash Management Office (CMO), who is available to discuss costs with you before you order.
About Wireless Devices
Currently, Elavon offers the Sprint network for wireless rentals and/or purchases. (Wireless international terminals are available for purchase only.) Sprint has very limited coverage in the Ithaca area, especially in many places around our campus. Several locations were tested to validate this statement. The CMO has contracted through Elavon with another provider of POS terminals for the Verizon network; this product is only available as a purchase, accompanied by a one-year contract with Verizon. It would be wise to consult with the CMO before making a decision on what wireless option would be the best choice for your operations.
When ordering, you must provide your name, the unit's name and mailing address, and the account number to charge.
Units are responsible for all charges associated with processing credit cards. Discount rates are negotiated by the CMO for the Cornell community. Equipment and software costs are charged at the end of the month to the appropriate MID on the same journal that posts transactions fees to the unit's general ledger account.
You may use credit card readers to process credit card transactions in a point-of-sale (card present) environment or for processing transaction requests received by other means, such as online or by phone.
There are three types of credit card readers, all of which have card swipe, key pad entry, and printer/receipt capabilities.
For a list of approved, PCI-compliant card readers, see the Elavon website.
For information on proper handling and security measures for using credit card readers, see the “Procedures, Ithaca Campus - Methods of Processing Transactions,” section of University Policy 3.17, Accepting Credit Cards to Conduct University Business.
For proper procedure on disposing of old card reader equipment, contact the CMO.
This is the required method for credit card orders received through the internet. Our preferred hosted payment solution is Elavon’s Virtual Merchant.
Virtual Merchant is a complete, hosted payment solution for face-to-face and e-commerce transactions. Easy to use and economical, Virtual Merchant efficiently and cost-effectively processes payments through your Internet-connected PC. All payment information is hosted and stored by Elavon, minimizing your data security and association compliance concerns. It also integrates with multiple shopping cart applications for e-commerce environments.
With Virtual Merchant, you can view pending and settled batches, and credit settled transactions using the “Return” feature while viewing an individual transaction. The CMO can also grant access to approved staff for viewing pending and settled batches.
Contact the CMO to have Virtual Merchant processing setup for your MID(s). You will first be set up with a test account to build and test your process. When you are ready, your MID(s) will be given production access.
If a desktop system is used to process credit card transactions, that system is considered in-scope for PCI. Therefore, the system must conform to all PCI DSS requirements. The desktop system must be dedicated to processing credit cards and cannot perform any other role.
To satisfy the network and monitoring requirements, all desktop systems must reside behind the central PCI-compliant network. The system will be firewalled on that network, and the traffic will be monitored according to the DSS. T he IT Security Office (ITSO) will assign an address in RFC1918 address space to all systems connected to the network. The addresses will be obfuscated via Network Address Translation (NATing) and its traffic will be filtered to allow the system to communicate only with the specific resources required to perform credit card transactions.
Only systems involved in credit card processing will exist on this network. The systems cannot be part of an out-of-scope, active-directory domain; a managed AV environment; or any other management infrastructure.
When a new system needs to be provisioned, the department provisioning the system will contact ITSO to request a new PCI-compliant subnet. The exact network architecture needed will be decided, and based on that discussion, provisioning of a firewall to link the new subnet into the PCI-compliant network will occur. The department is responsible for any costs involved in obtaining the firewall or creating or modifying the network infrastructure.
Cornell University has contracted with Tompkins Trust Company to provide lockbox services for units that have a large volume of incoming remittances and/or limited staff, which makes segregation of duties difficult and/or impossible. Credit card payments are processed at the bank in a PCI-compliant environment. Units are encouraged to use this service for customers that are still mailing in payments to the university. The lockbox staff will process a unit’s remittances daily, and at the end of processing each day, will provide a PDF file to the unit that contains all processed material. No prohibited information will be included in this PDF file. Display of credit card numbers will be limited to the first four and last four digits for identification purposes. All refunds will be processed by the bank.
If a unit chooses to engage the services of a third-party vendor to store, process or transmit cardholder data...
For additional information on credit card processing via secure Web sites, see the “Procedures, Ithaca Campus - Methods of Processing Transactions” section of University Policy 3.17, Accepting Credit Cards to Conduct University Business.
Understand that you can outsource your processing, but you cannot outsource your liability.