Please download the attached word file and submit via SNOW
BUS49 Evaluation Instructions – Please carefully review the info below prior to completing questionnaire
This document is an evaluation for prospective units asking for authorization to accept cards payments. It describes conditions and requirements for a merchant using a P2PE device and P2PE processing.
Credit cards payments processing information can be accessed on Blink: http://blink.ucsd.edu/finance/cash/credit-debit-cards/index.html
UCSD policy governing cards processing is PPM 300-86
Prior to authorizing a campus unit to accept credit or debit card payments, to become a ‘merchant’, current policies require the evaluation of the points below. (BUS-49, UC Policy for Cash and Cash Equivalents Received).
· Regardless of the method of payment selected, cardholder data –CHD- (card number, cardholder’s name, address, expiration date, card authentication code, etc.) cannot be stored in electronic format. If required by the business process and on a need-to-know basis only the last four digits of the card can be stored in paper. Paper containing CHD must be shredded immediately.
· At all times, merchants are mandated to comply with Payment Card Industry Data Security Standards (PCI-DSS), Payment Application Data Security Standard (PCI-PA DSS), PIN Transaction Security (PCI-PTS), with UCSD Network Security Policy (specific questions about network security issues should be directed to firstname.lastname@example.org, (858) 534-1857).
· For Card Present Data –face to face-; and/or for key-entering of Card Not Present data –Mail Orders or Telephone Orders (MOTO). P2PE APPROVED DEVICES, P2PE processing.
· Data received by fax, email or text messages cannot be accepted or processed.
· The merchant never stores credit card data in electronic formats.
Card readers: Point to Point Encryption (P2PE) provided by BlueFin Systems requires compatible card readers. For card present or MOTO processing the P2PE approved terminal is PAX S500 (cost of device $304.00, plus $35.00 one-time encryption key injection). Monthly cost of P2PE-Bluefin processing is $25.00 per device.
This terminal connects via Internet, using an Ethernet jack. https://www.bluefin.com/about/resources/p2pe-devices/pax-s500/
PCI-DSS validation and certification requirements:
· The cost of the annual validation of compliance will be determined when enrolling the merchant in the University’s Qualified Security Advisor (QSA)/Approved Scanning Vendor (ASV) tracking and attestation tool.
PCI-DSS version 3.2. revision 1.1. annual validation requirements:
Merchant using P2PE processing are required to complete a Self Assessment Questionnaire (SAQ) TYPE P2PE of 33 questions
Payment Card Industry Data Security Standards (PCI-DSS). In addition to UCSD network and computer security requirements (UCSD Network Security Policy), the merchant is mandated to maintain compliance with PCI-DSS requirements. Periodically, merchants are required to validate and certify that they have security around credit card processing and are responsible protecting personal credit card information. Third parties providers of services that collect, process, store, or transmit credit card data must be compliant with PCI-DSS requirements.
(PCI-DSS), signer of this document is notified and agree to be bound by PCI-DSS requirements.
In your responses, please provide detailed descriptions of processes, resources, estimates, procedures, antecedents, funding, etc.
1.) Method of Payment - Please describe handling, protection of storage and disposition of paper containing CHD.
2.) Describe services and/or goods for accepting credit cards payments.
3.) Cost-benefit Analysis (explain). Is the volume of transactions sufficient to justify the costs of offering payment by credit or debit card?
Cost-benefit Analysis - Some estimated costs are:
1. P2PE processing costs $25.00 monthly per device.
2. For any method of payment, card and bank charges are 2.30% (average) of each transaction.
3. PCI-DSS annual validation, third-party charges, cost will be determined when the merchant is enrolled in the UC’s
4. QSA/ASV attestation tool. For a SAQ P2PE merchant estimated charges are around $500.00/year.
4.) Also, provide detailed explanation of the source of funding to absorb the cost of processing credit cards. Please include the Oracle fund number.
5.) Business Process. Is the unit able to develop and maintain a business process that provides a secure and controlled environment for the handling of credit and debit cards according with current policies and procedures? For example, are procedures in place to protect personal, sensitive information from disclosures, including compliance with the state privacy standards (California Civil Code §§1798.29 and 1798.82) and similar regulatory requirements?
Accounting of credit cards transactions.
It is the responsibility of the department to process receipts to clear the balance in the clearing account for authorized and settled transactions originated in the sale of services or goods. It is recommended to reconcile transactions and prepare Oracle receipts on a weekly basis.
The ARCO team will also record charges and fees originated by credit cards activities to the departments OFC chart string.
Reconciliation reports and certification of this asset account must be sent, quarterly, to General Accounting (Balance Sheet Control Coordination, mail code 0953).
· Will the business process include capabilities to capture and provide transactions data for the timely and accurate record keeping and reconciliation of transactions? Business Process (explain):
Important. Opening a merchant account will take approximately 15 to 20 business days, since the approval of the request.
ARCO Merchant Services wil perform the necessary steps for setting up merchant numbers and an Authorize.net account if needed.
Relationships with third party providers and technical and systems matters are responsibility of the merchant; i.e. webpage design or development, contracting issues with third-parties, connectivity or interface issues with the Internet payment gateway, systems/servers operation and maintenance, compliance with data security requirements, etc.
Authorized Signature (requesting department):
Email the completed Evaluation BUS49 to Aurea Webb (email@example.com) Thank you.