Payment Card Processing – Swipe and Web specifics.
- Swipe terminals are typically used for face-to-face transactions and utilize a hard-wired phone connection. Swipe terminals may also be used to manually enter mail order or telephone order transactions, where your customer is registering for an event or function, and the department does not have a website that accepts registrations or payments. A swipe terminal is the most secure method of transmitting cardholder data and the cost of the machine is minimal. The security issue with using swipe terminals is protecting the customer’s account number from exposure and misuse.
- Website development and design is a departmental responsibility. Typically, the website will supply information about the event or products. The department can also opt to collect registration information on their site, process this information, and provide reports to the department or choose E-Pay @UVA to collect the registration information (see What is a Merchant Account). In order to comply with PCI standards, the application must NOT capture, store or transmit the actual credit card number. This function is managed through the website’s connection to the University Gateway (E-Pay @ UVA) or your third-party provider.
- If the resources to develop a departmental website do not exist at the department level, please see "What other options do I have for a website, registrations or payment card processing?" for options.
- Wireless/cellular terminals obtained through our Processor, Elavon, can be used for remote, day of check-in events. There are additional security considerations that must be satisfied to protect cardholder equipment/data.
- You must maintain a chain of custody document for each terminal. Non-employees should not be allowed to use wireless terminals because they have not gone through the background checks that are required for employees, nor are they bonded or insured. For more information, please contact Payment Card Services.
- Mobile options using a P2PE (point-to-point encrypted) swipe terminal and a SMART device may currently be available through a third-party provider. A mobile solution with a SMART device is currently not available through UVA. Consult Payment Card Services for assistance: once the mobile solution issues are resolved, the collection of personal data at an event by a third party then becomes an issue.
  - The dongle is compliant, but consider the smart device that it is plugged into: when the dongle fails and you revert to the app on your smart device, all bets are off and you are in an unsecure environment. Read the articles below.
- Please review:
- Accepting Mobile Payments with a Smartphone or Tablet
- Securing Account Data with the PCI Point-to-Point Encryption Standard
- CampusGuard News – Mobile Payment Technologies: Balancing Security with Convenience
- CampusGuard News – Mobile Device Security
The other issue is a policy one concerning collection and depositing of funds into a University bank account for University Funds. Square wants personal data and bank account information.
- PayPal/Cvent/Eventbrite/Contracted Event Vendors: University and University-related merchants are NOT currently permitted to utilize services such as PayPal or other third-party credit card service providers without authorization from Payment Card Services.
- These types of relationships usually utilize click-through agreements. These agreements are contracts and they may contain language that is prohibited by State statutes. PayPal has thus far refused to negotiate with Procurement Services to revise the language. PayPal-Payflow Pro may be allowed in certain situations. Please contact Payment Card Services for information.
- These same barriers may exist with other third-party negotiations. These issues, as well as security and PCI compliance, make contracting with third parties difficult.