SECTION 17: Acceptance of Electronic and Online Payments

Last updated: February 2008

Introduction
Credit/Debit Cards
ACH
1. ACH Overview
2. Processing
Glossary of Terms

I. Introduction

Electronic payments are generally one of the most efficient means of receiving payment for goods or services provided. Administrative Information Services (AIS) has written a front-end application called webCredit to process both credit/debit cards and ACH (a direct debit to a customer's bank account). As with any business transaction, there are responsibilities and risks that a department assumes to ensure they receive the proper amount while adhering to contractual and/or legal regulations. These responsibilities vary depending on the method of payment. The two types of payments covered in this section, credit/debit cards and ACH, are governed by two very different sets of rules. While webCredit can accept both types of payments, only credit/debit cards can be accepted in-person. ACH transactions must be initiated online by the customer; they cannot be entered manually into webCredit. It is important to understand how the various rules and processing methods impact departmental procedures and accounting.

The Cashier's Office acts as a liaison, as needed, between the departments, the processing company and occasionally, the card companies. The Cashier's Office Manager can answer questions and help identify issues such as cost, processing options (online, swipe, software) and general procedures.

The decision of whether or not to accept credit/debit cards and/or ACH resides with each department. However, the Controller's Office must approve any new locations or applications.

Return to Top

II. Credit/Debit Cards

Payment Card Industry Data Security Standard
1. Effective 6/30/2005, all merchants must be PCI DSS compliant.
2. The PCI DSS was developed cooperatively by Visa and MasterCard. The PCI DSS provides specific framework for creating, maintaining and protecting a secure payment card environment. It has been endorsed and adopted by all the major card companies with which MSU does business. Pursuant to these agreements, MSU is contractually required to comply with the PCI DSS.
3. Each merchant is financially responsible for the cost of becoming compliant.
4. If a merchant is found to be noncompliant at the time of a breach, the card companies can impose large penalties. Each merchant is financially responsible for any penalties or costs associated with a breach.
5. Each merchant and webCredit location must complete an annual PCI Self-Assessment Questionnaire. There are several versions, so contact the Cashier's Office to determine which one is applicable.
6. The PCI DSS document and further information can be found at the PCI Security Standards Council.
7. Each merchant is strongly encouraged to review the not only the PCI DSS, but also the PCI DSS Security Audit Procedures, and the University Requirements for Merchant Units that Accept Payment Cards - PDF file.
8. MSU Classification of Merchant Card Processing Environments — Because some of the PCI DSS requirements only apply to certain card processing environments, MSU has defined two (2) types of card processing environments, based on the compliance efforts required for each.
  1. Simple Compliance — This includes merchants that do not store, process or transmit cardholder data electronically.
    1. Use of webCredit exclusively is considered a simple compliance environment if there is no other department-based electronic storage of payment card numbers.
  2. Complex Compliance — This includes merchants that do store, process or transmit cardholder data electronically on department-controlled desktops computers or servers.
    1. MERCHANTS MUST REQUEST CONTROLLER'S OFFICE APPROVAL BEFORE ENTERING INTO AN AGREEMENT TO USE ANY APPLICATION, SYSTEM OR PROCESS THAT INVOLVES ELECTRONIC STORAGE OR TRANSMISSION OF CARDHOLDER DATA.
9. Departments are required to complete a Merchant Request to Continue Accepting Payment Cards Agreement for each individual merchant number or webCredit location. A copy of the Agreement will be sent whenever a new merchant number or webCredit location is created. The Agreement must be signed by the Dean, Director, Chairperson, or Executive Manager and returned to the Cashier's Office.
10. The complete set of University polices and procedures for accepting payment cards can be found at University Requirements for Merchant Units that Accept Payment Cards - PDF file
Overview
1. Security — As a merchant, you accept responsibility for the accuracy and confidentiality of the information you and your staff collect in order to process a sale.
  1. Card numbers should not be stored unless there is a strong business need to do so.
  2. Requiring the Card Security Code (CSC) number is strongly encouraged.
  3. Storage of the CSC or the magnetic stripe data is strictly prohibited.
  4. Wireless — Use of wireless technology to process payment cards is strictly prohibited.
  5. E-mail — Sensitive cardholder data should not be sent via e-mail.
2. Revenue — The funds due MSU as a result of card sales are credited at gross directly to MSU's bank account. How the revenue is credited to the department's general ledger account depends on the processing method. With webCredit, the depositing step is done automatically as JVE 73. For non-webCredit activity, the department must submit the Batch Settlement Report with a Deposit Receipt to the Cashier's Office. The dollar amounts deposited must match exactly with the funds received at the bank.
  Note: Do not submit documentation to the Cashier's Office that includes card numbers.
3. Expense — Expenses associated with card sales are billed to MSU on a monthly basis. They will be charged to the departmental ledger account in the month following the date of the sales transactions (e.g., April fees will be on May ledgers). The ledger reference is JVE 74 for swipe merchants and JVE 75 for webCredit merchants.
4. Card Types — MSU presently has contracts with Visa, MasterCard, American Express and Discover. Debit cards with a Visa or MasterCard logo are also acceptable.
5. Rates — Current rate tables are posted on the Cashier's Office Internet site.
  1. American Express is about 2.50% and Discover is about 1.70%. There is also a minimal per transaction fee. As of 2/2005 it is $.20 for each transaction.
  2. The Visa and MasterCard rates vary depending on many factors, including (but not limited to) whether the card was swiped, address verification, credit versus debit, and how timely the transaction was settled after it was authorized.
  3. The Visa credit rates range from 1.50% - 3.00% plus $.15-$.20 per authorization. The Visa debit rates range from 1.00% - 2.00% plus $.25-$.40 per authorization.
  4. The MasterCard credit rates range from 1.70% - 3.00% plus $.15-$.20 per authorization. The MasterCard debit rates range from 1.00% - 2.00% plus $.25-$.50 per authorization.
6. Chargebacks — Chargebacks occur when the customer does not believe the original charge was valid and instructs/requests the card company to reverse it. The funds are deducted from MSU's bank account. The Cashier's Office will debit the departmental account accordingly. It is the department's responsibility to make other payment arrangements with the customer.
7. Credits (Returns) — When a refund is authorized for a customer, it should be processed as a refund to the same card that was used for the original purchase. Departments will receive partial refund of fees when they process a credit back to the customer. The refund is netted against all other fees on the monthly JVE to distribute fees.
8. Record Retention — Generally, there is no reason to store card numbers. If the department does store card numbers, the maximum recommended retention is 18 months.
9. Help — For questions related to accounting or getting started, call the Cashier's Office at 355-5023. For questions related to processing specific transactions, call the processor's Help Desk at 1-800-848-3213. For technical support regarding webCredit, call the AIS Help Desk at 353-4420, ext. 311.
10. Glossary — There is a glossary of terms at section IV.
Processing Options
1. Online (webCredit)
  1. Recommended Use — This is the preferred method for all applications except when the card is present.
  2. Set-up — Is done online. Go to webCredit and provide the requested information. You will need to know the Common Unit Code (MAU and department name) of the department for which you are setting up this new location. webCredit was created by and is maintained by AIS. For additional information on webCredit, go to webCredit information.
  3. Options — All information provided at set-up, except the Store Identifier, can be subsequently changed.
  4. Access — Once set-up is complete, the security administrator for that department must prepare an Access Request Memorandum (ARM) form to authorize users for that certain location. The form should be printed, signed and submitted to AIS.
  5. Activation — The new location is activated (ready to accept transactions) when the Cashier's Office assigns a location number.
  6. Operations/Training — AIS routinely schedules webCredit training sessions as new locations are added. Contact the AIS Help Desk at 353-4420, ext. 311 for information.
  7. Card Types — All card types are already set-up and available for each location. Put a check mark in front of each card type the department wants to accept. There is no reason not to accept all types. Debit cards with a Visa or MasterCard logo are acceptable.
  8. Sell-through versus Authorize — “Sell-through” means that the transaction will be automatically marked for settlement once it is authorized. The option to “authorize” means that the department must manually mark all the transactions. Which is preferable depends on the nature of the department's activity. Sell-through is good for stores that provide a service immediately after payment is made (e.g., access to online articles). Authorize helps avoid duplicate charges due to customer error. Card policy states that a cardholder should not be charged until the goods or services are provided.
  9. Card Security Code (CSC) — It is strongly recommended that each location require this information.
  10. Costs — For departmental locations, there are no start-up, supply or minimum monthly costs. The cost components are discount fees, online processor fees and AIS support fees. Costs are distributed to all active locations based on their relative share of gross sales for that month. Departments pay only for the months in which they actually use webCredit and have gross sales activity. For budgeting purposes, the cost averages 2.5-3.0% of gross sales.
  11. Revenue — Revenue is automatically credited to the department's account for every day that transactions are processed on webCredit. The ledger reference is JVE 73 and the ledger description will indicate the location number. The location number is included so that it can be distinguished from other activities if there are multiple locations crediting revenue to the same ledger account. There is only one account per location, but there can be several locations going to the same account. The revenue account and revenue object code are provided during set-up, but can be changed at any time by anyone with access to change the store's configuration (referred to as Store Manager on the ARM form).
  12. Expense JVE — Expenses are charged to the departmental account on a monthly basis and appear on the ledger in the month following the sales activity to which the expenses apply. The ledger reference is JVE 75 and the ledger description will indicate the month and the location number. Just as with the revenue account, there is only one account per location, but there can be several locations using the same account for expenses.
2. Swipe (Electronic)
  1. Recommended Use — Preferred method only when card is present. Departments that process orders received via mail, phone or Internet should use webCredit.
  2. Set-up — Supply the following information to the Cashier's Office Manager via email, fax: 353-9640, or mail: 110 Administration Building.
    1. Brief description of business/sales that will be processed using credit cards.
    2. Contact person's name, mailing address, phone number and email address.
    3. MSU account number that will be charged for all applicable fees.
    4. A "best guess" as to whether the majority of the sales will have the credit card present or not (i.e., mail or phone orders).
    5. An estimate of the anticipated annual dollar volume.
    6. An estimate of the average individual transaction amount.
    7. Indicate whether department also wants to accept American Express and/or Discover. The standard set-up includes only Visa and MasterCard. Requesting American Express and/or Visa adds a few extra days to the start-up process. Please note that there are additional deposit procedures related to these two card types. See item II.C.2.h.for more information.
  3. Activation — The Cashier's Office staff will forward this information to the processor who then assigns a new merchant number. The hardware and instruction manuals will be sent directly to the requesting department, usually within two weeks. The department must contact the processing company at 1-800-848-3213 to activate the new merchant number on his machine.
  4. Operations — An operating manual will be sent to each merchant. It is important that each person who will process payments read the merchant's operating manual.
  5. Card Types — The basic machine will come programmed with only Visa and MasterCard. This includes regular credit cards and debit cards with the Visa or MasterCard logo. American Express and Discover must be specifically requested. If you choose to accept American Express and/or Discover:
    1. There is a programming fee (currently $25) if added after the initial set-up of the machine.
    2. American Express and Discover are processed separately and credited to MSU's bank account in a different manner than Visa and MasterCard.
    3. Departments must manually note the (Visa + MasterCard) combined total on the Batch Settlement Report. The American Express and Discover totals will already be listed separately.
    4. If a department has more than one terminal, they must include an adding machine tape of all terminals with the same date with separate totals for American Express and Discover.
  6. Costs — Charged to departmental account in the month subsequent to when incurred.
    1. Hardware — An Electronic Data Capture machine costs about $600.
    2. Supplies — Department should call 1-800-848-3213 to order paper supplies.
    3. Discount Fees — Comprised of a percentage and a fixed, per transaction fee. See section II.B.5. above.
  7. Revenue
    1. The department must settle and transmit a Batch Summary Report each day. The gross sales revenue is credited (deposited) directly into MSU's general operating bank account.
    2. To ensure that the sales revenue is allocated to the appropriate MSU ledger account, the department must submit a copy of the Batch Settlement Report with a Deposit Receipt form (see MBP, Vol. I, Section 15, exhibit 15-A) to the Cashier's Office.
  8. Revenue Detail
    1. Please note: a Transaction Total Report is not acceptable. If necessary, a copy of the Batch Settlement Report can be requested from the processing company at 1-800-848-3213.
    2. All documentation used for depositing purposes must include the Location #, Batch #, Date and Amount. These four items must be hand-written directly on the Batch Settlement Report if not automatically printed on the report.
    3. For departments accepting American Express and/or Discover, departments must manually note the (Visa + MasterCard) combined total on the Batch Settlement Report. The American Express and Discover totals will already be listed separately.
    4. For departments accepting American Express and/or Discover AND having more than one terminal, an adding machine tape of all terminals with the same date with separate totals for American Express and Discover must be included.
  9. Negative Revenue
    1. In the event that a particular Batch Settlement Report has a net credit (negative revenue), it should be submitted on the Departmental Deposit form with other positive revenue sources to offset it. The net revenue posted to any single account number on the top portion of the Departmental Deposit form must be a positive amount.
    2. If this is not possible, the net credit Batch Settlement Report (without a Departmental Deposit form) should be sent directly to the Cashier's Office Supervisor at 110 Administration Building. A Cash Paid-Out (CPO) entry will be created and a copy sent back to the department.
  10. Expense JVE — For all the costs listed in II.B.3.above.
    1. It will appear on departmental ledgers as JVE 74.
    2. An electronic version will be emailed to all departmental contacts. Contact the Office of Financial Analysis (353-9259) for questions about the expense JVE.
3. Software
  1. Departments may use purchased software to capture credit/debit card information. Most applications can interface with MSU's existing provider, but it is not required.
  2. All documentation used for depositing purposes must include the Location #, Batch #, Date and Amount, properly segregated by Visa and MasterCard combined, American Express and Discover.
  3. Contact the Cashier's Office manager for additional information.
4. Loaner Machines
  1. There are occasions when a department has a limited need for accepting credit cards in-person; for example, onsite registration for a one-time only or once-a-year conference. In cases where webCredit is not feasible, the Cashier's Office has two loaner machines available on a first-come-first-serve basis.
  2. There is $20 per month charge for use of the machine and the department is responsible for the discount fees. These fees will be included on the monthly JVE. Contact the Cashier's Office regarding machine availability and the sign-out process.
  3. The department is responsible for settling the transactions and submitting a Deposit Receipt to the Cashier's Office.
  4. The department is responsible for any chargebacks that result from transactions that were processed during the time it was borrowed. A Cash Paid-Out (CPO) entry will be created and a copy sent to the department.

Return to Top

III. ACH

Overview
1. Rules — Federal regulations direct how the banking system manages the ACH process, which in turn determines MSU's procedures.
2. Online Only — ACH acceptance is available online only through webCredit. Departmental staff cannot get the banking information over the phone or in the mail and then enter it for the customer. For additional information on webCredit.
3. Availability — Unlike credit/debit cards, an ACH transaction does not verify the availability of funds before processing the request and giving the seller credit. ACHs are treated the same as paper checks; that is, the funds are not truly valid until the ACH clears the issuer's bank account.
4. Revenue — The funds due MSU as a result of ACH sales are credited directly to MSU's bank account. The revenue is credited to the department's general ledger as JVE 80 via webCredit. There will be a JVE for each business day that an ACH batch is sent to MSU's bank.
5. Cost — The cost to process ACHs is minimal and centrally funded. There is no cost to departments.
6. Help — For questions related to accounting or getting started, call the Cashier's Office at 355-5023. For technical support regarding webCredit, call the AIS Help Desk at 353-4420, ext. 311.
7. Glossary — There is a glossary of terms at section IV.
Processing
1. Set-up — Is done within webCredit
  1. After a location is established (see instructions at section II.C.1.b. above) then someone with Store Manager access needs to go to the screen under Configuration, Finance.
  2. Click on the box in front of ACH, for “Payment Methods Accepted.”
  3. Provide a meaningful 8-character “ACH Description.”
2. Marking — Departmental staff must manually click on each ACH transaction for further processing.
3. Batch Processing — Every business day by 5pm, the Controller's Office will create an outgoing ACH batch of all marked transactions.
4. Operations/Training — AIS routinely schedules webCredit training sessions as new locations are added. Contact the AIS Help Desk at 353-4420, ext. 311 for information.

Return to Top

IV. Glossary of Terms

ACH — Actual initials stand for Automated Clearing House; however, the name is used here for a debit to a customer's bank account that is batched with similar transactions and sent to MSU's bank for automated processing similar to paper checks.

Authorized — The status of a credit/debit card transaction that has been approved by the processor for the amount requested.

Batch — One or more credit/debit card transactions grouped for settlement.

Batch Settlement Report — The report generated by a swipe machine after a credit/debit card batch has been successfully transmitted to the processor. Required by Cashier's Office as proof of deposit.

Card Company (or Association) — Visa, MasterCard, American Express or Discover

Card Processing Company (Processor) — Third-party provider that receives settled batch data from merchants and forwards it to the appropriate card companies (e.g., Visa, MC)

Cardholder — The customer; the person whose name appears on the card being used to purchase goods or services.

Chargeback — A transaction generated by the card company at the customer's request to take money out of MSU's bank account and return it to the cardholder.

Credit — A credit/debit card transaction generated by the merchant to return some or all of the original purchase amount back to the cardholder.

CSC — Customer (or Card) Security Code. The additional 3-4 digits usually on the back of a card (on front of American Express) that is not part of the card number. May also be referred to as CCC, CSSC or CVC. Used to minimize fraud.

Debit Card — Cards with the Visa or MasterCard logo are accepted and processed the same as credit cards.

Discount Fees — The fees a merchant pays to the credit card processing company for the service of processing credit/debit card transactions. Generally comprised of both variable (percentage) and fixed (per transaction) fee components. Generally stated as an “add-on” to the interchange rates.

Interchange Rates — The fees established by Visa and MasterCard for the service of paying the merchant immediately while extending credit to cardholders. Generally comprised of both variable (percentage) and fixed (per transaction) fee components.

Location — In webCredit, refers to a certain activity that the department defines. Each location is identified by a unique “store identifier” and is assigned a unique “location number” by the Cashier's Office. Same as “store.”

Mark — In webCredit, the act of identifying an authorized transaction for settlement. Can be manual or automatic for credit/debit cards and ACH.

Merchant — Any department that accepts credit cards, identified by a unique number that has been assigned by the credit card processing company via the Cashier's Office.

Merchant Number — The number assigned by a card company that uniquely identifies a specific location. In webCredit, there is one shared merchant number for all locations. Swipe merchants have individual merchant numbers for each swipe location. Visa and MasterCard share the same merchant number, but American Express and Discover issue separate merchant numbers.

Pending — In webCredit, the status of a transaction that has been authorized and marked but not yet settled.

Processor — See Card Processing Company

Settled — The status of a transaction once the card processing company has processed it. Could refer to a sale or a credit transaction. Settled transactions are those that will show on the cardholder's monthly statement.

Status (of credit/debit card or ACH transaction) — Can be authorized, pending, settled or void.

Store — In webCredit, same as location.

Store Identifier — A unique code name assigned to each store or location. It is comprised of the Common Unit Code and a 2-4 character name selected by the department.

Terminal — Another name for the electronic data capture machine or an individual PC on an automated software application.

Terminal Number — Each terminal is assigned a unique number by the card processor that is printed on receipts and reports so that transactions can be traced back to a specific terminal.

Transmit — The act of sending credit/debit card batch data for settlement.

Void — The status of a transaction that has been canceled prior to settlement. Voided transactions will not appear on the cardholder's monthly statement. Voiding is not an option after a transaction has settled.

webCredit — The front-end credit/debit card and ACH processing application written and maintained by AIS.

Return to Top