Michigan State University
Controller's Office

305 Administration Bldg
East Lansing, MI 48824
517 355-5020

SECTION 17:  Acceptance of Electronic and Online Payments EBS

Last updated: December 2010

I. Introduction

Electronic payments are generally one of the most efficient means of receiving payment for goods or services provided. As with any business transaction, there are responsibilities and risks that a department assumes to ensure it receives the proper amount while adhering to contractual and/or legal regulations. These responsibilities vary depending on the method of payment. The two types of payments covered in this section, payment (credit/debit) cards and ACH, are governed by two very different sets of rules. Both types of payments can be accepted online; however, only payment cards can be accepted in person, over the phone or through the mail. It is important to understand how the various rules and processing methods impact departmental procedures and accounting.

The Cashier’s Office acts as a liaison, as needed, between the departments, the processing company and occasionally, the card companies. The decision of whether or not to accept payment cards and/or ACH resides with each department. The Cashier’s Office Manager can answer questions and help identify issues such as cost, processing options (online, swipe, software) and general procedures.

The decision whether to accept payment cards and/or ACH resides with each department. However, the Controller’s Office must approve any new locations or applications.

II. Payment (Credit/Debit) Cards

  1. Payment Card Industry Data Security Standard
    1. Effective 6/30/2005, all merchants must be PCI DSS compliant.
    2. The PCI DSS was developed cooperatively by Visa and MasterCard. The PCI DSS provides a specific framework for creating, maintaining and protecting a secure payment card environment. It has been endorsed and adopted by all the major card companies with which MSU does business. Pursuant to these agreements, MSU is contractually required to comply with the PCI DSS.
    3. Each merchant is financially responsible for the cost of becoming compliant.
    4. If a Merchant is found to be noncompliant at the time of a breach, the card companies can impose large penalties. Each Merchant is financially responsible for any penalties or costs associated with a breach.
    5. The PCI DSS document and additional information can be found at the PCI Security Standards Council.
    6. Each Merchant is strongly encouraged to review the PCI DSS.
    7. Merchant Agreement – Each Merchant is required to complete a Merchant Agreement for each Merchant or Location in the Central Online Application. The Agreement will be provided by the Cashier’s Office. It must be signed by the Dean, Director, Chairperson or Executive Manager and returned to the Cashier’s Office.
    8. Employee Security Statement – Merchant must require each person with access to cardholder data (employee, volunteer, etc.) to verify in writing that they understand and accept responsibility for the cardholder data. A sample form can be found on the Cashier’s Office homepage.
    9. Assisted Payments – Assisted Payments occur when a staff member enters card numbers into a Merchant-owned workstation (computer). To be PCI-compliant, the workstation must be configured to allow access to only those applications necessary to process the card transaction. The workstation cannot allow email or Internet surfing. The workstation must have a hardware firewall device between it and any network to which it is attached. The workstation and firewall must have quarterly vulnerability scans. This requires the workstation and firewall to have fixed IP addresses. Complete information was addressed in a memo dated July 16, 2010.
    10. SAQ – Each Merchant is required to complete and submit to the Cashier’s Office a Self-Assessment Questionnaire (SAQ). There are five versions of the SAQ that correlate to the manner in which cards are accepted and the complexity of the Merchant’s card processing environment.
    11. Choosing the Appropriate SAQ – Review the SAQ Instructions and Guidelines. In summary, the five versions apply as follows:
      1. SAQ A – Customer enters own card number on Merchant’s third-party hosted website and Merchant does not electronically store cardholder data. Example: CASHNet eMarket Checkout or Storefront store without Assisted Payments.
      2. SAQ B – Merchant uses stand-alone, dial-out terminal and Merchant does not electronically store cardholder data. Example: Swipe.
      3. SAQ C – Merchant uses payment application connected to the Internet where staff member enters card number and Merchant does not electronically store cardholder data. Example: CASHNet eMarket Checkout store with Assisted Payments.
      4. SAQ C-VT – Merchant using only web-based virtual terminals and there is no electronic storage of cardholder data. Example: CASHNet eMarket Checkout store with Assisted Payments.
      5. SAQ D – All other Merchants not noted above or any Merchant that has electronic storage of cardholder data.
    12. Additional information can be found in the University’s set of policies and procedures for accepting payment cards.
  2. Overview
    1. Security – Merchant accepts responsibility for the accuracy and confidentiality of the information that staff collect in order to process a sale.
      1. Card numbers should not be stored unless there is a strong business need to do so. Disputing Chargebacks is not considered a strong reason.
      2. CSC – Requesting the Card Security Code (CSC) number at the point of transaction is strongly encouraged.
      3. Storage of the CSC or magnetic stripe data is strictly prohibited by PCI DSS.
      4. Wireless – Use of wireless technology other than cell phone networks is strictly prohibited.
      5. Email – Sensitive cardholder data should not be sent via email.
    2. Revenue – The funds due MSU as a result of card sales are credited at gross directly to MSU’s bank account. In most cases, the revenue is credited automatically to the department’s general ledger account(s). The timing of ledger entry varies, depending on the processing method. The Central Online Application deposits the daily payment card revenue the following business day. For swipe Merchants, the revenue is deposited the second business day. All other Merchants should use the Credit Card Receipt eDoc.

      Note: Full card numbers should not be entered into eDoc fields nor should any scanned documentation attached to an eDoc contain the full card numbers. Do not submit any documentation to either the Cashier’s Office or Accounting that contains a full card number.

    3. Expense – Expenses associated with card sales are billed to MSU on a monthly basis. They will be charged to the departmental ledger account in the month following the date of the sales transactions (e.g., April fees will be on May ledgers).
    4. Card Types – MSU presently has contracts with Visa, MasterCard, American Express and Discover. Debit cards with a Visa or MasterCard logo are also acceptable.
    5. Rates:
      1. American Express is about 2.50% and Discover is about 1.70%. There is also a minimal per transaction fee. As of 6/2009 it is $.08 for each transaction.
      2. The Visa, MasterCard and Discover rates vary depending on many factors, including (but not limited to) whether the card was swiped, address verification, credit versus debit, and how timely the transaction was settled after it was authorized.
      3. Current Visa and MasterCard rates are posted on the Cashier’s Office home page.
      4. Budget – Merchants are advised to budget about 3% for payment card expenses.
    6. Chargebacks – Chargebacks occur when the customer challenges the validity of the original charge and instructs/requests the card company to reverse it. The funds are deducted from MSU’s bank account. The Cashier’s Office will debit the departmental account accordingly. It is the department’s responsibility to make other payment arrangements with the customer.
    7. Credits (Returns) – When a refund is authorized for a customer, it should be processed as a refund to the same card that was used for the original transaction. Departments will receive partial refund of fees when they process a credit back to the customer. The refund is netted against all other fees on the monthly entry to distribute fees.
    8. Record Retention – Storing card numbers is discouraged, as there generally is not a strong business reason to store card numbers. If a Merchant chooses to store card numbers, the recommended retention is 6 months and never more than 18 months.
    9. Help – For questions related to accounting or getting started, call the Cashier’s Office at 355-5023. For questions related to processing specific transactions, call the processor’s Help Desk at 1-800-430-7161. For technical support regarding the Central Online Application, contact the AIS Service Desk at 884-3000 or ais311@msu.edu.
    10. Glossary – There is a glossary of terms at section IV.
  3. Processing Options
    1. CENTRAL ONLINE APPLICATION (CASHNet)
      1. Recommended Use – This is the preferred method for all Merchants except when the card is present.
      2. Information – For overview, options, forms, training, etc. go to the CASHNet homepage.
      3. Access – Once set-up is complete, the security administrator for that department must prepare an Access Request Memorandum (ARM) form to authorize users for that certain Location. The form should be printed, signed and submitted to AIS.
      4. Assisted Payments – Occur when a staff member enters card numbers into a Merchant-owned workstation (computer).
        1. To be PCI-compliant, the workstation must be configured to allow access to only those applications necessary to process the card transaction. The workstation cannot allow email or Internet surfing. The workstation must have a hardware firewall device between it and any network to which it is attached. The workstation and firewall must have quarterly vulnerability scans. This requires the workstation and firewall to have fixed IP addresses. Complete information was addressed in a memo dated July 16, 2010.
        2. CASHNet supports the Assisted Payments function.
        3. Access to perform Assisted Payments must be requested on the ARM form and approved by the Cashier’s Office.
      5. Activation – The new Location is activated when the Merchant Request Form is received by the Cashier’s Office. Merchant will be notified by email after the Location has been set up.
      6. Training – AIS routinely schedules training sessions available at the LCTTP website.
      7. Card Types – All card types are already set-up and available for each Location. Debit cards with a Visa or MasterCard logo are acceptable.
      8. Card Security Code (CSC) – The 3-4 digits on the back of a card (on the front of an American Express card). It is strongly recommended that each Location require this information at the point of transaction. However, it should never be stored.
      9. Revenue
        1. Revenue is automatically credited to the departmental account for every day that transactions are processed on the Central Online Application.
        2. End-of-Day processing occurs at 6 PM every day. Any transactions occurring after 6 PM are credited to the next business day.
        3. The ledger description will indicate the Location number. The Location number is included so that it can be distinguished from other activities if there are multiple Locations crediting revenue to the same ledger account.
        4. The revenue account and revenue object code are provided during set-up, but can be changed at any time by someone with access to change the store’s settings (referred to as All Access on the ARM form).
      10. Cost
        1. There are no start-up, supply or minimum monthly costs.
        2. The cost components are discount fees, online processor fees and AIS support fees.
        3. Costs are distributed to all active Locations based on their relative share of gross sales in the Central Online Application for that month.
        4. Merchants pay only for the months in which they actually use the central online application and have gross sales activity.
        5. Expenses are charged to the departmental account on a monthly basis and appear on the ledger in the month following the sales activity to which the expenses apply. The ledger description will indicate the applicable month and Location number.
        6. For budgeting purposes, the cost averages 2.5-3.0% of gross sales.
    2. Swipe (Electronic)
      1. Recommended Use – Preferred method when card is present. Also appropriate for Merchants that process orders received via mail or phone.
      2. Set-up – Complete and return the New Merchant Request Form to the Cashier’s Office Manager via email: nelsonm@ctlr.msu.edu. Information to complete the form includes:
        1. Name for new Merchant.
        2. Contact person’s name, mailing address, phone number and email address.
        3. MSU account number and object code for automatic revenue deposits.
        4. MSU account number that will be charged for all applicable fees.
        5. An estimate of the anticipated annual dollar volume.
        6. An estimate of the average individual transaction amount.
        7. Whether department also wants to accept American Express. The standard set-up includes Visa, MasterCard and Discover.
      3. Activation – The Cashier’s Office staff will forward this information to the processor who then assigns a new Merchant number. The hardware and instruction manuals will be sent directly to the requesting department, usually within two weeks.
      4. Operations – An operating manual will be sent to each Merchant. It is important that each person who will process payments read the Merchant’s operating manual.
      5. Card Types – The basic machine will come programmed with Visa, MasterCard and Discover. This includes regular credit cards and debit cards with the Visa or MasterCard logo. American Express must be specifically requested.
      6. Costs – Charged to departmental account in the month subsequent to when incurred.
        1. Hardware – An Electronic Data Capture machine costs about $400.
        2. Supplies – Merchants should call 1-800-430-7161 to order paper supplies.
        3. Discount Fees – Comprised of a percentage and a fixed, per transaction fee. See section II.B.5. above.
      7. Revenue
        1. The Merchant must settle and transmit the data each day. The gross sales revenue is credited (deposited) directly into MSU’s general operating bank account.
        2. The Cashier’s Office will automatically deposit the sales revenue to a single MSU ledger account. The deposit will occur three days after the batch is settled and the settlement date will be noted in the line description. To capture the weekend, Monday’s posting will include Thursday and Friday activity, and Tuesday’s posting will include Saturday and Sunday activity.
    3. Software Other Than Central Online Application
      1. Merchants may use purchased software to process payment card activity. Most applications can interface with MSU’s existing processor, but it is not required.
      2. Use of any third party for processing, storing or transmitting payment card data must be approved by the Controller’s Office. All contracts must be forwarded to the Cashier’s Office for review.
      3. Merchants will be allowed to use only those service providers and applications that have been validated as being PCI-compliant. A list of validated solutions is available on the PCI Security Standards Council website.
      4. Revenue
        1. Merchants that interface with MSU’s processor will have the revenue automatically deposited as described in C.2.g.ii. above.
        2. Merchants that use a processor other than MSU’s will have to use the Credit Card Receipt eDoc to post the revenue. Documentation of the Batch Settlement Report must be attached to the CCR eDoc.
    4. Loaner Machines
      1. There are occasions when a department has a limited need for accepting credit cards in person; for example, onsite registration for a one-time only or once-a-year conference. In cases where using the Central Online Application is not feasible, the Cashier’s Office has two loaner machines available on a first-come, first-served basis.
      2. The department is responsible for ensuring that PCI DSS guidelines are followed.
      3. There is a $20 per month charge for use of the machine and the department is responsible for the discount fees. These fees will be included on the monthly journal entry. Contact the Cashier’s Office regarding machine availability and the sign-out process.
      4. The department is responsible for settling the transactions in a timely manner. Contact the Cashier’s Office for instructions to post the revenue.
      5. The department is responsible for any Chargebacks that result from transactions that were processed during the time it was borrowed. An adjusting entry will be created as needed and routed to the department.

III.  ACH

  1. Overview
    1. Rules – Federal regulations direct how the banking system manages the ACH process, which in turn determines MSU’s procedures.
    2. Online Only – ACH acceptance is available online only through the Central Online Application or other application. Departmental staff cannot accept the banking information over the phone or in the mail and then enter it on behalf of the customer. For additional information on CASHNet, go to the CASHNet webpage.
    3. Revenue – The funds due MSU as a result of ACH sales are credited directly to MSU’s bank account. The revenue is automatically credited to the department’s general ledger. There will be an entry for each business day that an ACH batch is sent to MSU’s bank. The end-of-day process occurs at 6 PM. Any transactions after that time will be posted as the next business day.
    4. Availability – Unlike payment cards, an ACH transaction does not verify the availability of funds before processing the request and giving the seller credit. ACHs are treated the same as paper checks; that is, the funds are not truly valid until the ACH clears the issuer’s bank account.
    5. Returns – In the event an ACH fails to be processed (e.g., nonsufficient funds, account not found, etc.), it is treated the same as a paper check and referred to the Cashier’s Office for collection. Refer to MBP Section 14.
    6. Cost – The cost to process an ACH is minimal and centrally funded. There is no cost to departments.
    7. Help – For questions related to accounting or getting started, call the Cashier’s Office at 355-5023. For technical support regarding the Central Online Application, contact the AIS Service Desk at 884-3000.
    8. Glossary – There is a glossary of terms at section IV.

IV.   Glossary of Terms

ACH (Automated Clearing House) – Refers to an individual debit to a customer’s bank account that is batched with similar transactions and sent to MSU’s bank for automated processing similar to paper checks.

Assisted Payments – where Merchant staff or representative (e.g., volunteer) enters card numbers on a Merchant-owned computer. The computer must be a Dedicated Workstation (see definition below).

Authorized – The status of a credit/debit card transaction that has been approved by the processor for the amount requested.

Batch – One or more payment card transactions grouped for settlement.

Batch Settlement Report – The report generated by a swipe machine after a payment card batch has been successfully transmitted to the processor.

Card Company (or Association) – Visa, MasterCard, American Express or Discover.

Card Processing Company (Processor) – Third-party provider that receives settled batch data from Merchants and forwards them to the appropriate card companies (e.g., Visa, MC).

Card Security Code (CSC) – The additional 3-4 digits usually on the back of a card (on front of American Express) that is not part of the card number. May also be referred to as CCC, CSSC or CVC. Used to minimize fraud when the card is not present.

Cardholder – The customer; the person whose name appears on the card being used to purchase goods or services.

Cardholder Data – Defined for PCI DSS purposes as the full card number. Also includes any identifying data if used or stored along with the card number (such as name, expiration date, address, etc.).

Central Online Application – The common online payment application for which set-up and training are centrally supported. Current application is CASHNet.

Chargeback – A transaction generated by the card company at the customer’s request to take money out of MSU’s bank account and return it to the cardholder.

Credit – A payment card transaction generated by the Merchant to return some or all of the original purchase amount back to the cardholder.

Debit Card – Cards with the Visa or MasterCard logo are accepted and processed the same as credit cards.

Dedicated Workstation – A Dedicated Workstation is required whenever card numbers are entered into a computer (workstation), a process referred to as Assisted Payments (see definition above). To be PCI-compliant, the workstation must be configured to allow access to only those applications necessary to process the card transaction. The workstation cannot allow email or Internet surfing. The workstation must have a hardware firewall device between it and any network to which it is attached. The workstation and firewall must have quarterly vulnerability scans. This requires the workstation and firewall to have fixed IP addresses. Complete information was addressed in a memo dated July 16, 2010.

Discount Fees – The fees a Merchant pays to the credit card processing company for the service of processing credit/debit card transactions. Can be comprised of both variable (percentage) and fixed (per transaction) fee components. Often stated as an “add-on” to the Interchange Rates.

Interchange Rates – The fees established by Visa and MasterCard for the service of paying the Merchant immediately while extending credit to Cardholders. Generally comprised of both variable (percentage) and fixed (per transaction) fee components.

Location – In the Central Online Application, refers to a certain activity that the Merchant defines. Each Location is identified by a unique location number by the Cashier’s Office. Same as Store.

Merchant – Any department that accepts payment cards, identified by a unique number that has been assigned by the credit card processing company or the Cashier’s Office. In the Central Online Application it is the same as Location.

Merchant Number – The number assigned by a card company that uniquely identifies a specific activity. In the Central Online Application, there is one shared Merchant number for all Locations. Swipe Merchants have individual Merchant numbers for each swipe location. Visa, MasterCard and Discover share the same Merchant Number, but American Express issues a separate Merchant Number.

Pending – In the Central Online Application, the status of a transaction that has been authorized but not yet settled.

Processor – See Card Processing Company.

Self-Assessment Questionnaire

Settled – The status of a transaction once the Card Processing Company has processed it. Could refer to a sale or a credit transaction. Settled transactions are those that will show on the Cardholder’s monthly statement.

Status (of credit/debit card or ACH transaction) – Indicates which stage of the process a transaction is in. It can be authorized, pending, settled or void.

Store – In the Central Online Application, same as Location.

Store Identifier – A unique code name assigned to each store or location. It is comprised of the Common Unit Code and a 2-4 character name selected by the department.

Terminal – Another name for the electronic data capture machine or an individual PC on an automated software application.

Terminal Number – Each terminal is assigned a unique number by the card processor that is printed on receipts and reports so that transactions can be traced back to a specific terminal.

Transmit – The act of sending payment card batch data for settlement on a swipe terminal.