Cash Handling and Banking Services

ACCEPTING CREDIT CARDS FOR PAYMENT


All campus departments must receive written approval from the Campus Credit Card Coordinator before either accepting payment via credit card or signing any agreements involving credit card services/equipment.

This requirement is in accordance with UC BUS-49 policy, Section VI, Page 10 (PDF).

The campus department must adhere to the following requirements when seeking approval:

  • Prepare a business case including a cost-benefit analysis that demonstrates that the volume/size of transactions justifies the costs;
  • Demonstrate ability to fully comply with all Payment Card Industry Data Security Standards;
  • Meet BUS-49 policy, Section XIII, Page 31 (PDF) and UC Berkeley Procurement Policy for contracts and agreements;
  • Transact only through payment gateways supported by the University of California Office of the President.

The Credit Card Coordinator will review departmental needs and recommend the most efficient and cost-effective method available to process transactions for events, dining, tickets, merchandise and fees. The Coordinator can assist with:

  • Identifying card acceptance/payment solutions
  • Complying with PCI Data Security Standards
  • Conducting vendor due diligence
  • Meeting acquirer/processor setup requirements
  • Deploying best practices
  • Conducting training

Centrally-Supported Solutions

The following grid is a summary of centrally-supported credit card payment solutions for UC Berkeley:

Credit Card Payment Solution: Swipe Point of Sale (POS) Terminal

  • Dial-up (analog)
  • Cellular
  • IP or Ethernet Connectivity

Customer Interactions:

  • Face to Face
  • Mail Order/Telephone Order

For Consideration:

  • Equipment purchase or rental must be from Bank of America Merchant Services for Dial-up and Cellular solutions
  • Requires landline (dial-up) or cellular service from supported carrier
  • Equipment purchase and associated services must be from Bluefin Payment Systems for IP solution

Credit Card Payment Solution: Online – CyberSource

Re-direct (Hosted Order Page or Secure Acceptance) integration method

Customer Interactions:

  • Card not present; customer enters card information online via customer-owned device.

For Consideration:

  • May require IT technical expertise

Credit Card Payment Solution: Online – RegOnline

(Event management and registration application)

Customer Interactions:

  • Card not present; customer enters card information online via customer-owned device.

For Consideration:

  • May require IT technical expertise

Please request a “Merchant Setup Request” application and submit it to MerchantSupport@berkeley.edu.


Solutions Requiring Review by the Campus Compliance Team

The following table lists more complex credit card payment acceptance solutions that require a substantial investment of resources to set up and maintain. These solutions carry a significant level of information risk for the campus. To obtain approval for these solutions, campus departments must submit additional documentation above and beyond the standard approval process outlined above. The campus compliance team is comprised of colleagues from the Controller’s office and Information Security. The following factors will inform the evaluation of proposed solutions for accepting credit cards:

  • Extent to which the proposed solution reduces overall information risk to the University;
  • Whether the proposed solution creates significant operational efficiency (i.e., significantly reduces costs/increases revenue);
  • Whether the solution meets unique departmental needs/requirements.

Credit Card Payment Solution: POS System

Inventory management, dynamic reporting, multiple points of sale.

Customer Interactions:

  • Face to Face
  • Card not present; customer enters card information online via customer-owned device

For Consideration:

  • Requires business case approval by Credit Card Coordinator
  • Requires extensive and very costly set of security measures to comply with PCI DSS
  • Requires interface/processing through FDMS Nashville platform
  • Requires risk assessment from Coalfire Security Inc. (estimated costs: $5,000 - $25,000)
  • Requires PCI DSS validation through a Report on Compliance (ROC) from a qualified QSA
  • Requires inclusion on Visa and MasterCard registry of certified service providers
  • Requires inclusion on PCI security site for payment applications
  • Requires contract review and approval from compliance team prior to contract execution through campus procurement team
  • Requires approval from UCOP or a UCB Controller Variance to policy
  • May require annual Coalfire Security, Inc. assessment
  • Required lead time is an estimated 3 – 12 months

Credit Card Payment Solution: Online – CyberSource

Non-HOP/Secure Acceptance Web/Mobile integration method through CyberSource

Customer Interactions:

  • Card not present; customer enters card information online via personal device

For Consideration:

  • Same as POS

Credit Card Payment Solution: Online – Other

Non-centrally supported Payment Gateway

Customer Interactions:

  • Card not present; customer enters card information online via personal device

For Consideration:

  • Same as POS

Please request a “Non-Centrally Supported Payment Solution” application and submit it to MerchantSupport@berkeley.edu.


Non-Approved Solution

The following grid shows a credit card payment solution that is not approved:

Non-approved solution: Virtual Terminal

For Consideration:

Merchants should never manually enter credit card information through campus workstations or other non-secure devices. This practice will expose the campus to significant risk and violates campus policy and PCI DSS protocol.