Â鶹´«Ã½

Skip to main content

Merchant Card Services and E-commerce

All Â鶹´«Ã½ merchant accounts must be authorized by Treasury and Investments and the SLU PCI Compliance Committee. The department must demonstrate a valid business need for a merchant account and demonstrate certain business operation and financial management criteria.

Â鶹´«Ã½ accepts Visa, MasterCard, Discover and American Express via e-commerce solutions, third-party gateways, standard terminals and wireless terminals. Please review the Merchant Card Policy (PDF) for more information on credit card processing.

A merchant account is required to accept receipts from credit and debit card transactions. All merchant accounts are created through the University's merchant services provider contract with Fiserv. To establish a merchant account, or make changes to an existing merchant account, complete the Merchant Services Account Request/Maintenance form (PDF).

Credit Card Training

Only authorized and properly trained individuals can process credit card transactions and access systems or reports containing credit or debit card data. Employees with access to cardholder data or who are involved in credit card processing must complete credit card security training upon hire and annually.

Employees will be notified of their annual training via email. Employees who do not complete the credit card training within 30 days of the initial notification will have all credit card processing privileges removed, and the respective dean or vice president will be notified.

Contractors, volunteers and other individuals who are not University employees and who plan to accept or process credit or debit cards on behalf of Â鶹´«Ã½ must also be trained prior to taking on their credit and debit card handling duties and annually after that. It's the responsibility of the merchant manager to notify Treasury and Investments at merchantservices@slu.edu of any non-employee processing or handling credit or debit card data.

If you have requested to borrow a special events credit card terminal, email merchantservices@slu.edu to be added to the PCI training. This training must be completed before you can begin processing credit card transactions on behalf of the University. 

Credit Card Security Tips

Credit Card Data Usage and Retention

  • Storage and retention of credit card data must be the minimum length necessary to meet University and/or regulatory requirements.
  • University policy prohibits retaining or storing the cardholder's full credit card number, the three-digit CVV code or the PIN verification value.
  • At a minimum, the credit card number must be rendered unreadable for all stored or retained data.
  • Media or storage containers with cardholder data must be labeled "confidential."
  • Cardholder data may not be sent via email unless it is encrypted.
  • Cardholder data must be secured against unauthorized removal and stored in a secured area.
  • Any movement of cardholder data must be communicated to and preapproved by the Treasurer's Office.

Physical Access

  • All physical areas containing cardholder data must have limited access.
  • The preferred method of storage of cardholder data is a locked container.
  • These areas must not be accessible to the public.
  • All visitors to these areas must be escorted at all times by an employee with legitimate access.
  • It is the department's responsibility to ensure the visitor's access to the area is authorized and logged for audit purposes.
  • Visitors include employees, temporary employees, consultants or contractors.

Third-party Access

  • Third parties with access to cardholder data must be contractually obligated to comply with the payment card industry security requirements.
  • The third party must provide documentation to the University of their compliance level.

Credit Card Deposit Processing

  • The completed Ad Hoc Bank Transaction should show the total credit card deposit by credit card type and the supporting documentation should agree to the completed form.
  • Attach transaction summary, settlement batch or close report with the individual card type subtotals to the Ad Hoc Bank Transaction.
  • Do not send cardholder receipts with the Ad Hoc Bank Transaction.
Credit Card Acceptance

Â鶹´«Ã½ will accept MasterCard, Visa, Discover and American Express bank credit cards for payment of miscellaneous charges at University locations approved by the Treasurer's Office. 

Departments processing charges by bank credit card must do so electronically using a terminal and printer or e-commerce product approved by the Treasurer's Office.

Valid MasterCard, Visa, Discover or American Express transactions may be accepted at approved locations; however, the University is not liable for improper use. The department is responsible for recovering chargebacks from the customer incurred due to invalid charges.

The University's depository account will be credited within two business days after the bank card transactions have been submitted to the bank. Departmental accounts will be credited upon receipt of an Ad Hoc Bank Transaction.

The bank charges a fee for each credit card transaction to the University. The cost associated with the acceptance of bank credit cards for payment will be allocated to the departments by the Controller's Office. Bank merchant numbers are used to record fee allocations.

Contact the Treasurer's Office to request authorization to accept bank credit cards for payment.

Procedures

Enter the card information into the credit card terminal.

With card:

  • Swipe the card through the card reader.
  • Verify the customer name, card number, and expiration date as they appear on the terminal screen.
  • Enter the amount of the charge.
  • Verify the transaction has been accepted and a receipt has been generated.
  • Obtain the signature of the cardholder on the transaction receipt.

Without card:

  • Enter the card number into the terminal.
  • Verify the customer name, card number, and expiration date as they appear on the terminal screen.
  • Enter the amount of the charge.
  • Verify the transaction has been accepted.

At the end of each business day, submit the batch of daily transactions to the bank via a modem to charge the customer's bank card and credit the University's depository account.

  • Run a batch report of daily transactions from the terminal.
  • Departmental supervisors should review the report and verify all transactions on the report are accurate and appropriate. Initial any credits identified on the batch report.
  • Transmit batch transactions to the bank.
  • Complete an Ad Hoc Bank Transaction.
  • Maintain detail batch reports and receipt forms in an organized manner in the department.

SLU PCI Committee

Â鶹´«Ã½ accepts credit card payments as a convenience to its customers and is committed to protecting and preserving the privacy and security of payment card data collected and processed to conduct University business operations. Saint Louis University has a fiduciary responsibility to patients, students, donors, customers and payment card processors to comply with the Payment Card Industry Data Security Standards (PCI DSS) when handling payment card transactions.

The PCI Compliance Committee was established to govern PCI DSS and oversee merchant card processing compliance for the University. The committee consists of members from Information Technology Services, Treasury and Investments and representatives from various University merchants.

All University departments that handle, store, process or transmit cardholder data, including any Â鶹´«Ã½ employee, contractor or agent who, in the course of doing business on behalf of the University, is involved in the acceptance of credit cards and e-commerce payments for the University, must comply with PCI DSS.

The PCI DSS are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The council is responsible for managing the security standards, while the payment card brands enforce compliance. These standards include controls for handling and restricting credit card information, computer and internet security, as well as the reporting of a credit card information breach.

Loaner Credit Card Terminal

The Treasurer's Office maintains five loaner terminals, which are available to departments for special one-time events. Departments requesting the use of a terminal must read the Special Events Loaner Credit Card Terminal Policy and complete the Special Events Loaner Credit Card Terminal Request Form.

Depository Supplies

For departmental deposit slips for US Bank, contact the Treasurer's Office at sludeposits@slu.edu or 314-977-7073. Be sure to include your department name on your request. Tamper-proof deposit bags are available for purchase through .

Credit Card Security FAQs

Who does the credit card environment policy cover?

It covers everyone involved with gathering, processing or storing the credit card information we collect within the University.

What does the credit card environment policy cover?

It covers all the credit card and cardholder information that is gathered throughout the University:

  • How we process credit card transactions
  • What we do with all of the credit card receipts and reports
  • What we do with the credit card information we gather
  • How we dispose of the information after it has served its business purpose
Who should have access to our customers' credit card information?

Only individuals with a "need to know" purpose should have access.

  • Never attach receipts with the full credit card number to the Ad Hoc Bank Transaction that is submitted to the Treasurer's Office.
  • Never email or electronically transmit full credit card numbers.

 

How long do we have to retain credit card data?

Visa, MasterCard and Discover allow customers to dispute charges up to 18 months from the date of the original transaction. American Express allows disputes up to 12 months from the date of the original transaction.

How do we protect the cardholder data we accumulate and store?
  • Store only the most necessary information
  • Never store the full credit card number unless there is a specific business purpose
  • Store information in a secure area, preferably in a locked container marked "Confidential"
  • Limit access to the secure storage area. Only employees or third parties that require access to the area should be allowed
  • An employee with legitimate access should always accompany other employees or third parties needing access to the storage area
What are the risks to the University if we fail to follow the PCI Standards?
Disciplinary actions include fines,  penalties (both for the University and the individual) and loss of the privilege to accept credit cards.
What is your responsibility?
Do your best to protect the cardholder data. Treat it as if it were your own. The ability to accept credit cards is a privilege, not a right.
What is the simplest way to comply with the credit card environment policy?

Keep the policy handy, consult and follow it. Here are a few simple rules:

  • Process cardholder data in a timely manner
  • Properly destroy all cardholder data that will not be retained
  • Retain or store only the necessary cardholder information
  • Never retain or store the full credit card number
  • Never collect the three-digit CVV code
  • Do not send credit card information via email
  • Do not collect customer PIN numbers
  • Make sure access to the stored data is limited and the data is secured and protected
I ran a credit card transaction. How do I submit the information to Treasury?
  • Departments will submit an Ad Hoc Bank Transaction in Workday once the credit card terminal has been batched for the day and a batch settlement receipt has been produced. The Ad Hoc Bank Transaction job aid can be found on the Workday homepage under the Job Aid and Video Library icon, Finance tab. 
    • Job aid title: Ad Hoc Bank Transaction-Departmental Deposit
  • Attach the batch receipt to the Ad Hoc Bank Transaction. Once the Ad Hoc Bank Transaction is submitted, Treasury will review and approve it.
  • Deposits will not be approved without the required documentation. The department will be contacted for any discrepancies.