Credit Card Acceptance

I want to start accepting credit cards. What do I do?

The University has established security standards and processes for the protection of Cardholder Data in compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI requirements apply to all OU entities that collect, store, process, or transmit Cardholder Data, provide for its oversight, or support an entity that does. Each such entity will be required to comply with OU processes and standards. Permission is required from the Office of the Bursar to accept card payments.

All potential merchants must complete the New Merchant Application and agree to comply with and sign the Merchant Contract. As it can take three to four weeks to receive a merchant ID and equipment, it is highly recommended that these documents are returned as soon as possible to Chelsea Smith-Antonides, Buchanan Hall, Room 208 or antonides@ou.edu. Please note that the merchant contract must be signed by the account sponsor for the department number listed on the application. All requests must be approved by the Compliance Administrator and prospective merchants must schedule a training session before approval can be granted. To schedule training, please contact Chelsea Smith-Antonides at antonides@ou.edu.

Approval from the Office of the Bursar is required prior to making changes to existing environments, technologies and/or processes associated with Cardholder Data.

Bursar Operations will provide one terminal for free (subject to change) that requires IP connectivity.  Please call 325-HELP to request port installation specifically for a credit card terminal that must fall under PCI Data Security Standards. Contact Chelsea Smith-Antonides at antonides@ou.edu to place the order.

If you opt to accept credit card transactions online, Bursar Operations offers a gateway solution provided by TouchNet. There is not a charge for an ecommerce merchant who elects to utilize TouchNet as their payment gateway (subject to change). If you have another service provider in mind, it must be approved by Bursar Operations before an agreement is made or a contract is signed with the third party service provider. The merchant will be responsible for all costs associated with a service provider that is not TouchNet. Please include the name of the service provider on the New Merchant Application. If you currently have a TouchNet Store and would like to add authorized users, please complete the TouchNet Access Form. Credit card transactions processed through TouchNet are subject to a 3% charge based on total monthly credit card volume.

Bursar Operations will provide one mobile terminal for free (subject to change). If you require a mobile device to accept credit cards, the approved terminals are the Clover Flex and Clover Go. These terminals connect wirelessly with a mobile data plan and must not be connected to Wi-Fi. If utilizing a Clover Go, the costs associated with a paired tablet and data plan are the responsibility of the merchant. If utilizing a Clover Flex, there is no extra cost for the data plan (subject to change). The use of third party applications on the Clover system is prohibited unless expressly permitted by Bursar Operations on a case by case basis. Each application must first undergo an IT risk assessment. Any costs associated with approved third party applications are the responsibility of the merchant. If there is another mobile device that the merchant prefers to use, they must have the approval of Bursar Operations and the device must fall under the University approved Mobile Device Policy.

The merchant departmental account will be expensed 3.0% for the total monthly credit card volume. Volume is calculated at the end of each month from the department’s PeopleSoft reporting. The expense will appear on the departmental account at the beginning of each month for the previous month’s activity.

Equipment expense: There is not a charge for a merchant who chooses to use the FD150 terminal and FD35 PIN pad (subject to change). Bursar Operations will provide one terminal and one PIN pad. All expenses incurred for additional equipment will be the responsibility of the merchant. All expenses incurred for an Ethernet drop for the terminal will be the responsibility of the merchant and pricing is determined by OU IT and Facilities Management.

Ecommerce expense: There is not a charge for an ecommerce merchant who elects to utilize TouchNet as their payment gateway (subject to change). If a different service provider is chosen (subject to approval), the merchant is responsible for all expenses incurred. Credit card transactions processed through TouchNet are subject to a 3% charge based on total monthly credit card volume.

How do I Protect Sensitive Cardholder Data?

PCI Data Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card brands. The standards apply to all organizations that store, process, or transmit cardholder data. In operational terms, complying with PCI DSS means that you are doing your part to ensure that the payment card data of our students, parents, alumni, donors, and visitors is kept safe throughout every transaction at the University of Oklahoma. By ensuring a secure and compliant environment, they, and you, can have confidence that they’re protected against the pain and cost of data breaches. All University of Oklahoma departments that accept, store, process, or transmit payment cards are required to be compliant with PCI DSS and University policies.

Informative Links

  1. Identify and document the existence of all cardholder data (CHD) in your environment and the accessibility of CHD.
  2. Document CHD flows in a diagram to ensure that network segmentation and processes are in place to isolate your CHD environment.
  3. Truncate the Primary Account Number (PAN) on both merchant and customer copies. Printouts should be truncated or masked.
  4. Set POS terminals to auto-settle to ensure that batches are settled nightly.
  5. Deploy anti-virus software on all systems commonly affected by viruses.
  6. Do not store sensitive authentication data contained in a payment card’s chip or magnetic stripe, including the 3-4 digit verification code/value printed on the front or back of the payment card.
  7. You may not store payment card data in POS terminals or other unprotected endpoint devices such as:
    • Laptop, tablet, smart phone, or other portable devices
    • Removable media such as CDs, DVDs and USB thumb drives
    • Home computers
  8. Do not leave paper and electronic media, computers, networking and communications physically unsecured.
  9. Cardholder data must not be transmitted in an unsecure manner such as email, unsecured fax, instant message, chat, or campus mail.
  10. Permit access to cardholder information only to employees who have a legitimate business “need-to-know”.

In the event of a breach or suspected breach of security, including the suspicion that credit/debit card information has been exposed or stolen, the merchant must immediately contact:

Compliance Administrator: Chelsea Smith-Antonides antonides@ou.edu

IT Security: IT Security Operations (405) 271-2476 Option 9

Please identify yourself as a Norman merchant with a PCI related incident. This number is available 24/7.

Please refer to the University Incident Response Plan.

Approval from the Office of the Bursar is required prior to making changes to existing environments, technologies and/or processes associated with Cardholder Data. An IT risk assessment is required for all potential third party service providers. Subsequent assessments are required periodically to ensure the vendor continues to meet University standards.

All merchants that accept payment cards as a form of payment are required to have the following:

  • Signed merchant contract with Bursar Operations
  • A policy that addresses information security for all personnel (Updated as needed and approved annually by department head)
  • An incident response plan
  • An inventory of all terminals and devices
  • A list of employees who handle cardholder data in any way as well as a signed document that they have received and understand annual training within the department (Training performed annually and for new employees)
  • A Network Diagram that shows the flow of cardholder data in the merchant’s environment.
  • Contractual agreement with third party service provider utilized stating that the service provider is responsible for security of cardholder data it possesses.
  • Service Provider-Merchant PCI DSS Responsibility Matrix (see Important Documents below).

Important Documents and Links

NEW! Online New Merchant Application and Contract

New Merchant Application and Contract (link)