All Saint Louis University merchant accounts must be authorized by Treasury and Investments and the SLU PCI Compliance Committee. The department must demonstrate a valid business need for a merchant account and demonstrate certain business operation and financial management criteria.
Saint Louis University accepts Visa, MasterCard, Discover and American Express via e-commerce solutions, third-party gateways, standard terminals and wireless terminals.
A merchant account is required in order to accept receipts from credit and debit card transactions. All merchant accounts are created through the University's merchant services provider contract with Bank of America. To establish a merchant account, or make changes to an existing merchant account, complete the Merchant Services Account Request/Maintenance form.
Credit Card Training
Only authorized and properly trained individuals can process credit card transactions and access systems or reports containing credit or debit card data. Employees who have access to cardholder data or who are involved in credit card processing must complete credit card security training upon hire and annually.
Employees will be notified of their annual training via email and notifications in Self-Service Banner. Employees who do not complete the credit card training within 30 days of the initial notification will have all credit card processing privileges removed, and the respective dean or vice president will be notified.
Contractors, volunteers and other individuals who are not University employees and who plan to accept or process credit or debit cards on behalf of Saint Louis University must also be trained prior to taking on their credit and debit card handling duties and annually thereafter. It is the responsibility of the Merchant Manager to notify Treasury and Investments at email@example.com of any non-employee processing or handling credit or debit card data.
If you have requested to loan a special events credit card terminal, email firstname.lastname@example.org to be added to the PCI training. This training must be completed before you can begin processing credit card transactions on behalf of the University.
Credit Card Data Usage and Retention
- Storage and retention of credit card data must be the minimum length necessary to meet University and/or regulatory requirements.
- University policy prohibits retaining or storing the cardholder's full credit card number, the three-digit CVV code or the PIN verification value.
- At a minimum, the credit card number must be rendered unreadable for all stored or retained data.
- Media or storage containers with cardholder data must be labeled "confidential."
- Cardholder data may not be sent via email, unless it is encrypted.
- Cardholder data must be secured against unauthorized removal and stored in a secured area.
- Any movement of cardholder data must be communicated to and pre-approved by the treasurer's office.
- All physical areas containing cardholder data must have limited access.
- The preferred method of storage of cardholder data is a locked container.
- These areas must not be accessible to the public.
- All visitors to these areas must be escorted at all times by an employee with legitimate access.
- It is the department's responsibility to ensure the visitor's access to the area is authorized and logged for audit purposes.
- Visitors include employees, temporary employees, consultants or contractors.
- Third parties with access to cardholder data must be contractually obligated to comply with the payment card industry security requirements.
- The third party must provide documentation to the University of their compliance level.
Credit Card Deposit Processing
- The completed web deposit should show the total credit card deposit by credit card type, and the supporting documentation should agree with the completed form.
- Scan web deposit and transaction summary, settlement batch or close report with the individual card type subtotals to email@example.com.
- Do not send cardholder receipts with the web deposit.
Saint Louis University will accept MasterCard, Visa, Discover and American Express bank credit cards for payment of miscellaneous charges at University locations approved by the treasurer's office. Departments are responsible for the deposit of credit card payments with the cashier's office.
Departments processing charges by bank credit card must do so electronically using a terminal and printer or e-commerce product approved by the treasurer's office.
Valid MasterCard, Visa, Discover or American Express transactions may be accepted at approved locations; however, the University is not liable for improper use. It is the department's responsibility to recover chargebacks from the customer incurred due to invalid charges.
The University's depository account will be credited within two business days after the bank card transactions have been submitted to the bank. Departmental accounts will be credited upon receipt of a web departmental deposit.
A fee is charged to the University by the bank for each credit card transaction. The cost associated with the acceptance of bank credit cards for payment will be allocated to the departments by the controller's office. Bank merchant numbers are used to record fee allocations.
To request authorization to accept bank credit cards for payment, contact the treasurer's office.
Enter the card information into the credit card terminal, either by swiping the card or by keying the card number manually.
For a swiped transaction:
- Swipe the card through the card reader.
- Verify the customer name, card number and expiration date as they appear on the terminal screen.
- Enter the amount of the charge.
- Verify the transaction has been accepted and a receipt has been generated.
- Obtain the signature of the cardholder on the transaction receipt.
For a manually keyed transaction:
- Enter the card number into the terminal.
- Verify the customer name, card number and expiration date as they appear on the terminal screen.
- Enter the amount of the charge.
- Verify the transaction has been accepted.
At the end of each business day, submit the batch of daily transactions to the bank via a modem to charge the customer's bank card and credit the University's depository account.
- Run a batch report of daily transactions from the terminal.
- Departmental supervisors should review the report and verify all transactions on the report are accurate and appropriate. Initial any credits identified on the batch report.
- Transmit batch transactions to the bank.
- Complete a web departmental deposit.
- Maintain detail batch reports and receipt forms in an organized manner in the department.
SLU PCI Committee
Saint Louis University accepts credit card payments as a convenience to its customers and is committed to protecting and preserving the privacy and security of payment card data collected and processed to conduct University business operations. Saint Louis University has a fiduciary responsibility to patients, students, donors, customers and payment card processors to comply with the Payment Card Industry Data Security Standards (PCI DSS) when handling payment card transactions.
The PCI Compliance Committee was established to govern PCI DSS and oversee merchant card processing compliance for the University. The Committee consists of members from Information Technology Services, Treasury and Investments and representatives from various University merchants.
All University departments that handle, store, process or transmit cardholder data, including any Saint Louis University employee, contractor or agent who, in the course of doing business on behalf of the University, is involved in the acceptance of credit cards and e-commerce payments for the University, must comply with PCI DSS.
The PCI DSS are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while compliance is enforced by the payment card brands. These standards include controls for handling and restricting credit card information, computer and internet security, as well as the reporting of a credit card information breach.
Loaner Credit Card Terminal
The Office of the Treasurer maintains three loaner terminals as a service to departments that need to process credit card payments for an event over a short period of time. Any department requesting use of a terminal must read the policy and complete the request form.
For departmental deposit slips for US Bank, contact the treasurer's office at firstname.lastname@example.org or Katie Benenati at 314-977-2466. Be sure to include your department name and account number on your requests. Tamper-proof deposit bags are available for purchase through Staples.
Credit Card Security FAQs
The credit card security policy covers everyone involved with gathering, processing or storing the credit card information we collect within the University.
It covers all the credit card and cardholder information that is gathered throughout the University:
- How we process credit card transactions
- What we do with all of the credit card receipts and reports
- What we do with the credit card information we gather
- How we dispose of the information after it has served its business purpose
Only individuals with a "need to know" purpose should have access.
- Never attach receipts with the full credit card number to the web deposit that is sent to the treasurer's office.
- Never email or electronically transmit full credit card numbers, unless they are encrypted
Visa, MasterCard and Discover allow customers to dispute charges up to 18 months from the date of the original transaction. American Express allows disputes up to 12 months from the date of the original transaction.
- Store only the most necessary information
- Never store the full credit card number unless there is a specific business purpose
- Store information in a secure area, preferably in a locked container marked "Confidential"
- Limit access to the secure storage area; only employees or third parties that require access to the area should be allowed
- An employee with legitimate access should always accompany other employees or third parties needing access to the storage area
Keep the policy handy, consult and follow it. Here are a few simple rules:
- Process cardholder data in a timely manner
- Properly destroy all cardholder data that will not be retained
- Retain or store only the necessary cardholder information
- Never retain or store the full credit card number
- Never collect the three-digit CVV code
- Do not e-mail unencrypted credit card information
- Do not collect customer PIN numbers
- Make sure access to the stored data is limited and the data is secured and protected
- Do not send cardholder receipts with the web deposit; the treasurer's office does not need or want that detailed information.
- Attach and send only a transaction summary, settlement, batch or close report with individual card type subtotals to the treasurer's office.
- Include the applicable merchant ID number on the DOF form. The treasurer's office has a record of all the merchant ID numbers.
- The completed DOF form should show the total deposit by credit card type with an attached report that supports the information entered on the form.