Credit Card Ops FAQ

We would like to start accepting credit cards in our department. What do we need to do to get set up?
Contact the Credit Card Coordinator at 392-9057 to establish your exact needs (i.e. swiping machine or eCommerce) and request an application form to create a merchant ID or eCommerce account.
We have a technical issue with our credit card machine. Can you help us?
First, call the Elavon Terminal Service number posted on the side of your credit card machine (1-800-725-1245, option 1) and have them try to resolve the issue. At the same time, Elavon will create a service ticket. If they determine that your unit needs to be replaced, call the UF Credit Card Coordinator at 392-9057 to get a quote and to order a replacement machine.
What Should I Do If I Am Compromised?
Contact the Privacy Office as well as Treasury Management.
The University Privacy Office is located in Tigert Hall, room G-24. Phone: 352-273-1212. Toll-free (Hot-line): 866-876-HIPA. E-mail: privacy@ufl.edu
Treasury Management is located in Criser Hall, room S-113. Phone: 352-392-9057. Email: tmhelp@admin.ufl.edu
Is it OK to Process Credit Card Payments on Behalf of a Customer on My Work Computer?
Agents of the University are no longer allowed to process credit card transactions on University-owned devices on behalf of customers. The customer must make the online payment using their own device.
Who Should I Contact to Learn More About PCI Compliance at UF?
Contact: Treasury Management or specifically: Renato Squindo, Credit Card Coordinator at 273-0491
Who Is Required to Complete Annual Credit Card Security Training?
Annual training is required for personnel processing credit cards in one of the following categories:
  • Has access to cardholder data
  • Fiscal officer of account in which credit card payments are credited and/or their delegate
  • Handles credit card payments as part of their regular job duties.
How Do I Get Approval to Begin Accepting Credit Card Payments or to Begin Using a New Credit Card Processing Method?
Contact: Treasury Management or specifically: Renato Squindo, Credit Card Coordinator at 273-0491
How do I process a refund to an eCommerce transaction (IPAY)?
Download form FA-TM-ECCR and send it completed and signed to Treasury Management’s credit card area for processing.
What Is the Payment Card Industry Data Security Standard (PCI DSS) and to Whom Does It Apply?
PCI DSS is the result of a collaboration of the major credit card associations to establish a single data security standard designed to protect sensitive cardholder information. Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.
Where Can I Find the PCI Data Security Standards (PCI DSS)?
PCI DSS requirements are defined by the Payment Card Industry Security Standards Council (PCI SSC). Visit the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml or request a copy by emailing pcpci@ufl.edu.
What is meant by ‘cardholder data’? What credit card information can I store?
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. When required for business purposes, the following information may be stored:
  • Primary Account Number (PAN)
  • Cardholder Name*
  • Service Code*
  • Expiration Date*
*Any of these elements being stored in conjunction with the primary account number must be protected in accordance with PCI DSS requirements.
The following information may never be stored subsequent to authorization:
  • Full Magnetic Stripe
  • Card Validation Code (CVC2/CVV2)
  • PIN/PIN Block
By Which Date Do the PCI SAQ and Training Requirements Have to Be Completed?
Treasury Management notifies all merchant locations in September to complete the annual Self-Assessment Questionnaire and training requirement by early November.
If I Only Accept Credit Cards Over the Phone, Does PCI Still Apply to Me?
Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements. That includes the acceptance of credit card information over the phone. You must ensure that cardholder data will not be allowed to be recorded and/or stored on voice mailboxes, and that no voice mailboxes are allocated to users’/departments’ telephone lines (VoIP or analog) through which cardholder data is verbally accepted.
Do Departments or Units Using Third-Party Processors Have to Be PCI Compliant?
Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
What Are the Penalties for Noncompliance?
The payment brands may fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore,
  • Non-compliance can result in fines and remedial efforts that could easily exceed $1 million. Costs include fines, forensic exams, cardholder notifications, setup of a call center, credit monitoring and more costly compliance requirements. The costs would be the responsibility of the merchant.
  • Fraud and identity theft are a risk to customers (students, faculty/staff and general public) if a department is non-compliant.
  • Breach of cardholder information can result in negative publicity and damage to UF's reputation.
  • The bank will also most likely either terminate your relationship or increase transaction fees.
What is Vulnerability Scanning and Do I Need It to Validate Compliance?
If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.