Accepting Credit Card Payments via eCommerce (Internet)
The preferred e-Commerce implementation is through the University web payment gateway (IPAY), together with CASHNet’s eMarket storefront or checkout. The department is responsible for developing an interface to the IPAY gateway based on standards specified by the UFIT liaison of the E-Commerce Committee. Any exception to this practice must be approved by the University Controller’s Office.
Reason for Directive
Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ payment card data and attest compliance with the Payment Card Industry Data Security Standards (PCI DSS). Also, an appropriate integration with the University’s financial and other systems needs to be ensured.
Who Must Comply?
All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.
The process to set up an e-Commerce account takes approximately 1-2 months.
Contact Payment Card Operations (PCO) to discuss the needs of the department/unit and, if needed, to select a service provider that is both University and PCI approved.
View service providers at https://usa.visa.com/splisting/splistingindex.html.
Setting up an e-Commerce Account
After all prerequisites have been completed:
- Complete and sign the eCommerce Application
- Submit the completed forms to Treasury Management, Payment Card Operations (PCO), S-113 Criser Hall, PO Box 112008, or by email to Treasuryfirstname.lastname@example.org
- PCO will forward the application package to the E-Commerce Committee for pre-approvals (details below)
- The application will be sent to the University Controller’s Office for final review and approval
- PCO will:
- Notify the merchant department
- Confirm the appropriate ChartFields to be credited for sale proceeds
- Issue a unique merchant ID or e-Commerce identifier
E-Commerce Committee Review and Approval
The E-Commerce Committee reviews all applications involving credit card sales over the Internet. The Committee may include representatives from Finance and Accounting, Auxiliary Accounting and Educational Business Activities Enterprise Review Committee, the webmaster, UFIT, and UFIT Security.
Applications are reviewed for:
- Intended business purpose
- Consistency with the University’s mission
- Selling department’s ability to support an e-commerce activity
- Adherence to the PCI DSS
If an exception to an IPAY or CASHNet implementation is requested, the merchant must provide proof that the alternate e-Commerce vendor is certified PCI-compliant and ensure that the department and its vendor comply with all relevant provisions of the University of Florida Information Technology Directives, Security Policy, and the UF Standards on Credit Cards.
Third-Party Service Providers
All third-party service providers under contract with the University of Florida must be PCI DSS compliant. Departments who contract with third-party service providers must maintain a list that documents their service providers and:
- Ensures UF contracts/agreements with such providers include language stating that the service provider/third-party vendor is PCI compliant and will protect all cardholder data.
This also applies if the merchants’ e-Commerce website does not receive cardholder data but controls how consumers/their cardholder data are redirected to a PDI DSS validated third-party payment processor
- Confirms annually the PCI compliance status of all service providers and third-party vendors. A lapse in PCI compliance may result in the termination of the relationship
Approval of Implementation Changes
Any significant changes to current processes planned by currently active e-Commerce merchants must be reviewed and approved by the E-Commerce Committee prior to implementation. Such changes include (but are not limited to):
- Departmental website
- Products or services for sale
- Intended customer base
- Anticipated transaction volume
- Outside advertising
- Application software
- Departmental contacts responsible for the e-Commerce business plan
Proposed changes should be submitted to PCO for review by the University Controller’s Office.
Merchant Fees for e-Commerce
Please contact your applicable third-party provider involved with your e-Commerce implementation to inquire about set up, transaction, and any other recurring fees.
Publicly Accessible Computers
- Direct your customers to any UF computer or kiosk for payment processing
- Allow students, guardians or customers to enter their credit card information on any UF-owned device (computer, tablet, laptop, etc.)
It is perfectly acceptable/encouraged for students and customers to make online payments from their personal devices.
Payment Card Industry Data Security Standards (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data. [Back to Top]
01/31/2021: reviewed content
TRM125 – Payment Card Security Awareness Training
Treasury Management/Payment Card Operations: (352) 392-9057