Ë¿¹ÏÊÓƵ

Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of internet-facing environments of merchants and service providers. 

Security Metrics is the Approved Scanning Vendor used by the Curators of the University of Missouri. 

A chargeback is the return of funds to a customer, forcibly initiated by the issuing bank of the instrument used by a customer to settle a debt. Specifically, it is the reversal of a prior outbound transfer of funds from a consumer’s bank account, line of credit or credit card.  

To prevent chargebacks:  

• Obtain authorization for every transaction 
• Communicate return, refund and/or service cancellation policies 
• Void all incorrect sales receipts 
• Use fraud prevention tools 
• Inform customers about the status of their transactions, and any delays in delivery or service 
• Respond promptly if refund or cancellation is requested 

If you receive a chargeback pre-notification, you have a window of time to offer compelling information to prove the transaction was valid. If the dispute of the charge is valid, act promptly and let cardholders know of the impending credit.  

Please contact John Layman to determine if you are eligible to issue convenience fees and surcharges and what specific rules you would have to follow. As an alternative it might be better to determine all costs of doing business and add that total into your goods or services that you are selling. This is the best way to recoup those costs and it is a better customer friendly model.

To request a new credit card machine, please fill out the and email the form to John Layman. 

There is a possibility that you can "swap-out" your old machine. Please contact the JPMorgan Chase Merchant Support Desk at 888-886-8869 option 3, option 3 to request a swap out of the broken terminal. The swap out will cost $50. When they call the Support Desk, they will need to provide the serial number from the broken terminal and you will also need to know your merchant number. 

If your old machine can be swapped out, then a new machine will be shipped to you and upon receipt of it you will need to return the older swipe terminal model in the box provided. The box will also include a UPS Call Tag for pickup with instructions. The following items must be returned in order to complete the swap out process: Terminal, Power Cord, and Cables. A swap-out costs less than a regular machine order. 

If you are not able to swap-out your machine, then please mail the old machine to: Attn. John Layman, 118 University Hall, Columbia, MO 65211. 

Setting up a New Machine 

Most terminals are dial-up communication, but some are IP communication or wireless. The communication method for a new machine depends on which type you request.  

Loaner Machines 

If you do not have a merchant number but you have infrequent events or other occasional uses for a machine, then you can contact John Layman and arrange to have a terminal reserved and set up for your event.  

Please complete the Loaner Request Form (Archive). 

This is a PeopleSoft application that takes the end of day file from the card processor (First Data Merchant Services) and posts it to the general ledger (GL). If you have the invoice field turned on, then the ECC takes that information that was entered and uses the first two digits and places the revenue into the MO code and PS account associated with that 2-digit code. To request an update to the ECC please contact John Layman. 

Using MO Codes 

If your invoice function has been turned on and your ECC account codes have been established, then you need to enter a unique invoice number for the transaction. The invoice field consists of 10 characters. The account code is the first two digits of the invoice number and then the time of day entered twice as the other 8 digits. For example, account code 03 and the time of day was 12:37 pm, the invoice you would want to enter would be 0312371237. 

If the invoice function is not turned on, then a sequential number through the day for your batch will automatically populate the invoice. This number could help you with your reconciliation process. 

Per PCI DSS requirements, you are not allowed to store CAV2/CVC2/CVV2/CID code information electronically or in paper form. If you have current paper storage with the CVV code stored you need to remove the CVV. You cannot just mark it out with a "sharpie" but, if you marked out and then photocopy the marked-out original keeping the photocopy and cross-cut shred the original then you have successfully remediated your CVV2 paper storage problem.

To accept credit card payments, either from a physical store or a store on the Internet, you need to have a merchant account id assigned by an acquiring financial institution. An acquiring financial institution contracts with merchants to enable them to accept credit card transactions.  

To take credit card payments over the web using your browser and Transport Layer Security (TLS), you will need a merchant credit card account ("Merchant Account") that is specifically meant for Internet-based transactions.  

You may already have a merchant ID for handling your phone/fax orders, but a separate merchant is required to do e-commerce business. JPMorgan Chase Bank is the University's financial institution, so they assign the merchant account for internet applications. You must check with Information Security & Access Management (ISAM) and the Treasurer's Office before you purchase a new e-commerce system.  

The acquiring financial institution records the daily credit card sales for your merchant account and transfers that information to the University for posting to your PeopleSoft Financials General Ledger account. When implementation of your application is underway, the e-commerce team will ask you for the information that is needed to request a merchant account ID. 

All merchant reports are located within . 

Establish a New Retail Merchant 

Please complete our . Once the request is received by the Office of the Treasurer, it will be initiated for completion. If you need a TouchNet Marketplace merchant, please contact marketplace@umsystem.edu.   

The first step is to obtain the American Express merchant ID for your new retail merchant account. Once it has been established, the request is forwarded to our financial institution, JPMorgan Chase Bank, so that they can establish the Visa/MasterCard/Discover merchant ID and have the terminal set up and delivered to the department. 

Once the Visa/MasterCard/Discover merchant ID has been established, the PeopleSoft financials feed will be established so that the revenue and expenses are fed correctly into the general ledger for your merchant. 

Once the terminal arrives at your processing location, it should already be programmed (dial 9, auto batch close, etc.). You should just be able to plug it in (power and phone line if dialup) and it should work to your specific specifications. 

Update an Existing Retail Merchant 

Please complete our online . Once the request is received by the Office of the Treasurer, it will be initiated for completion. Once the update has been completed, the Treasurer’s Office will notify the department that originated the update request. 

The Payment Card Industry (PCI) Qualified Security Assessor (QSA) designation is conferred by the PCI Security Standards Council to those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of an Approved PCI Security and Auditing Firm, and will be performing PCI compliance assessments as they relate to the protection of credit card data. The term QSA may also be implied to identify an individual qualified to perform PCI compliance auditing and consulting. 

Security Metrics is the approved QSA company used by the Curators of the University of Missouri. 

In almost all cases, the refund should be processed back to the same card that was originally processed. In some cases, the card may have expired. If so, you will have to contact the customer to obtain the correct card information in order to process the refund. It is not a good idea to refund in cash or check. Without an offsetting credit, the card issuing bank has no evidence of a refund and may still pursue to have a chargeback reverse the sale. In this case, you run the risk of having two refunds processed. 

Ways to protect against staff issuing refunds that should not have been processed: 

• Credit card terminals can have a two-digit code added to the terminal download. Reporting can be done in ClientLine and sorted by the clerk number. The manager who runs the report will need to look for fraud patterns, refund with no sale, same card number receiving numerous credits. The report identifies refunds that may warrant further investigation. The merchant should be looking for things like a refund that was run to one card numerous times or at an unusual time. 
• ClientLine reporting: Login to Clientline - > Select "research" tab -> Run refunds with no sales report