January 2021 Newsletter

Payment Card Processing Newsletter

JANUARY, 2021 ISSUE

University of Nebraska—Lincoln
PCI Compliance Team

The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.

Contact Information
Information Technology Services (ITS)

Chris Cashmere                  phone: 402 472-1423

Office of the Bursar

Jennifer Hellwege               phone: 402-472-9003

Lisa Hilzer                          phone: 402-472-9004

Download the printable PDF version of this newsletter here.

Credit Card Processing RFP Coming in 2021

The University’s card processing contract falls under the State’s contract.  Their current contract is with Elavon, but the State will go out for bid on the contract again in 2021.  We do not have dates as of yet but will keep you posted as we learn more.

Merchant Meeting Planned for February

We will be scheduling a merchant meeting in February and plan to hold meetings on a regular basis going forward to discuss risks, concerns and other topics related to card processing.  Please look for more information to come.

Signatures on Card Receipts Optional

Several departments have asked about needing signatures for card transactions. Signatures have been required on receipts in the past and helped when dealing with disputes. Recently, regulations have changed allowing signatures to be optional. In most cases, signatures also no longer help with chargebacks.

If your department chooses to not obtain signatures, you can simply ignore the signature line on the receipt. We do still recommend you keep the merchant copy of the receipt for your department records. This change presents several benefits to departments including minimizing contact with the customer and speeding up the checkout process.

Terminal Replacement Deadline – April 2021

Per our previous newsletters, the Payment Card Industry (PCI) extended the expiration dates of card terminals with 3.x certification to April 2021 due to COVID-19. Terminals should have 4.X certification or higher as of this date. If you have not already done so, your terminals will need to be replaced in the coming months. Approximately 60% of the campus is already converted to the new terminals.

The exciting news with this change is the new terminals are set up with Safe-T which allows for encryption and tokenization of transactions. This eliminates the need for them to be connected via analog phone lines. You can now connect though a data port and still be PCI compliant. If your department has not purchased replacement terminals, you need to start planning for this. A terminal listing is attached with pricing and options. Please send your terminal purchase orders to Jordan Bergman by March 30th at:  jbergman4@unl.edu 

Once you have your new terminal(s) in place and operational:  Reach out to Elavon’s Premier Services at 800-725-1245 and ask them to walk you through removing the programming from your old terminal(s). This will ensure the terminal is no longer linked to your merchant account. Once this is complete, you can dispose of the terminal by sending it to Inventory.

Fraud Alert—Card Auth Testing Attack

We have recently seen two credit card authorization testing attacks at UNL which have been costly $$$ for the impacted merchants.  These testing attacks are an outside entity processing a large volume of card numbers through our e-Commerce systems in an attempt to validate card numbers.  These transactions cost us generally $.05-$.10/transaction and can add up quickly if not identified and resolved.  Nothing provides 100% assurance, but we recommend the following actions to prevent your site from being vulnerable to a similar attack:

  • Check with your developers and web service providers to be sure automated and/or rapid payment submission is not possible thru your site/merchant account.
  • Add captcha to the payment process or something similar to make sure the payment process cannot be automated or at least slow it down.
  • Implement authorization filters with payment service providers to limit hourly and daily transactions.
  • Check transaction activity often, probably daily, for excessive authorizations.
  • Make sure alerts from payment processors or service providers go to an active email or are forwarded to an email that is monitored.
  • Make sure merchant contact information with payment processors or service providers is up to date.

For assistance in reviewing your sites, please contact ITS Security at security@nebraska.edu

Promote Contactless Payments

Another way we can adapt during these changing times is to provide a contactless payment experience to our customers.  It makes paying safe, convenient and quick and can help navigate a new way of operating our business. Cash is no longer king when safeguarding the payment experience. 

Contactless cards, smart phones and smartwatches are all convenient and quick ways to pay while avoiding contact at the point of sale. The ability to accept contactless payments is an essential component of operating safely and minimizing the spread of germs, and your terminals are already capable of this functionality.  Some keys to success in contactless payments are:  1) Test the option to understand the customer experience, 2) Educate and train your staff and 3) Inform customers of the option with prominent signage -an option for signage can be found here.