Payment Card Processing Newsletter
NOVEMBER, 2022 ISSUE
University of Nebraska—Lincoln
PCI Compliance Team
The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.
Contact Information
Information Technology Services (ITS)
Chris Cashmere phone: 402 472-1423
Office of the Bursar
Jennifer Hellwege phone: 402-472-9003
Lisa Hilzer phone: 402-472-9004
Download the printable PDF version of this newsletter here.
Annual Training Requirements for Card Handling
All parties handling cardholder data must adhere to specific training requirements to be PCI DSS compliant. Since your department knows which individuals are involved with card processing, the monitoring of this training is the department’s responsibility.
Cash Handling Training
All personnel connected in any way with cash handling, including payment card transactions, must review Cash Handling Policies & Procedures on a regular basis. A review should occur at least annually and documentation of this review should be retained within the department. The Cash Handling Policies & Procedures are available at: https://bf.unl.edu/policies/cash-handling-0
Payment Card Data Security Training – PCI DSS V3.2 Requirement 12.6
All personnel involved with cardholder data need to annually complete card data security training. The course titled PCI Payment Card Data is available via the Bridge LMS training and development tile in Firefly, to satisfy this requirement.
To locate the course in Firefly - select the Bridge LMS tile in the Self Service section. Click the Search bar and search “PCI” to pull up the PCI Payment Card Data course (12 mins).
Device Tampering Training –PCI DSS V3.2 Requirement 9.9
All personnel connected in any way with cardholder data must be trained to protect devices that capture payment card data via direct physical interaction with the card. Personnel must be trained to be aware of attempted tampering or replacement of devices, and terminals must be periodically inspected to look for tampering or substitution. Part of protecting your devices is maintaining an up-to-date list of devices. The list should include: make/model of device, location of device, serial number or other unique identification number.
Two training resources we’ve found to be helpful are:
• PCI Security Standards Council - Skimming Prevention Best Practices for Merchants
• VISA - Protect Your Merchant Terminals from Illegal Tampering
Remember, departments must document who needs training and who has completed it.
Elavon & Authorize.net Status Pages
If you encounter a system issue with an Elavon or Authorize.net site, you may want to check the status of the site by checking the Status page. Status pages are used to communicate service availability, scheduled maintenance, and operation status. You may check the page itself or you may subscribe to updates via email by clicking on the “Subscribe” button in the top right corner of the page. This can be particularly helpful to developers and to know when site maintenance is scheduled.
Elavon - including Converge, Fusebox, Payments Insider
Please email Lisa Hilzer at lhilzer3@unl.edu with questions.
Payments Insider Common Uses
Statement - download the bank statement on the 1st, for a record of the previous month’s sales and fees activity. The statement will also tie to the monthly allocation of sales and fees done by the Bursar’s Office.
Sales Report - view & export sales by settled batches, including transaction level details. Note: it’s recommended to run the report for a shorter date range. It may take an extended time to run the report for the entire month.
Card Payment Convenience or Service Fee is Not Permitted
Departments accepting card payments must incorporate the cost of card processing into their overall pricing for goods/services. A convenience or service fee for card payment should not be charged on a website or itemized bill. Also, a discount for payment by other means is not permitted. Departments should incorporate the cost of accepting all payment options offered into the overall pricing of goods/services. The card processing fee charged by Elavon is generally between 2.5 - 3.5%. This fee policy is a UNL policy, which was adapted from regulations provided by Elavon, our card processor.
Please email Lisa Hilzer and Jennifer Hellwege with questions.
PCI Compliance Courtesy Calls Can Be Disregarded
Representatives from Elavon’s PCI Compliance Manager may call and offer to complete PCI compliance as a courtesy for new merchant accounts or merchants with annual compliance due. Please decline the offer as we handle PCI compliance within UNL.