Texas A&M University facilitates the acceptance of credit cards and ACH (“web-checks”) for online payments. University Accounting Services in the Division of Finance and Business Services is the responsible unit for establishing and monitoring the university’s procedures for accepting payments online. E-commerce sites must use merchant accounts and payment gateway accounts approved, opened, and maintained by University Accounting Services (UAS).
Following the procedures on this page ensures consistency for our customers, compliance with state and university rules, and compatibility with our accounting system. For questions, please email marketplace@tamu.edu.
Click any of the links below to jump directly to the corresponding section on this page:
2021-22 E-commerce Platform Change
After a carefully considered RFP, Texas A&M University began the process of switching e-commerce platforms during the summer of 2021. The contract for the former platform—TouchNet—expires on July 31, 2022, which allows a period of transition for merchants to download reports and conduct refunds before access is permanently revoked. By spring break of 2022, almost all e-commerce sites already transitioned.
The new platform is provided by the company Flywire. The university also continues to support Payflow as an alternative when necessary, and systems already using Payflow need make no change.
Please note that state statutory requirements for fiscal controls mean the university cannot use payment service providers such as Stripe, PayPal, or Square.
We will update this page as new information comes available, but all e-commerce merchants should also be subscribed to the TAMU-EPAY@listserv.tamu.edu listserv mailing list to receive timely updates.
Definitions
Shopping Cart: An e-commerce interface for customers to select items or events for purchase.
Mall: A listing of distinct e-commerce stores, just like a physical mall.
Store: An e-commerce destination operated by a particular organizational unit. For instance, a site belonging to the University Accounting Services. This is comparable to a single store within a physical mall.
Product: The goods, services, or events that a customer pays for. Products need not be physical items. Workshop registrations, coffee mugs, and career fair booth rentals are all “products.”
Secure Payment Page: a system of conducting transactions in which the shopping cart and the page collecting card information are two different entities, the latter having a much higher level of security. The campus unit is responsible for monitoring the security of the online shopping cart (whether developed by a third party or internally), but security of the checkout page is the responsibility of the chosen payment processor.
Payment Gateway: The e-commerce payment engine which routes transactions from a shopping cart or Secure Payment Page to our card processor, J.P. Morgan Chase, for approvals.
PCI DSS: a term referring to a specific set of security requirements put forth by the Payment Card Industry Security Council. Every merchant and service provider in the transaction process is required to maintain compliance with the PCI security standards.
Cost
Accepting online payments comes with a cost for doing business. Departments are responsible for paying credit card fees charged by the credit card brands, payment gateway, and a small university per-transaction fee supporting e-commerce infrastructure. Please refer to the E-commerce Cost Guide for a breakdown of costs. Because the information therein contains pricing information for third party providers, it is considered Confidential and is not to be shared with non-university employees.
E-commerce Options
The Division of Finance and Business Services has established multiple paths for accepting online payments in a manner that has been deemed to be both secure and user-friendly. Using one of the established paths ensures you are compliant with the latest payment card industry security standards, that your revenue is posted to FAMIS in a timely manner, and that you can comply with segregation of duties and accountability for refunds.
All University departments conducting online payments are required to use one of the supported platforms (Flywire or Payflow) unless an exception to this requirement is requested and granted in accordance with the provisions in the Exceptions section found on this page.
Select from the links below for an e-commerce path:
- I need a turnkey e-commerce site: a Marketplace
- I use a commercial, 3 rd party website that offers integrations with a select list of Payment Gateways.
- I have a custom-coded shopping cart to tie into a Secure Payment Page.
- I need an exception from one of the established paths.
Marketplace
For branding purposes, our Flywire mall continues to be called the Texas A&M Marketplace. Marketplace is a turnkey e-commerce solution with a web-based, form driven interface that requires no IT knowledge to administer. It is entirely self-contained; you can link to it from your own website, but it is not designed to update an external system as sales occur. For that type of functionality, refer to one of the other two options on this page.
Organizational units must apply for a Marketplace store , even if they formerly had one on the TouchNet platform. As before, stores are limited to one per organizational unit (i.e. department, center, or office). We do not create stores for single events, programs, products, or professors.
Third Party Shopping Cart
Many, many companies offer systems to facilitate online sales. Frequently, they are built around a particular purpose—event registrations, continuing education class sign-ups, rec sports equipment rental—the list goes on and on. Often today, shopping carts are hosted in the cloud by the vendor, but in some cases they could be campus-hosted. PCI Compliance still applies and should be reviewed before signing a contract with a company offering a shopping cart solution.
Before adopting a shopping cart system created by a vendor, University entities must include specific contract language with the vendor regarding PCI-DSS security. Further, the vendor is required to provide security validation conforming to the requirements set forth by the PCI Security Standards Council. The contract terms and security documentation must be produced before use of the system for accepting payments, so we strongly advise not signing with a vendor until their PCI security compliance and compatibility with university card processing systems has been firmly established.
Please schedule a time to meet with our e-commerce team ( marketplace@tamu.edu) to discuss the list of supported payment gateways provided by the shopping cart vendor and a strategy to move you onto a new platform. You will be required to complete an online form to formalize your migration path.
The university’s preferred Secure Payment Page platform is Flywire. However, if your vendor has no plans to support Flywire, other viable options for payment gateways are PayPal Payflow Pro and Bluefin Payconex. FAMIS support is only available for Flywire and Payflow Pro at this time.
Common Payment Service Providers prohibited from use due to state statutory fiscal controls include Stripe, PayPal, Square, WePay.
Custom-Designed Shopping Cart
Although third party shopping carts are gaining in popularity, the university still operates a handful of custom-designed e-commerce sites, such as transcript sales, parking permits and citations, duplicate diploma orders, and others.
Points of consideration with a custom-designed shopping cart are PCI security compliance and choosing a payment gateway. For the latter, the recommended approach is using Flywire’s integration, however you should reach out to the e-commerce team ( marketplace@tamu.edu) to schedule a call or meeting to discuss the particulars of your system. You will be required to complete an online form to formalize your selection. FAMIS support is available today for Flywire and Payflow Pro.
In the past, some custom sites were allowed to share merchant accounts with other university stores, which diluted PCI responsibility. Going forward, we are adopting the practice of requiring each store to have their own credit card merchant account and report on their own PCI compliance annually. If your store does not have its own merchant account, the next step will be to complete a new merchant application.
Exceptions
Any requests for exceptions to the requirement of using one of the listed payment options must be submitted in writing and approved by the Associate Vice President and Controller. The written request for the exception must include:
- A summary of the reasons why the above systems will not fit departmental needs.
- A description of the alternate processes proposed for online payment.
- A risk assessment and cost-benefit analysis.
- A description of the security measures in place, including PCI-DSS documentation.