Merchant Accounts

University Accounting Services (UAS) facilitates the ability for departments to accept credit cards as a form of payment. A merchant account, which is a type of banking account specifically for card processing, is required for anyone wishing to accept payments in person, over the phone, or by mail. Such accounts are also required for e-commerce, but the university has leeway in bundling multiple departments under a single merchant account.

The links below skip directly to the corresponding section on this page:

 

Definitions

Merchant Accounts: special bank accounts issued by a merchant processing bank (also called a credit card processor) that allow a business to accept credit, debit, gift, and other payment cards.  University departments or offices with such accounts are hereafter referred to as “Merchants.”

Merchant Level:  this classification is based on transaction volume. Merchants are ranked as level 1 through 4, with highest-volume merchants are Level 1. Security audit requirements become correspondingly higher with merchant level ranking. Most merchants at Texas A&M University are the lowest rank, Level 4.

PCI (or PCI DSS) Standards:   Payment Card Industry Data Security Standards are created by the Payment Card Industry Security Standards Council for the purpose of safeguarding sensitive cardholder data. The precise security measures required by a department will vary depending on how credit cards are accepted—in person, over the phone, or on the internet—but all are covered in the PCI DSS.

Merchant Fees: monthly fees assessed based on the merchant’s total monthly net credit card sales.

Security Responsibilities

Texas A&M University and the payment card industry take the safeguarding of cardholder data very seriously. Failure to comply with university and industry security regulations may result in the revocation of the department’s merchant account or, in the case of lost or stolen cardholder data, assessment of severe fines on the department by the bank. Departments are financially responsible for fines resulting from security breaches that originate from their systems.

Please refer to our separate page on PCI-DSS Security, which is a requirement for all merchants.

Cost of Doing Business

Merchants are charged fees for accepting cards as a form of payment, but anticipating those fees is difficult. We have written the white paper  Charges Related to Credit Cards to help you understand the fee structure and anticipate your costs. If you want a quick rule of thumb without reading the white paper, budget 2.5% of the sales amount to go toward card processing fees.

Likewise, we have written the white paper  Surcharges for Card Acceptance on whether or not you can charge a surcharge or convenience fee. In short, whenever possible you should build the cost of doing business into the price you charge, rather than tacking on a separate fee.

Procedures

Establishing New Merchant Accounts

Before applying for an account, contact University Accounting Services (UAS) to determine the best solution to your credit card transaction needs. Accounts must be in place before cards can be accepted. Accounts can be revoked for failure to comply with federal, state, university, card processor, or PCI-DSS rules.

When prompted, complete the  New Credit Card Merchant Application. As part of the application, the department is required to provide UAS with a FAMIS account number to which merchant fees will be recorded. UAS establishes the new merchant account through the credit card processor on your behalf. New merchant account activation typically takes 3 weeks from the time the form is received. As part of sign-up, merchants are also required to subscribe to the university’s “pci-merchants” listserv, which is the primary means of communicating merchant news.

If you plan on accepting cards in person or over the phone, it may be necessary to purchase card readers. Merchants can only use card readers approved by UAS. Depending on the equipment's placement, you may require work orders for networking or AC power accommodations.

For e-commerce, discuss your needs with UAS prior to requesting a merchant account. You may be able to be accommodated in an existing merchant account. Contact UAS at  (979) 845-8118 or  (979) 845-5209.

Refunding Card Transactions

Credit card refunds cannot be issued for more than the original transaction amount and can only be refunded on the card used for the original purchase.  In most cases refunds cannot be processed back to the originating card more than 180 days after the initial transaction.  In rare instances of refunds beyond 180 days, the merchant should first verify that the refund has not already been processed. If the refund has not already been processed, the merchant should submit a payment request to Financial Management Operations (FMO) Accounts Payable so that a check can be issued.

Card Processing, Daily Close out, and Deposit Procedures

Credit card sales should be recorded like any other sale. Customers should be given receipts verifying payment for purchases unless an exception is granted by the Associate Vice President and Controller.

To process sales for walk-in customers presenting an acceptable credit card, the card should be run through the credit card machine at the time of the sale to validate the account number. The credit card must be kept within the customer's sight and the CVV code must never be copied or stored. Deposits must be made on a daily basis by someone other than the individual who accepted the transaction payments. The credit card detail report or bill slips should be sent to UAS (at mail stop 6000) on a daily basis. This report should break down the Visa/MasterCard, Discover, and American Express totals. If the merchant has a countertop card reader (such as Verifone, Ingenico, or PAX), attach the tape to the iPayment credit card detail report. Merchants are responsible for reconciling credit card deposits to their FAMIS statements.

E-commerce transactions using university-approved payment gateways are automatically posted to the department’s designated FAMIS account. No iPayment deposit is necessary.

Disposal of Surplus or Nonfunctional Equipment

When a department no longer needs a particular device to swipe or read credit cards, that card-reader must be returned to UAS for disposal. 

Responsibilities

…Of Merchants

Merchant departments participating in the credit card program are responsible for complying with all rules and procedures issued by the university, UAS, and the PCI Data Security Standard, including periodic business review and completion of the annual PCI security self-assessment. Merchants will provide any reasonable assistance necessary to Texas A&M IT Security in the performance of periodic reviews of credit card-related computer or computer network security. This includes providing IP addresses and network configuration diagrams for use in scanning systems for vulnerabilities. Merchants are responsible for notifying law enforcement, Texas A&M IT Security ( if applicable), and UAS in the event of a suspected security breach.

…Of University Accounting Services

UAS is responsible for administering the Texas A&M University credit card program and for ensuring that participating departments are provided updates on all rules, procedures, and security standards. In addition UAS will coordinate with the merchant bank on the merchant’s behalf, including cases of a suspected security breach; distribute and coordinate the preparation of the annual PCI Self Assessment Questionnaire (SAQ) by each merchant; work closely with both the merchant and Texas A&M IT Security to ensure that all necessary security procedures are in place to ensure protection of sensitive credit card data; assess service charges to merchant department accounts for credit card transactions based on information supplied by Visa, MasterCard, Discover, and American Express. Monthly service charges differ for each card type. For more information on monthly service charges, please contact UAS.

…of Texas A&M IT Security

The Texas A&M IT Security team will perform vulnerability scans of PCI computer systems and will require configuration changes to eliminate vulnerabilities. This is both in preparation for and in addition to vendor scans required for PCI compliance. Vulnerabilities must be mitigated as soon as practical. To meet University security needs, the Texas A&M IT Security standards may be stricter than the PCI requirements. Texas A&M IT Security is responsible for approving the configuration of merchants' PCI computer systems.