Payment Card Setup and Acceptance
To accept payment cards from customers, departments at The Ohio State University need to set up a merchant account with the Treasurer's Office. The department will first need to determine the method of acceptance. Pre-approved processing methods are payment card terminal, cellular terminal, and online processing that is redirected to an approved third party service provider.
- In-Person payments (Card Present) – Departments will purchase a terminal to process customers’ payments at OSU’s place of business. These methods are pre-approved.
- Online payments (CNP, Card Not Present) redirected to approved third party service provider - Departments will set up a website to collect payments online. Ohio State policy requires merchants to use an approved third party service provider to process online payments. (Please see PCI Compliance.) An example of a third party provider is Cybersource and the approved e-commerce method is Cybersource’s Web Mobile Pay Secure Acceptance. The implementation must be an I-Frame implementation. This method is pre-approved.
- Other methods must be reviewed and approved by Ohio State's PCI Committee and/or QSA, Qualified Security Assessor - Departments that want to use a POS, point of sale software system, or transmit, process, or store payments on Ohio State's network will need to contact the Treasurer’s Office to determine the review and approval process.
Set up Time
Please allow fifteen (15) business days to set up a merchant account. If your department is also designing a web page with online payment processing, please contact your web designer and IT department for further information.
PCI, Payment Card Industry, Compliance
The payment card industry formed a Council called the Payment Card Industry (PCI) Council which includes Visa, MasterCard, American Express, and Discover. The PCI Council developed Data Security Standards (DSS) to assure consumers payment cards are secure. Merchants accepting payment cards are required to comply with these standards. For more information, please refer to the university's Payment Card Compliance Policy or contact the Treasurer’s Office.
Two (2) Important Daily Processes
- Authorizing the charge – when a merchant accepts a customer’s payment card, swiping the card is a request to our processor to determine if the card can be charged.
- Settlement or “Batching out” – at the end of the business day, a merchant will settle the authorized transactions. This process is called batching out. The transactions are sent in a batch to the processor who will request customers’ charges be sent to our OSU bank account. A department can also program the terminal to “auto-settle” at the end of a business day.
Auto Journal Posting
The Treasurer’s Office will establish an automatic journal process for payment card deposits and fees. Departments can reconcile their accounts by accessing the PeopleSoft system to run a report of their transactions.
Daily, or at a minimum, monthly reconciliation must be completed. Merchant transactions must be reconciled to Ohio State’s bank account using the General Ledger/PeopleSoft and your merchant statements. Monthly statements are provided by email.
To order a Buck ID terminal, contact David Anthony at 614-292-7240 or email@example.com.
Online Payment Card Processing
OSU departments that would like to accept payment cards online will need to select an approved third party vendor/service provider. The service provider, the product selected, and the implementation must meet the following requirements:
- Service Provider is PCI, Payment Card Industry, compliant - see list of compliant service providers
- Contract – service provider must sign a contract accepting responsibility for our customers’ payment card data per PCI regulation 12.8.2.
- Use Secure Acceptance Web Mobile Pay configured for an I Frame implementation – this product redirects our customers from Ohio State's web page to the service provider’s site. Ohio State’s customers “transmit, process and store” all cardholder data on the service provider’s site. This limits the PCI data security requirements that must be met by Ohio State merchants as no cardholder data is handled by university personnel and no cardholder data is on the Ohio State network.
- Customers only are permitted to enter the cardholder data – Ohio State personnel are not permitted to enter a customer’s cardholder data online. The cardholder data must be entered online by customers on their computer. Ohio State personnel should not have access to the cardholder data and not enter it on a university network or device on behalf of the customer.
Cybersource is a service provider that meets the requirements listed above. Cybersource provides a Web Mobile Pay product and has signed OSU’s “PCI Agreement with Third Party Vendor”. If you would like more information about their pricing, please call the Treasurer’s Office (614-292-6261).
Policy and Requirements document
Terminal Inspection Form
The Ohio State Information Security Control Requirements (ISCR) require devices with S4 (Restricted) institutional data to be destroyed or shredded by an approved vendor. Please contact one of the vendors listed below to properly destroy your old payment card terminal.
Royal Document Destruction - 614-751-9731
Shred It - 614-231-7470