Credit Cards and PCI Compliance

Visit Finance & Treasury

Credit Card Processing

The Treasurer’s Office is responsible for issuing credit card merchant accounts and overseeing policies and procedures regarding payment processing. All credit card processing arrangements require the approval of the Treasurer’s office. University approved vendors for credit card processing include Fiserv (Visa/MasterCard/Discover), American Express and CyberSource (online payment processing). Any relationship with other vendors must be approved by Cash Management. 

Arrow Payments

As of February 2020, the University’s PCI Compliance and credit card processing has been supported by Arrow Payments. 

Determining the Need for a Merchant Account

University schools and centers accept payments for a variety of services including registration and application fees, memberships, dues, sales, donations, meeting and conference fees, etc. In order to accept credit cards as a form of payment, schools and centers must obtain a merchant account through the Treasurer’s Office. 

Before applying for a merchant account, you should consider the following: 

  • Purpose of the account 
  • Anticipated dollar volume 
  • Average transaction amount 
  • How often transactions occur (year-round, during the school year, or limited occasions) 

For limited or one-time conferences, meetings, or events please contact Conference Services who can provide credit card acceptance services without the need to open an individual merchant account. 

Payment Card Industry (PCI) Compliance

The Payment Card Industry Security Standards Council (founded by VISA, Master Card, American Express, Discover and JCB International) has developed strict standards to protect cardholder data. Any University employee involved in processing credit card transactions must be familiar with these PCI standards, as well as the University’s policy on PCI compliance.  

One of the requirements to ensure PCI Compliance is the annual submission of an online Self-Assessment Questionnaire (SAQ). Once a merchant account is opened, log in credentials will be sent for the University’s online SAQ portal, VigiOne. Merchants are required to log in, complete the environment survey, and complete and update the controls on an annual basis or whenever merchant card processes change. Failure in compliance can result in suspension of merchant accounts as well as any fees resulting from non-compliance. 

To review the University’s policy on PCI compliance, see: 2006 Sales and Services – Credit Card Sales PCI Compliance. 

Obtaining a Merchant Account

It takes approximately four weeks for merchant account numbers to be assigned. To obtain a merchant account, complete the Merchant Account Request Form (MAR) and email it to support@upenncdm.freshdesk.com. 

Upon approval, the Treasurer’s Office will obtain merchant account numbers for the requested credit card types.  

Fees

There are transaction and service fees associated with processing credit cards as well as set-up and monthly fees for online merchant accounts. Merchants are responsible for these fees. 

For more information