Frequently Asked Questions

Jump to a section:

Policies and Compliance  |  Setting Up an Account  |
Managing the Account  |  Special Considerations for e-Commerce Accounts  |  Technical and User Problems  |  Reconciliation  |  Training  |   Merchant Account Requests via ServiceNow

 

Policies and Compliance



How do I stay compliant with PCI Data Security Standards and University policy?

We have provided this sample set of procedures as guidelines to help merchants comply with industry standards and University policy.

Merchants must also complete this Monthly PCI Data Security Standards Checklist.

Do departments or groups using Third Party Service Providers (TPSPs) need to be PCI compliant?

Yes. Merely using a third-party service provider does not exclude a Merchant from PCI compliance responsibilities.  It may cut down on risk exposure and reduce the effort needed to validate compliance but responsibility for PCI compliance cannot be “outsourced”.

Can we accept credit card information via email?

No. Columbia University strictly prohibits sending or receiving any credit card data via email.Please review the following document for more information: Sending Credit Card Info Over Email

What is a Third Party Service Provider (TPSP) for Merchants?

A Third Party Service Provider is a  business entity that is not a Card Brand (American Express, Visa, etc.) and is directly involved in the processing, storage or transmission of Cardholder Data (CHD), or that provides services that control or could impact the security of the CDE (Cardholder Data Environment).  (Examples include payment gateway providers, processor/acquirers, web hosting providers, mobile application providers, e-commerce payment providers, collection agencies, billing service providers).

May I use any Third Party Service Provider (TPSP) I choose for my Merchant Services?

No. Only TPSPs which have been thoroughly vetted through the Office of Procurement (and for PCI compliance by the Office of the Treasurer) may be used.

What can I do if I want to recommend a new TPSP for my Merchant Services which has not already been vetted by Procurement Services and the Office of the Treasurer?

First, identify that the TPSP is shown on one of the following registries as being PCI compliant (for smaller service providers which may not be listed here, you can request a valid certificate of compliance or some other evidence of PCI DSS compliance directly from the TPSP). Second, you must reach out to Central Purchasing to discuss the process for establishing a new provider. You must also identify to Central Purchasing that your request includes a credit card processing component. Learn more:  

Visa Global Registry of Service Providers

MasterCard Compliant Services Provider List

Where can we get help with 3rd party service provider /assessing credentials?

Please see question above for new providers. For existing providers, please contact creditcards@columbia.edu.

By which date must the annual PCI SAQ and PCI Training requirements be completed?

Security Awareness Questionnaires (SAQs) must be completed annually and are due in early June. It is the responsibility of the SBOs to complete & submit their SAQs in a timely manner. 

PCI Training must be completed before an individual handles credit card data, processes credit card transactions or has any access to the Cardholder Data Environment (CDE) and must continue to be completed on an annual basis, between  April 1 and May 31st  for as long as the individual has access to the CDE.

To top

 

Setting Up an Account



What is a Data Flow Diagram?

Columbia University Merchants must document and maintain a current diagram illustrating the CU Merchant’s Cardholder Data Environment (CDE). The diagram must include all data flows, POS devices, network devices, servers, computing devices, applications and any other component or device located within or connected to the Columbia University Merchant’s CDE and must be attached to Merchant Security Review Forms for validation by the CUIT-PCI Security Group. You should work with your IT Coordinator to create and maintain this document. 

Who must approve a new user access to the Merchant Environment?

The department SBO must approve the new user access via the Service Now workflow and then the credentials are set up through the Office of the Treasurer.

We would like to start accepting credit card payments in our department.  What do we need to do to get started? How do I open a new Merchant Account?

To accept payment by credit card for an event, please contact Columbia University EVENTS at: calendar-admin@columbia.edu

To accept payment by credit card for anything non-event related, please review the Merchant Questionnaire and Checklist for an overview of what is required to open and maintain a Merchant Account.  This document will guide you to have all the required information prior to initiating a request through the Service Now portal using the Merchant Account Request Form.

What if I want to update my Merchant Environment (i.e.: add a new Terminal ID (TID) number, change configuration, add a new service, etc.).

Complete the Merchant Security Review Form, located within the FORMS LIBRARY on the Finance Gateway and attach to a Service Request.  On the Form, under Section 1, User must check box for “EXISTING MERCHANT REVIEW” and provide a description of the update or new service they wish to add within the space provided. User must also provide all information under Section 2 and complete/provide all relevant information under Section 3. Finally, all names & signatures must be provided in Section 4.

How do we add the ability to accept American Express to our Merchant Account?

Complete the Merchant Security Review Form, located within the FORMS LIBRARY on the Finance Gateway and attach to a Service Request.  On the Form, under Section 1, User must check box for “EXISTING MERCHANT REVIEW” and provide a description of the update or new service they wish to add within the space provided. User must also provide all information under Section 2 and complete/provide all relevant information under Section 3. Finally, all names & signatures must be provided in Section 4.

Then within the Service Now Form, select “Update or Close Existing Merchant Account” (as the “Type of Request”), then check “Update your merchant environment (including adding a new service)” and attach the completed Merchant Security Review Form to the Service Request.

To top

 

Managing the Account



What is the difference between cancelling/voiding a charge and processing a refund?

You can cancel (or void) a charge after you have processed it and before it has been settled. Voiding a transaction makes it appear to the cardholder as if the transaction never happened.

To correct an error after the transaction has been processed and settled, you must process a refund. Please see the instructions below for your particular terminal for the steps to void/cancel a transaction or to process a refund.  Please also refer to your own internal policies/procedures for processing refunds.

We have a technical issue with our credit card terminal.  Who should we contact?

First, call the Elavon Terminal Service number posted on the side of your credit card machine (1-800-725-1245, option 1) and have them try to resolve the issue. At the same time Elavon will create a service ticket. If they determine that your terminal needs to be replaced, submit a request through ServiceNow to purchase or rent equipment. DO NOT PLACE THE ORDER DIRECTLY THROUGH ELAVON - ALL ORDERS MUST BE PLACED THROUGH TREASURY via the ServiceNow form.

To top

 

Special Considerations for e-Commerce Accounts



How do I get access to a test Converge or test CyberSource account?

Submit a request for a new TEST PAYMENT GATEWAY ACCOUNT via Service Now Form.

To top

 

Technical and User Problems



What can I do if I am locked out of Citrix, Converge or Cybersource?

First, identify which site you are locked out of by checking the URL of the page you are on. Then, do the following:

  • If you are locked out of CITRIX – please send an email to askcuit@columbia.edu for assistance.
  • If you are locked out of Converge/Virtual Merchant, You can reset your password online by answering a few security questions. If that does not solve the problem, please send a screenshot of your page in an email to creditcards@columbia.edu and advise that you have already reset your password and are still having difficulty.  
  • If you are locked out of one of Cybersource, please send a screenshot of your page in an email to creditcards@columbia.edu with a request for a password reset.

People are receiving an error when trying to pay through my website. What should I do?

If your site is hosted by Columbia, send a screenshot of the error message to the CUIT Service Desk for assistance. Please include in your problem report:

  • The name of the service you were trying to use.
  • The URL that gave the error message.
  • Any error messages that were displayed before being directed to this page.
  • Whether you have successfully accessed the service before.

If your site is not hosted by Columbia, check with the Provider who supports your website and or your local IT support.

 

If they are unable to diagnose or correct the problem, please forward the information to creditcards@columbia.edu for further assistance.

To top

 

Reconciliation



What tools are available for reconciling my Elavon or Virtual Merchant Accounts?

You may request access to the Merchant Connect online tool, where you can download statements, view transactions, fees and much more. To request access to online statements and transaction activity for all Elavon Merchant Accounts, complete only the highlighted section of the form Merchant Connect User Form and return it via the ServiceNow request “Modify Existing User Access”. You must note on the form the MID account numbers for which you need access. 

What tools are available for reconciling my Global Payments or CyberSource Merchant Accounts?

You may request access to the My Merchant Info online tool, where you can download statements, view transactions, fees and much more. To request access to online statements and transaction activity for all Global Payment Merchant Accounts, please submit a Service Now request to “Modify Existing User Access”. Please note on the form that you are requesting access to My Merchant Info and the MID account numbers for which you need access. 

How do I access my American Express Merchant Statements?

You must request access from the Office of the Treasurer by contacting creditcards@columbia.edu.

Watch the Demo on How to Access AMEX Statements

I have been accepting credit cards but I’m not seeing anything in my ARC account. What should I do?

If you have already reconciled your daily transaction receipts to your batch totals and online Merchant statement and you do not see any credits to your ARC account, please send an email to creditcards@columbia.edu.

To top

 

Training



How do I access the PCI Basics Course?

Please visit this webpage and login with your uni and password. 

How often must I complete the PCI Basics Course?

You must complete the course upon hire and prior to gaining access to the merchant environment and again  between May 1 – June 30 each year.

Who must complete the PCI Basics course?

All individuals with access to the Columbia University Merchant Cardholder Data Environment (CDE) must complete the PCI Basics course. 

How is a credit card transaction processed?

Read the steps on how credit card transactions are processed.

How can I learn more about FRAUD PREVENTION TRAINING?

This course will explore the basic relationships in the context of transaction processing and the activities that link cardholders, merchants, issuers, and acquirers.

Watch the course.

To top

 

Merchant Account Requests via ServiceNow

 

For ALL REQUEST TYPES:



Whom should I enter as the Department IT Coordinator UNI?

This should be whoever handles the technical aspects of your Merchant Environment:  

  • For “In-Person (card-present)” requests, this may be someone who setup the terminals or perhaps installed a phone-line for the terminals.
  • For “Over the Phone and/or by Mail (card-not-present)” requests, this should be whomever will be installing the Citrix software and applying required settings to the desktops of Authorized Users associated with the Merchant Environment.
  • For “Online/website, over the Internet (card-not-present)” requests, this should be whomever is responsible for developing and maintaining the Merchants website.

To top

For TEST PAYMENT GATEWAY ACCOUNTS:



When are Users required to request / open a TEST PAYMENT GATEWAY ACCOUNT?

Users are required to request / open a TEST PAYMENT GATEWAY ACCOUNT when they are planning to accept credit card payments online through a website where the cardholder enters their own credit card data.  Users must request and setup a TEST PAYMENT GATEWAY ACCOUNT, then configure the test gateway account to their website.  Testing should be completed within the test environment prior to requesting a new “Online/Website over the Internet (Card-Not-Present)” Merchant Account.

To top

For REQUESTS TO OPEN NEW MERCHANT ACCOUNTS:

 



Where can User find the MERCHANT SECURITY REVIEW FORM?

This FORM is located within the FORMS LIBRARY on the Finance Gateway.

User wants to open a new Merchant Account, but does not know which type of account to open.

Direct User to the “HOW DO I CHOOSE THE BEST METHOD?” section of the Merchant Manual.

I submitted my request but I need to make an update.

Must contact Treasury / creditcards@columbia.edu before they approve the request and ask for a ‘return for edit’.

What is required to open a new In-Person (card-present) Merchant Account?

Prior to logging into the Service Desk to submit your request, User must complete the each of the following, as they must be attached to the request.

REQUIRED ATTACHMENTS:

 

What is required to open a new Over the Phone and/or by Mail (card-not-present) Merchant Account?

Prior to logging into the Service Desk to submit your request, User must complete the each of the following, as they must be attached to the request.

REQUIRED ATTACHMENTS:

What is required to open a new Online/website, over the Internet (card-not-present) Merchant Account?

Prior to submitting a request for a new CU Merchant Account, User must login to the Service Desk and submit a request for a TEST PAYMENT GATEWAY ACCOUNT.

Once you have completed testing your TEST PAYMENT GATEWAY ACCOUNT  (#_SETTING_UP_A) with your website, prior to logging into the Service Desk to submit a request for a new CU Merchant Account, User must complete each of the following, as they must be attached the Service Request.

REQUIRED ATTACHMENTS:

 

Can the same person be listed for all Departmental Roles?

It is recommended that separate individuals fulfill each role, but if you don’t have the resources available, the ‘Merchant Account Coordinator’, ‘Financial Coordinator’ and ‘Authorized User’ may all be the same user, so long as they were not already listed as the Senior Business Officer or the IT Coordinator.

To top

For CURRENT MERCHANTS:



Where can User find the REQUEST TO UPDATE EXISTING ACCOUNT FORM?

This FORM is located within the FORMS LIBRARY on the Finance Gateway.

How do I update the Bank Account associated with our existing Merchant Account?

To make updates to an Elavon MID - User must complete sections (1) & (6) ONLY of the REQUEST TO UPDATE EXISTING ACCOUNT FORM found on the Finance Gateway.  Then attach form to Request, prior to Checkout.

To make updates to a Global Payments MID - User must complete sections (1) & (4) ONLY of the REQUEST TO UPDATE GPN ACCOUNT FORM found on the Finance Gateway.  Then attach form to Request, prior to Checkout.

How do I update the Tax ID associated with our existing Merchant Account?

To make updates to an Elavon MID - User must complete sections (1) & (2) ONLY of the REQUEST TO UPDATE EXISTING ACCOUNT FORM found on the Finance Gateway.  Then attach form to Request, prior to Checkout.

To make updates to a Global Payments MID - User must complete sections (1) & (5) ONLY of the REQUEST TO UPDATE GPN ACCOUNT FORM found on the Finance Gateway.  Then attach form to Request, prior to Checkout.

How do I update the Merchant DBA Name associated with my existing Merchant Account?

To make updates to an Elavon MID - User must complete sections (1) & (3) ONLY of the REQUEST TO UPDATE EXISTING ACCOUNT FORM found on the Finance Gateway.  Then attach form to Request, prior to Checkout.

To make updates to a Global Payments MID - User must complete sections (1) & (3) ONLY of the REQUEST TO UPDATE GPN ACCOUNT FORM found on the Finance Gateway.  Then attach form to Request, prior to Checkout.

How do I update the Contact Information for my existing Merchant Account?

To make updates to an Elavon MID - User must complete section (1) ONLY of the REQUEST TO UPDATE EXISTING ACCOUNT FORM found on the Finance Gateway.  Then attach form to Request, prior to Checkout.

To make updates to a Global Payments MID - User must complete sections (1) & (2) ONLY of the REQUEST TO UPDATE GPN ACCOUNT FORM found on the Finance Gateway.  Then attach form to Request, prior to Checkout.

We want to update our Merchant Environment (i.e.: configuration, add a new service, etc.).

User must complete the complete and attach the MERCHANT SECURITY REVIEW FORM, located within the FORMS LIBRARY on the Finance Gateway. On the FORM, under Section 1, User must check box for “EXISTING MERCHANT REVIEW” and provide a description of the update or new service they wish to add within the space provided.  User must also provide all information under Section 2. and complete/provide all relevant information under Section 3.  Finally, all names & signatures must be provided in Section 4.

User wants to replace or purchase/rent new processing equipment/swipe terminals for an existing MID.

Within the Service Now Form, the ‘Type of Request’ the User will select is “Update or Close Existing Merchant Account”, then check “Purchase or Rent Swipe Terminals” under next section and continue to complete all required fields.   No attached forms are necessary.

User wants to close an existing MID.

Within the Service Now Form, the ‘Type of Request’ the User will select is “Update or Close Existing Merchant Account”, then check “Close Existing Merchant Account” under next section and continue to complete all required fields.   No attached forms are necessary.

User wants to update the chartstring associated with an existing MID.

Within the Service Now Form, the ‘Type of Request’ the User will select is “Update or Close Existing Merchant Account”, then check “Update Chartstring for Existing MID” under next section and continue to complete all required fields.   No attached forms are necessary.

To top

For MAINTAINING USERS:

 



User wants to add new authorized access to an existing MID.

Within the Service Now Form, the ‘Type of Request’ the User will select is “User Maintenance”, then check “Add New User Access to Existing MID” under next section and continue to complete all required fields.   PCI Training Certificates are required and must be attached for all users.  Training can be accessed online.

(Note: some Users may see the ‘PCI Basics’ training under “Optional Courses”) After completing the training, users can download their certificates. 

User wants to modify the access of an existing user.

Within the Service Now Form, the ‘Type of Request’ the User will select is “User Maintenance”, then check “Modify Existing User Access” under next section and continue to complete all required fields. No attached forms are necessary.

User wants to disable access to an existing MID for either one or multiple users.

Within the Service Now Form, the ‘Type of Request’ the User will select is “User Maintenance”, then check “Disable Access for One or More Users” under next section and continue to complete all required fields. No attached forms are necessary with this type of request. 

To top