
Payment Card Processing Rules

It is very important that all credit card information be safeguarded. Safeguarding credit card information is vital to ensure compliance with Payment Card Industry Data Security Standards (PCI DSS). All departments that collect credit card payments must ensure all staff members adhere to these standards.

Currently the University accepts MasterCard, Visa, Discover, & American Express for departmental charges.

Before a department may accept credit card payment transactions for University-approved events, a merchant account must be established.

If you have any questions about this process, please contact the PCI Compliance Specialist at pci@odu.edu.

Forms & Procedures

Payment Card Industry Data Security Standards (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the PCI Security Standards Council to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers.

PCI DSS comprises a set of 12 requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional, and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

All employees of the University who are involved in the accepting, processing, or reconciling of payment card transactions are required to comply with all payment card security guidelines. For more information, please visit the PCI Security Standards Council website.

ODU Merchant Establishment Form

Before a department may accept credit card payment transactions for University-approved events or services, a merchant account must be established. To become a merchant, the collection of funds must be ongoing or at least annual, and the department must have the fiscal support to manage the payment card processing fees. To establish a merchant account, departments must complete an ODU Merchant Establishment Form to be reviewed and approved by the University Controller at least 30 days prior to the desired date the department will begin accepting card payments.

Please Note: This form must be signed by a Department Budget Unit Director.

ODU Merchant ID Request Form

Once a department's Merchant Establishment Form is approved by the University Controller, the department must then submit an ODU Merchant ID Request Form to be reviewed by the Financial Accounting Supervisor in the Office of Finance. This form provides the Financial Accounting Supervisor specific information about the merchant account so that an account number can be requested from the bank. All new merchant accounts are required to be set up with the University's current merchant services provider, Bank of America. The responsible party must adhere to the University policies and guidelines dealing with collection of credit card payments.

Please Note: This form must be signed by a Department Budget Unit Director.

PCI Training

All individuals in the merchant department that will be engaged in any aspect of the payment card processing, transmission, or storage must review the Payment Card Industry Training when hired or as job duties change, and annually thereafter. This training fulfills PCI Requirement 12.6 for general security awareness.

Please contact the PCI Compliance Specialist with any questions.

Payment Card Security and Confidentiality Agreement

All individuals in the merchant department that will be engaged in any aspect of the payment card processing, transmission, or storage must also complete and submit a Payment Card Security and Confidentiality Agreement when hired or as job duties change, and annually thereafter.

Please contact the PCI Compliance Specialist with any questions.

Please Note: This form must be signed by a supervisor.

TouchNet User Request Form

All merchant departments requiring a uStore must submit a TouchNet User Request Form to be approved by the Office of Finance. This form assists ITS in assigning individuals access to the department's TouchNet account. This form must be signed by a supervisor.

Please Note: Departments must check the boxes below "Marketplace Roles" to agree to notify ITS and the Office of Finance if the department is selling taxable items, if the department will be shipping the items, and/or if the request is a change request.

Reconciliation Reports/Revenue Deposits

All cashiering transactions performed by University offices must be processed through the Cashiering Office in the Office of Finance, even if the department posts transactions to Banner. Departments responsible for collecting money must adhere to all applicable state and University policies and procedures and are designated either off-line or on-line collection sites. Please see this link for departmental deposits to submit the reconciliation report/revenue deposits.

Self Assessment Questionnaire

At the end of every calendar year, PCI DSS requires the Office of Finance to collect Self-Assessment Questionnaires from each merchant on campus to submit to our current merchant services provider, Bank of America. The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools intended to assist merchants and service providers in reporting the results of their PCI DSS self-assessment.

The Office of Finance, with assistance from ITS, prepares and distributes SAQs to each merchant for their completion and validation. This form must be signed by a Department Budget Unit Director.

For more information, please visit the PCI Security Standards Council website.

Daily Use/Tamper Log

All merchant departments with payment card terminals are required to protect these devices and to physically inspect them for tampering or device substitution. A Daily Use/Tamper Log is used to record the periodic physical inspection of each device by department personnel. All merchant departments are also required to maintain an up-to-date list of their devices to include the make, model, location, and serial number of each device. This information should be verified to match the information on the device during physical inspection. As the Daily Use Log includes this information, it also serves as a current device list for the merchant department and fulfills PCI DSS Requirement 9.9.

Please contact the PCI Compliance Specialist with any questions about the Tamper/Daily Use Log.

Visitor Log

All merchant departments that have payment card terminals are required to keep a current Visitor Log with the terminal, which is used to maintain a physical audit trail of visitor activity to the facility where cardholder data is transmitted. Anytime a visitor accesses the payment card terminal, the visitor's name, organization, and the name of the personnel authorizing access to the terminal must be recorded on the log. This log fulfills PCI DSS Requirement 9.4.

Please contact the PCI Compliance Specialist with any questions about the Visitor Log.

PCI Compliance Requirements

All merchants currently accepting payment cards, whether online or in person, must adopt and utilize PCI Compliance Requirements distributed by the PCI Compliance Specialist in the Office of Finance. These requirements are specific to the type of Self-Assessment Questionnaire that your department completes every year and therefore must include all forms of accepting payment cardholder information per PCI DSS Requirement 12. PCI DSS Requirement 12.1 states that "all personnel should be aware of the sensitivity of data and their responsibilities for protecting it." The approved PCI Compliance Requirements must be reviewed by all personnel involved in handling payment card information for the merchant and must be kept readily available in the merchant department.

Please contact the PCI Compliance Specialist with any questions or to obtain a copy of PCI Compliance Requirements for your department.

Clover Role Designation Form

All Merchants that have employees that require access to their department's Clover Flex terminal must submit a Clover Role Designation Form. This form assists the PCI Compliance Specialist in assigning individuals access to the department's Clover Flex. This form must be signed by a supervisor.

Please Note: Departments must check the boxes below "Marketplace Roles" to agree to notify ITS and the Office of Finance if the department is selling taxable items, if the department will be shipping the items, and/or if the request is a change request.


