[ skip to content ]

More Information about this image

Interior renovations and upgrades were made to Rollins Hall.

Payment Card Processing Rules

It is very important that all credit card information be safeguarded. Safeguarding credit card information is vital to ensure compliance with Payment Card Industry Data Security Standards (PCI DSS). All departments that collect credit card payments must ensure all staff members adhere to these standards.

Currently the University accepts MasterCard, Visa, Discover, & American Express for departmental charges.

Before a department may accept credit card payment transactions for University-approved events, a merchant account must be established.

If you have any questions about this process, please contact the PCI Compliance Specialist at pci@odu.edu.

TouchNet is the platform used for online storefronts which accept electronic payment on behalf of Old Dominion University. Before a department may accept credit card payment transactions for University-approved events or services, a merchant account must be established. The forms required to initiate this process are listed below. Please review our TouchNet Best Practices Guide got guidance and assistance.

For more information on the TouchNet, please contact our PCI Compliance Specialist.

Setup Details & Required Forms for Credit Card Payments

ODU Merchant Establishment Form

Before any department may accept credit card payment transactions, a merchant account must be established. To do so, please submit a complete ODU Merchant Establishment Form at least 30 days prior to the desired date the department will begin accepting card payments.

Please Note: This form must be signed by a Department Budget Unit Director.

ODU Merchant ID Request Form

After a department has been approved as a merchant by the University Controller, the department must then submit an ODU Merchant ID Request Form to identify specific banking and account information about the merchant account so that an account number can be requested from the University's merchant services provider, Bank of America. University policies and guidelines apply to all merchant departments.

Please Note: This form must be signed by a Department Budget Unit Director.

TouchNet User Request Form

All merchant departments requiring an online uStore must submit a TouchNet User Request Form to be approved by the Office of Finance. This form must be signed by a supervisor.

Please Note: Departments must check the boxes below "Marketplace Roles" to agree to notify ITS and the Office of Finance if the department is selling taxable items, if the department will be shipping the items, and/or if the request is a change request.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the PCI Security Standards Council to enhance cardholder data security and provide baseline technical and operational requirements to protect account data. It was created by the PCI Security Standards Council (PCI SSC), which is comprised of the five major credit card brands (American Express, Discover, JCB International, Mastercard, and Visa). Old Dominion University is committed to these standards.

All employees of the University who are involved in the accepting, processing, or reconciling of payment card transactions are required to comply with all payment card security guidelines. For more information, please visit the PCI Security Standards Council website.

PCI Compliance Requirements

Old Dominion University merchants accept Mastercard, Visa, American Express, and Discover for departmental charges. All ODU employees accepting, processing, or reconciling online or in-person payment card payments from these major card companies must follow PCI Compliance Requirements as distributed by the Office of Finance PCI Compliance Specialist. All employees must complete the PCI Security and Confidentiality Agreement training before handling credit card data.

The requirements are specific and may vary per each merchant department. Merchant departments must work with our PCI Complaince Specialist to determine their specific compliance responsibilities. All employees within each department responsible for accepting online or in-person payment card paymentsmust complete and submit any additional required forms. The original forms are reviewed annually and must remain readily availabile within each merchant department.

Please contact the PCI Compliance Specialist with any questions or to obtain a copy of PCI Compliance Requirements for your department.

Who must comply with PCI DSS Standards?

  • Any organization that is processing credit or credit cards
  • Employees who handle payment card data in preson at the point of sale, through mail orders, telephone orders, or online via an e-commerce website
  • All employee(s) who receive or transmit cardholder data physically on a paper form or electronically on an e-commerce site
  • Employee(s) that utilize a system that processes or stores cardholder data
  • Employee(s) that use a device connected to other systems that process or store cardholder data

PCI Non-Compliance

The outcome of PCI non-compliance will severely impact the University and its Stakeholders. The incident will have the following result:

  1. If a breach occurs and the merchant or ODU is found to be non-compliant, the individual card brands can assess fines up to $500,000 per breach.
  2. ODU will be responsible for notifying all victims. And the card brands may require the University to pay card replacement costs or reimburse all fraudulent purchases.
  3. A forensic investigation may be required and conducted by a PCI-approved firm.
  4. The card brand may require ODU to validate as a Level 1 merchant, which brings increased assessment requirements and costs. In addition, the monthly fee per department will vary on the volume of transactions per year.
  5. The card brands can also remove ODU's ability to accept and process cards or charge higher processing fees.
  6. The reputational damage and loss of trust from customers who may not want to do business with the University again due to lack of security will devastate our industry.


The PCI DSS rules and regulations are mandatory for all merchants and employees with access to cardholder data. Therefore, compliance at Old Dominion University is compulsory and must be administered and adhered to daily. If a merchant or employee (s) violates the PCI DSS rules, the Controller's Office may terminate the department's merchant account.

Logs and Forms

ODU Visitor's Log

All merchant departments that have payment card terminals are required to keep a current Visitor Log with the terminal, which is used to maintain a physical audit trail of visitor activity to the facility where cardholder data is transmitted.

ODU Daily Use/Tamper Log

All merchant departments with payment card terminals are required to protect these devices and to physically inspect them for tampering or device substitution with this form.

Clover Role & Designation Form

All Merchants that have employees that require access to their department's Clover Flex terminal must submit this form, which assists the PCI Compliance Specialist in assigning individuals access to the department's Clover Flex. This form must be signed by a supervisor.

According to University Policy 3011, a Red Flag is a transaction that a reasonable person should suspect that they may be interacting with an individual using someone else's identity.

Some examples include:

  • Notifications & Warnings from Reporting Agenices
  • Suspicious Documents
  • Suspicious Personally Identifiable Information (PII)
  • Suspicious Covered Account Activity or Unusual Use of Account
  • Alerts from Others

If you notice any red flags, please complete a Suspicious Activities Report (SAR). This is a report of suspicious activity that arises when a University employee is confronted with a Red Flag. The report shall be in writing and must be forwarded to the Assistant Vice President for Finance/University Controller in the Office of Finance. The report shall specifically state the party or parties involved, the conduct creating the Red Flag, and the action or refusal to take action that was a result of the suspicious behavior.

University Policy 1002: Old Dominion University Code of Ethics University Policy 3011: Identity Theft Protection (Red Flag) Program

At the end of every calendar year, PCI DSS requires the Office of Finance to collect Self-Assessment Questionnaires (SAQs) from each merchant on campus. The SAQs may be found on the CampusGuard website.

Bank of America and CampusGuard representatives notifies the Office of Finance about SAQ specifics, due dates, and completion requirements. The PCI Compliance Specialist will be in touch with each merchant department with these specifics annually.

All cashiering transactions performed by University departments must be processed through the Cashiering Office in the Office of Finance. Departments responsible for collecting money must adhere to all applicable state and University policies and procedures.

Please visit our Departmental Deposit page for requirements and details on reconciliation reporting and revenue deposits.

Site Navigation

Experience Guaranteed

Enhance your college career by gaining relevant experience with the skills and knowledge needed for your future career. Discover our experiential learning opportunities.

Academic Days

Picture yourself in the classroom, speak with professors in your major, and meet current students.

Upcoming Events

From sports games to concerts and lectures, join the ODU community at a variety of campus events.