The PCI Committee recommends meeting and talking through your needs. Send an email to PCI@wm.edu and one of the committee members with schedule a conversation. In addition, you should familiarize yourself with the Payment Card Policy & Procedures and the specific departmental responsibilities. (top)

The software that my department uses has the ability to take credit cards. Can I start using it?

Typically no. There are several elements to taking credit cards that need to be reviewed or established: was the payment option reviewed and approved at time of purchase; does your department have a merchant account; does your department have Departmental Card Handling procedures established; have you attended PCI DSS training. Contact the PCI Committee to discuss further. (top)

What credit card solutions are available for use?

There are online solutions available as well as in person but it really depends on your department’s needs. TouchNet is an approved ecommerce solution enabling you to have an online “storefront” where you can sell approved merchandise, registrations, etc. It also has the capability to tie in with existing software systems (who are partnered with TouchNet) to collect payments.

Authorize.net is an approved payment gateway that can work with some software systems to collect payment.

In-person card payments can be accepted via an approved payment card terminal. (top)

Is there a standard credit card solution on campus?

TouchNet and Authorize.net are two standard/generic online solutions available today. For in-person payments, a payment card terminal can be procured, contact PCI@wm.edu. (top)

As a department, can we find our own solution?

We want to work collaboratively with any department in finding the best solution available but also one that is PCI DSS compliant, secure and adheres to the State of Virginia’s contractual terms. Financial Operations, Information Technology and Procurement must review and approve all payment card solutions. Please contact the PCI Committee at pci@wm.edu to start the conversation. (top)

Is the department responsible for paying any fees?

Yes. All merchants must pay the merchant fees assessed by the card brands (MasterCard/VISA, etc.). There may be other fees depending on the solution implemented. For example, to integrate TouchNet with a partnered solution, TouchNet charges an annual fee in addition to the merchant fees. In addition, some of the partnered solutions charge an annual fee as well. (top)

Can I recoup my merchant fees?

Like any business, the cost of running your services should cover the cost of goods/services plus overhead. However, you cannot charge one fee for checks and a different fee for credit cards. (top)

Do I need to charge sales tax?

Whether or not sales tax is charged is based on the merchandise being sold. All merchandise is reviewed for applicability of sales tax. (top)

What training is required?

All merchants (department personnel handling card payments) must attend annual Payment Card training as well as complete the annual IT Security Awareness training. (top)

Why do I have to attend training annually?

W&M has established the W&M Payment Card Policy and Procedures and associated training to ensure all payments are handled securely and to remain compliant with the Payment Card Industry Data Security Standards (PCI DSS). Annual retraining is required as new requirements may be introduced. (top)

What is an SAQ, Self-Assessment Questionnaire?

"The Self-Assessment Questionnaire is designed as a self-validation tool to assess security for cardholder data. It includes a series of yes-or-no questions for each applicable PCI Data Security Standard requirement,“ as defined by the PCI Security Standards council. (top)

As a department, will I have to complete the Self-Assessment Questionnaire (SAQ)?

PCI DSS requires each merchant to complete an SAQ. In addition, each W&M merchant is required to do so per our contract with First Data, our credit card processor. Until this year (2021), all merchant SAQs have been completed by one person. Moving forward, each merchant will now be required to complete the SAQ and submit to Financial Operations for review and signoff. It will then be submitted to First Data. SAQ training and completion will be provided to ensure you understand the questions and related processes. (top)

Why is each department required to have Departmental Card Handling procedures?

As a merchant you define how you will handle payment cards (within the boundaries of W&M’s policy) and in accordance to your business model. Having specific procedures ensures each member of your team know how you accept and process payment cards as it is essential to ensuring cardholder data is handled securely and properly. (top)

What kind of records/documents do I need to keep for audit purposes?

All merchants/departments are required to have specific Card Handling procedures and required logs that track training, visitors, equipment inspection, etc. as set forth in the W&M Payment Card Policy and Procedures. (top)

If I need to change how I process credit cards, who should I consult?

Business needs change and new software comes to market. If you need to change software that handles payment cards, please consult with the PCI Committee and IT. Any new procurement of software will need review and approval by Financial Operations, IT, and Procurement. If you no longer need to accept payment cards, contact the PCI Committee to discuss whether you need to close your merchant account. (top)

Do I need a refund policy?

Yes. All merchants are required to have a published refund policy. A refund policy that is clearly stated set the expectations for your customers on what will be refunded. In addition, it supports your case should a chargeback/dispute be received from the card brands. For all online purchases, customers should be required to acknowledge the return policy, if the software permits. (top)