Being a web merchant allows your customers to make purchases through your online storefront. There will be no face-to-face interaction. An example of this type of transaction is making a purchase online from an e-retailer like Amazon.com.

Accepting credit cards creates legal and financial risk for merchants. It also requires substantial compliance activities. Consider the risks and responsibilities associated with accepting credit cards before moving forward.

  1. uStore or uPay?

    OSU uses TouchNet Marketplace to offer web-based storefronts to OSU merchants. TouchNet provides two different storefront options: the uStore and the uPay site.

    uStore

    The uStore is the less technical of the two options. It can be set up completely in TouchNet and does not require a lot of technical knowledge. The e-commerce team is familiar with uStores and will be able to assist you whenever you need help.

    Examples of uStores currently in use at OSU can be found in the Oregon State University Marketplace.

    uPay Site

    A uPay site allows you to develop the storefront yourself or use third-party developers. This front-end website can then link to TouchNet's uPay site for secure payment processing. This option gives you a lot more customization options, but it is much more technical to implement. The e-commerce team will not be able to help you with third-party or campus-developed front ends for the uPay site.

    An example of a simple Drupal front end that ties into a uPay site can be found here. You will enter the uPay site and leave the Drupal front end once you click the "Click Here To Pay" button.

  2. Setting up a uStore or uPay Test site

    Please contact the eCommerce team to discuss the right option for you and request access to TouchNet.

    Every merchant on campus needs to acquire a merchant ID (MID). Your uStore or uPay site must be ready for production orders before a MID will be issued by the payment processor.

    Once you have access to TouchNet you will be provided with the necessary documentation to help you build a uStore or set up a uPay site. You will also have access to a testing environment which is to be used for the initial setup and testing of the uStore or uPay sites.

    If you are using a third party to host your front-end website for your uPay site, you need to submit a firewall opening request. TouchNet needs to open their firewall to the IP address used by the front-end web pages or web application so information can be passed back and forth between TouchNet and the front end. This needs to happen for both the Test and Production TouchNet instances. Information will not pass to and from your front end until this occurs. Standard processing time is 3 – 5 business days. Please submit this request through the TouchNet Firewall Exception webform.

    When you are ready to move your uStore or uPay site to TouchNet’s Production instance, you will re-create in Production the site you built in Test. Once you have built a working prototype of your web store in the TouchNet Production instance, you need to fill out a New Merchant Application. This form will ask you for links to your functional website.

    It is important to note that before the processor will approve the New Merchant Credit Card Processing Application, they will actually attempt a trial order. Before submitting the New Merchant Credit Card Processing Application, the Production site needs to be set up such that the underwriters can start the purchase process and get all the way to the payment screen. The links listed on the application for Return and Refund Policy, Privacy, Statement Delivery Methods and Time Frame, and Transaction Page must work and be the production links.

    From the date the New Merchant Credit Card Processing Application is submitted, it will be 4-6 weeks until payments can be taken from customers, assuming that everything goes smoothly. Below you can see the steps the application has to go through before you can start to take payments.

  3. In the meantime

    Please review the Oregon State Treasury Best Practices Training Presentation. This document gives you a good understanding about accepting credit cards and what to look out for.

    Develop policies and procedures for credit card acceptance, using the PCI DSS Questions and Expected Testing in SAQ A. These policies and procedures will be submitted as evidence with your yearly PCI DSS SAQ document.

    If any cardholder data will be written down, purchase a cross-cut or micro-cut shredder for disposal of cardholder data. A locked shredding bin is not sufficient. If you are unsure what to purchase, here is a suggestion.

  4. PCI DSS responsibilities after becoming a merchant

    Once you are doing business online, you are responsible for continuously assessing your operations and fixing any vulnerability which could potentially cause a credit card data breach. This is part of the PCI compliance requirements. For more information on what you have to do throughout the year to stay PCI compliant, please visit the PCI Compliance for OSU Credit Card Merchants website.

    The list of PCI DSS SAQ A requirements can be found in the SAQ A document. You are responsible for on-going compliance with all of these requirements. Some of these requirements are:

    • Only accept card-not-present eCommerce transactions.
    • Do not electronically store, process or transmit any cardholder data. This means you do not directly view or handle cardholder data. Under SAQ A, you cannot key cardholder data into a computer keyboard for the purchaser. All cardholder data is to be directly entered by the purchaser into a PCI DSS validated third-party service provider’s (i.e. TouchNet) payment page. Under SAQ A, the merchant cannot provide a computer to the consumer for making these purchases.
    • Do not accept credit card numbers sent via end-user messaging technologies, such as email. If you receive a credit card number via email, let the customer know you cannot accept the order that way and offer an alternative. Then, delete the email, delete the email from your deleted items folder, and contact CN to delete the email from the server.
    • Do not store cardholder data, either on paper or electronically. If you do happen to receive cardholder data by mistake, shred any written cardholder data using a cross-cut or micro-cut shredder. A locked shredding bin is not sufficient. If you are unsure what to purchase, here is a suggestion.
    • Provide PCI DSS training for new employees and provide annual training for all employees.
    • Attend annual OSU-wide PCI DSS training.
    • Maintain and update policies and procedures related to PCI DSS SAQ compliance. These will be submitted as evidence with your yearly PCI DSS SAQ document.
    • Complete SAQ A annually, including Expected Testing and submission of supporting documents, as evidence of PCI DSS compliance. Links and descriptions of the SAQs can be found here.

  5. Additional TouchNet merchant responsibilities

    TouchNet is affected by Banner downtimes. During Banner outages, TouchNet Marketplace uStore and uPay sites will function normally with the exception of general ledger (Banner) updates. For most uStores and uPay sites, TouchNet automatically performs a general ledger (Banner) update for each transaction. This will fail while Banner is down. This does not mean the transaction itself has failed. It means data could not be transferred to the general ledger system after the transaction was processed. You will need to monitor and resolve TouchNet G/L Exceptions for your merchant. You will not receive the funds related to these transactions until you repost the GL exceptions.


Web merchant Frequently Asked Questions:

Q1. Who answers questions about your Point of Sale transactions (products, orders, payments, credit card transactions, refunds)?

  • You, as the merchant, are responsible for answering all questions coming from the customer. If you cannot answer the question or if there is a technical issue, eCommerce Support can assist with troubleshooting.

Q2. Who makes the merchant’s deposits?

  • You, as the merchant, are responsible for submitting your deposits to the cashiers. TouchNet will automatically update Banner via a detail code that is set up as part of the New Merchant Credit Card Processing Application. If you are not using TouchNet, a settlement report should be printed from the application or the Merchant Connect website and sent on a daily basis along with a cash receipt record to the Cashiers Office for entry into Banner.

Q3. Who tests the Web Merchant site to make sure it works?

  • You, as the merchant, are responsible for testing that the site functions the way you intend. eCommerce Support tests the payment process to ensure the funds are deposited to the correct account.

Q4. How will I be trained?

Q5. Will there be potential downtimes?

  • Yes, occasionally the TouchNet application will be down for upgrades or OSU year-end close processing. You will be notified via the eCommerce listserv when downtime is scheduled.