Point of Sale (POS) marks the location of the transaction. The customer will come to your place of business in person to make a purchase. The customer’s credit card will be physically swiped or dipped into a terminal. An example of this type of transaction is making a purchase in person at a retail store and checking out using your credit card. Please note that a percentage of point of sale transactions can be accepted over the phone or by mail order. Due to data security issues, mail order transactions are discouraged.

  1. Choose a POS Terminal

    Two types of terminals are in use at OSU. The primary type of terminal relies on an analog dial-up phone line. The second type of terminal connects via a cellular wireless connection.

    The dial-up POS terminal relies on a dial-up phone line to make transactions. The merchant is responsible for having the phone line set up by Telecom before it can be used. In rare cases where dial-up is not an option, Ethernet connections are allowed. If your merchant will use an analog dial-up phone line, order the Verifone VX520 terminal.

    The cellular wireless terminal is optimal for businesses that need to move the payment location around, for example for special events. It makes its transactions through a cellular connection and functions anywhere with enough cellphone service. The terminal is more expensive than its dial-up alternative and carries a monthly fee. If your merchant will use a cellular wireless connection, order the Ingenico iWL250G with Comm Base terminal.

    For more detailed information on terminal options and pricing, please refer to the Terminal & Software Pricing document.

  2. Order the POS terminal and submit the MID Application

    The next step of the process is to fill out Sections A and B of the New Merchant Credit Card Processing Application (MID Application).

    From the date the New Merchant Credit Card Processing Application is submitted, it will be 4-6 weeks until payments can be taken from customers. Below you can see the steps the application has to go through before you can start to take payments.

  3. In the meantime

    If an analog dial-up phone jack will need to be installed, work with Telecom so the jack is in place and operational when the POS terminal arrives.

    Please review the Oregon State Treasury Best Practices Training Presentation. This document gives you a good understanding about accepting credit cards and what to look out for.

    Develop policies and procedures for credit card acceptance, using the PCI DSS Questions and Expected Testing in SAQ B. These policies and procedures will be submitted as evidence with your yearly PCI DSS SAQ document.

    If any cardholder data will be written down, purchase a cross-cut or micro-cut shredder for disposal of cardholder data. A locked shredding bin is not sufficient. If you are unsure what to purchase, here is a suggestion.

  4. PCI DSS Responsibilities after receiving the POS Terminal

    Once you are doing business with the POS Terminal, you are responsible for continuously assessing your operations and fixing any vulnerability which could potentially cause a credit card data breach. This is part of the PCI compliance requirements.

    The list of PCI DSS SAQ B requirements can be found in the SAQ document (SAQ B for dial-up and cellular wireless terminals, SAQ B-IP for Ethernet connections). You are responsible for ongoing compliance with all of these requirements. Some of these requirements are:

    • Daily inspection of POS devices for tampering. Click here for best practices.
    • Create and maintain an inventory of POS devices. Include device type (POS), brand, model, serial number, location of device (including room number), jack number, and IP address (if applicable). This will be submitted as evidence with your yearly PCI DSS SAQ document.
    • Do not accept credit card numbers sent via end-user messaging technologies, such as email. If you receive a credit card number via email, let the customer know you cannot accept the order that way and offer an alternative. Then, delete the email, delete the email from your deleted items folder, and contact CN to delete the email from the server.
    • Do not store cardholder data, either on paper or electronically.
    • Shred any written cardholder data using a cross-cut or micro-cut shredder.
    • Do not leave device passwords in plain sight.
    • Provide training for new employees before they use the POS device and provide annual training for all employees who use the POS device. This requirement can be met by watching the PCI Awareness Training online or by attending the annual PCI Overview Training in person.
    • Attend annual OSU-wide PCI DSS training.
    • Maintain and update policies and procedures related to PCI DSS SAQ compliance. These will be submitted as evidence with your yearly PCI DSS SAQ document.
    • Complete SAQ B or B-IP annually, including Expected Testing and submission of supporting documents, as evidence of PCI DSS compliance. Links and descriptions of the SAQs can be found here.

    For more information on what you have to do throughout the year to stay PCI compliant, please visit the PCI Compliance for OSU Credit Card Merchants website.

Point of Sale Frequently Asked Questions:

Q1. Who answers questions about your Point of Sale transactions (products, orders, payments, credit card transactions, refunds)?

  • You, as the merchant, are responsible for answering all questions coming from the customer. If you cannot answer the question or if there is a technical issue, eCommerce Support can assist with troubleshooting.

Q2. Who makes the merchant’s deposits?

  • You, as the merchant, are responsible for submitting your deposits to the cashiers.

Q3. Will there be potential downtimes?

  • Other than during year end close, point of sale terminals do not typically have downtimes except in the event of a power outage.