Financial Services Operations

New Merchant Request

Breadcrumb

New Merchant Request

This page outlines the detailed requirements in order to accept payment card transactions. It is to be used to assist departments with gathering information to make the request to Financial Services and the Commerce Committee for new merchants.

As each situation is different; this is a guide only. Financial Services will assist departments in coordinating with vendors on the requirements.

University Policy on Accepting and Handling Payment Cards to Conduct University Business

It is important for the department to review this policy before beginning this process.

View Policy

Requestor Gathered Documentation

Requestor (Department) must gather documentation to provide to the Commerce Committee.

  • Copy of Contract/Agreement with Vendor.
  • PCI DSS Attestation of Compliance (AOC).
  • Complete Network Diagram, to include card payment process flow(s).

Authorized Vendors

Brown University has contracted with several Third Party Service Providers (TPSP) vendors to assist in the engagement of payment cards activity. The authorized TPSPs meet the University’s requirements for security compliance and centrally controlled financial settlement of payment card transactions, while at the same time acknowledging the diverse needs of the individual departments. 

Determine if your request falls within the preferred authorized vendors

The following questions identify if your request falls within the preferred authorized vendors. Requests that do not must offer evidence that that such TPSPs cannot meet the business needs of the department, and that an alternative TPSP meets University requirements for security and for integrating transaction information into Brown’s financial system.  The Commerce Committee shall have the authority to decide whether or not to approve the department’s request.

  • Brown University has contracted with Heartland Payment Systems and FiServ as the primary third-party payment card payment processors/acquirers to facilitate the financial authorization and settlement of all payment card transactions.
  • If the vendor does not process credit card payments via Heartland or FiServ, Financial Services requires additional information and documentation:
    • Which acquirer/card processor does the vendor work with?
    • Contact information for the card processor.
    • Is a contract required?  Note: Contracts for acquirers/card processors are held by Financial Services.
    • PCI DSS Attestation of Compliance (AOC) for the credit card processor.
    • What fees will be charged?
    • Document detailing how the requestor will support this from a systems and implementation perspective, in addition to financial transactions and reconciliation. NOTE: All acquirers/card processors are considered a level 3 security risk. If the preferred vendor, Heartland, is not being used, and any additional contract is required, the department should be aware of the additional time necessary for security and contract review. 
  • For in-person payments, all card payment devices and solutions must be listed as a PCI Council validated Point-to Point Encrypted (P2PE) product and solution. 
    • Please provide the detail on the devices recommended by the vendor for in person payments. Financial Services will review and confirm if the devices are Validated P2PE.
  • For online payments, all online storefronts must connect to the TouchNet Payment Gateway for processing of payment card information. 
    • Is the vendor a TouchNet Ready Partner?    
      • Yes - If the vendor is a TouchNet Ready Partner, Financial Services will initiate a contract addendum (as part of the project) with TouchNet to add this partner.  Please note that there will be an implementation fee (@$1250) and an annual hosting/access fee (@$1500) charged to the department for this service.
      • No - additional information is required.
      • Which gateway services does the vendor work with?
      • Contact information for the gateway service.
      • Is a contract required? Note: Contracts for card gateway services are held by Financial Services.
      • What fees will be charged?
      • PCI DSS Attestation of Compliance (AOC) for the gateway service provider.
      • Document detailing how the requestor will support this from a systems and implementation perspective, in addition to financial transactions and reconciliation. NOTE: All credit card gateways are considered a level 3 security risk. If the preferred vendor, Heartland, is not being used, and any additional contract is required, the department should be aware of the additional time necessary for security and contract review. 

Commerce Committee Review

Once all information has been received by Financial Services, the Assistant VP Financial Services will bring the request to the Commerce Committee for review. The Commerce Committee may have follow-up questions or request additional information. The Commerce Committee has the authority to decide whether or not to approve the department’s request. 

Contract and Security Review

Financial Services and Commerce Committee review must be completed prior to the contract and security review processes. 

Project Checklist

Once a project is approved, Financial Services will coordinate with the department, and the project manager (if applicable).  

Example of a Project Checklist