Question: May I use a shopping cart system on my SPH website, or accept online payments as part of an event or course registration system?
Answer: It is against School of Public Health policy to accept or store credit card information (cardholder name, card number, expiration date, CCV) on SPH web servers. Instead, a third-party service such as Authorize.net must be used for monetary transactions.
Keep in mind that if any credit card information even passes through any University of Michigan server, that server needs to be maintained in compliance with PCI DSS v1.1 [1], which is very costly. PayPal PayFlow Pro service does not meet this specification. The bottom line is, if you use a third-party service, make sure that the address or URL of the web page where users enter their credit card information does not contain "umich.edu."
See Merchant Services on the U-M Treasurer's Office website for information on becoming a merchant.