ADMINISTRATIVE PROCEDURE

Managing Payment Card Accounts

Introduction

Payment card processing involves the handling of protected private data. Policy states that proper controls must be implemented to protect the cardholder and the University. Acceptance of payment cards and management of a payment card account entails specific responsibilities and requirements on the part of the University community.

Managing Payment Card Accounts

Payment card accounts must be managed in a manner that maintains the security and integrity of cardholder data while remaining in compliance with the current version of PCI DSS. Important payment card account management activities can be classified by how frequently they occur. The activities listed below are the most common. Additional activities may be required based on the technology used; Accounts Receivable Services will communicate these to the Payment Card Manager.

Upon Account Setup:
  1. Department Head or HR staff requests background check for Payment Card Manager following Administrative Procedure: Conducting Background Checks and Verifications.
  2. Payment Card Manager requests background check for any other staff person with access to more than one payment card number at a time. This includes electronic and hard copy access.
  3. Payment Card Manager completes compliance forms and documents assigned by Accounts Receivable Services. These forms and documents may include, but are not limited to, the following:
  4. Payment Card Manager completes training assigned by Accounts Receivable Services.
  5. Designated financial staff completes the “Bank Card Reconciliation” online tutorial. This online course provides an overview of the process for reconciling point-of-sale bank card payments.
  6. Payment Card Manager provides for the training of all department employees with access to payment card information to ensure that they understand and follow departmental policy and processes as well as PCI DSS, University policy, and applicable laws.
Daily:

NOTE: These processes will vary depending on the acceptance method (e.g., swipe terminal, e-commerce).

  1. Customer presents payment card for payment.
  2. Accept payment card and process transaction.
  3. Confirm transaction is authorized.
  4. At the end of each day, “batch out” the account and transmit transactions to the bank. Depending on the process used, the batch process may occur automatically at a specific time each day or may need to occur manually.
  5. A summary of sales activity for each merchant account is automatically loaded into the Enterprise Financial System on a daily basis (the next day). The revenue will be recorded to the chartstring provided when the payment card account was set up.
  6. Designated departmental financial staff reconciles daily sales receipts from local records with the sales activity recorded in EFS. Discrepancies should be reported to Accounts Receivable Services.
  7. The acquiring bank (for Visa, MasterCard, and Discover) or card brand (American Express) will fund the transactions by making a deposit into the designated University bank account.
  8. Accounts Receivable Services reconciles the cash received vs. sales activity as recorded in EFS.
Monthly:
  1. Designated financial staff retrieves merchant statements from the acquiring bank and American Express.
  2. Designated financial staff reviews monthly statements and reconciles with activity in EFS.
  3. Designated financial staff reviews fees. Fees consist of payment gateway or equipment rental fees and payment card transaction fees. The amount of the transaction fee is influenced by the issuing bank, the type of payment card used, the amount of the transaction, as well as the overall perceived risk of the transaction. Transaction fees include:
    • Assessment fees - fee that goes directly to payment card companies
    • Discount fees - amount charged by issuing bank for processing qualifying daily payment card transactions
    • Per item fees - fixed fee assessed on each transaction

These fees accumulate for each payment card account and are charged to the responsible department on a monthly basis (one month in arrears) to the chartstring provided when the payment card account was set up.

Annually:
  1. Payment Card Manager reviews and updates compliance forms and documents assigned by Accounts Receivable Services. These forms and documents may include, but are not limited to, the following:
  2. Payment Card Managers complete training assigned by Accounts Receivable Services.
  3. Payment Card Manager provides for the training of all department employees with access to payment card information to ensure that they understand and follow departmental policy and processes as well as PCI DSS, University policy, and applicable laws.
As Needed/Periodically:
  1. Chargebacks: Cardholders have the right to dispute transactions that they claim were not authorized or were done in error. Once a transaction has been disputed, the cardholder’s bank will contact the payment card account and request verification that the transaction took place. The department has a limited number of days to provide documentation or the funds in question will be automatically withdrawn from the department’s account – see the card provider regulations for the specific timeframe. Once this happens, it cannot be reversed.
  2. Refunds: When an item or service is purchased using a payment card and a refund is necessary, the refund must be credited to the same account from which the purchase was made. Under no circumstances is it permissible to issue a refund with cash or a check. A refund must never exceed the original payment amount. To process a refund, follow the procedure appropriate to the technology used for processing (terminal, web, etc.). In addition, each department must make sure that it has a written or published refund policy.
  3. If issues of non-compliance are identified at any time, the department must work with Accounts Receivable Services to develop a remediation plan. The remediation plan is a detailed process delineating how an individual payment card account will address issues identified as being non-compliant with University policy, applicable law, or contractual obligations to the payment card industry. A remediation plan will include a description of the issues, a plan to fix the issues, and a timeframe for completion of the fixes.
  4. In the case of a suspected breach of payment card information, either electronic or hard copy, immediately e-mail abuse@umn.edu. See Administrative Procedure: Report Information Security Incidents.
  5. All new hires or reassignments involved in payment card processing complete the Employee Non-Disclosure Form (UM 1623).
