Payment card processing involves the handling of protected private data. Policy states that proper controls must be implemented to protect the cardholder and the University. Acceptance of payment cards and management of a payment card account entails specific responsibilities and requirements on the part of the University community.
Managing Payment Card Accounts
Payment card accounts must be managed in a manner that maintains security and integrity of cardholder data while complying with PCI DSS, University policy, state and federal laws, and contractual obligations. Activities can be classified by the frequency of their occurrence. These are the most common activities. Additional activities may be required based on the technology used. These will be communicated to the Payment Card Manager by Accounts Receivable Services.
Upon Account Setup:
- Department Head or HR staff requests a background check for Payment Card Manager following Administrative Procedure: Conducting Background Checks and Verifications.
- Payment Card Manager requests a background check for any other staff person with access to more than one payment card number at a time. This includes electronic and hard copy access.
- Payment Card Manager completes compliance forms and documents assigned by Accounts Receivable Services.
- Payment Card Manager completes security awareness training assigned by Accounts Receivable Services.
- Designated financial staff completes the “Bank Card Reconciliation” online tutorial. This online course provides an overview of the process for reconciling point-of-sale bank card payments.
- Payment Card Manager provides for the training of all department employees with access to payment card information to ensure they understand and follow departmental policy and processes as well as PCI DSS, University policy, and applicable laws.
NOTE: These processes will vary depending on the acceptance method (for example, swipe terminal, point-of-sale system, e-commerce).
- Customer presents payment card for payment.
- Accept payment card and process transaction.
- Confirm transaction is authorized.
- At the end of each day, “batch out” the account and transmit transactions to the bank. Depending on the process used, the batch process may occur automatically at a specific time each day or may need to occur manually.
- A summary of sales activity for each merchant account is automatically loaded into the Enterprise Financial System on a daily basis (the next day). The revenue will be recorded to the chartstring provided when the payment card account was set up.
- If a department has collected sales tax as part of the sales activity for a merchant account, designated departmental financial staff should complete a Journal Entry to record sales tax to the appropriate sales tax liability balance sheet account.
- Designated departmental financial staff reconcile daily sales receipts from local records with the sales activity recorded in EFS. Discrepancies should be reported to Accounts Receivable Services.
- The acquiring bank (for Visa, MasterCard, and Discover) or card brand (American Express) will fund the transactions by making a deposit into the designated University bank account.
- Accounts Receivable Services reconciles the cash received vs. sales activity as recorded in EFS and works with Payment Card Managers and departments to resolve discrepancies.
- Designated financial staff retrieve merchant statements from the acquiring bank and American Express.
- Designated financial staff review monthly statements and reconcile with activity in EFS.
- Designated financial staff review fees. Fees consist of payment gateway or equipment rental fees and payment card transaction fees. The amount of the transaction fee is influenced by the issuing bank, the type of payment card used, the amount of the transaction, and the overall perceived risk of the transaction. Transaction fees include:
  - Assessment fees that go directly to payment card companies
  - Discount fees charged by issuing bank for processing qualifying daily payment card transactions
  - Per item fee, a fixed fee assessed on each transaction
  These fees accumulate for each payment card account and are charged to the responsible department on a monthly basis, one month in arrears, to the chartstring provided when the payment card account was set up.
- Payment Card Manager reviews and updates compliance forms and documents assigned by Accounts Receivable Services.
- Payment Card Managers complete security awareness training assigned by Accounts Receivable Services.
- Payment Card Manager provides for the training of all department employees with access to payment card information to ensure that they understand and follow departmental policy and processes as well as PCI DSS, University policy, and applicable laws.
- Chargebacks/disputed transactions: Cardholders have the right to dispute transactions that they claim were not authorized or were done in error. Once a transaction has been disputed, the cardholder’s bank will contact the payment card account and request verification that the transaction took place. The department has a limited number of days to provide documentation, or the funds in question will be automatically withdrawn from the department’s account; see the card provider regulations for the specific timeframe. If the bank withdraws the funds in question from the department account, the withdrawal cannot be reversed.
- Refunds: When an item or service is purchased using a payment card and a refund is necessary, the refund must be credited to the same account from which the purchase was made. A refund must never exceed the original payment amount. To process a refund, follow the procedure appropriate to the technology used for processing (terminal, POS, internet, etc.). Each department must have a written or published refund policy.
- If situations of non-compliance are identified at any time, the department must work with Accounts Receivable Services to develop a remediation plan. The remediation plan is a detailed process delineating how an individual payment card account will address issues identified as being non-compliant with University policy, applicable law, or contractual obligations to the payment card industry. A remediation plan will include a description of the issues, a plan to fix the issues, and a timeframe for completion of the fixes.
- In the case of a suspected security or privacy breach of payment card information, either electronic or hard copy, immediately email [email protected]. See Administrative Procedure: Report Information Security Incidents.
- All newly hired or reassigned staff involved in payment card processing must complete training and sign the Employee Non-Disclosure Form (UM 1623) prior to processing a payment card transaction.
- Payment Card Manager facilitates review and testing activities performed by ARS, including on-site visits, resolution of assessment findings, and incident response testing tabletop exercises.