A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.



Similar documents
Prepared by Treasury Office. This is a new policy. A8.711 September 2009 A8.700 TREASURY. P 1 of 5. A8.711 Electronic Payments via University Websites

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Appendix 1 Payment Card Industry Data Security Standards Program

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS

Standards for Business Processes, Paper and Electronic Processing

4/13/2016. Cash Handling & Deposits Informational Session Presented by Wendall Ho. Contact Information. Staff. Financial Management Office

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Accepting Payment Cards and ecommerce Payments

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

University Policy Accepting and Handling Payment Cards to Conduct University Business

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

b. USNH requires that all campus organizations and departments collecting credit card receipts:

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Payment Card Industry Compliance

Dartmouth College Merchant Credit Card Policy for Processors

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Policies and Procedures. Merchant Card Services Office of Treasury Operations

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments

TERMINAL CONTROL MEASURES

Saint Louis University Merchant Card Processing Policy & Procedures

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Fraud - Preparing Data Card Transactions

The University of Georgia Credit/Debit Card Processing Procedures

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures

PCI Data Security and Classification Standards Summary

Information Technology

BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

POLICY SECTION 509: Electronic Financial Transaction Procedures

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

Fraud Protection, You and Your Bank

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Payment Card Acceptance Administrative Policy

CREDIT CARD POLICY DRAFT

Failure to follow the following procedures may subject the state to significant losses, including:

The University of Michigan Treasurer s Office Card Services. Merchant Services Policy Document

CREDIT CARD PROCESSING POLICY AND PROCEDURES

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

Frequently Asked Questions

University Policy Accepting Credit Cards to Conduct University Business

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

UGA Cooperative Extension Service Credit Card Machine Policy

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

How To Control Credit Card And Debit Card Payments In Wisconsin

Credit Card Processing and Security Policy

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

The Interlink Network and Maestro U.S.A. Network rules and regulations (collectively National/International Networks );

Ball State University Credit/Debit Card Handling Policy and Procedures

UW Platteville Credit Card Handling Policy

Emory University & Emory Healthcare

Policy for Accepting Payment (Credit) Card and Ecommerce Payments

Merchant Card Processing Best Practices

PCI Policies Appalachian State University

The Department Travel Cardholder/Travel Arranger will be responsible for making travel arrangements for individual and/or group travel for:

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

PCI Compliance. Top 10 Questions & Answers

The following are responsible for the accuracy of the information contained in this document:

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

P R O G R E S S I V E S O L U T I O N S

Financial Reconciliation and Reporting for. Credit/Debit Payment Card Sales Transactions. Webinar

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

McGill Merchant Manual

Credit Card Handling Security Standards

PCI DSS SECURITY AWARENESS

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository

CSU, Chico Credit Card PCI-DSS Risk Assessment

DCCCD BUSINESS PROCEDURES MANUAL

Credit/Debit Card Processing Policy

Table of Contents. 2 TouchSuite Welcome Kit

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

Important Info for Youth Sports Associations

Josiah Wilkinson Internal Security Assessor. Nationwide

CREDIT CARD MERCHANT PROCEDURES. Revised 01/21/2014 Prepared by: NIU Merchant Services

Viterbo University Credit Card Processing & Data Security Procedures and Policy

PCI DSS Requirements - Security Controls and Processes

Becoming PCI Compliant

Your Compliance Classification Level and What it Means

Vanderbilt University

UNIVERSITY CONTROLLER S OFFICE

IT04 UO ACH Security Policy

Information Security Policy

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

PCI Compliance Top 10 Questions and Answers

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Transcription:

Prepared by Treasury Office. This amends A8.710 dated July 2001. A8.710 April 2005 A8.700 TREASURY P 1 of 5 A8.710 Credit Card Program 1. Purpose To provide uniform procedures for the processing of credit card transactions in accordance with University policies, banking and payment card industry requirements, the terms of the University's credit card contract and all subsequent amendments. 2. Applicability This directive applies to all campuses of the University of Hawai i. 3. Definitions a. Merchant an entity accepting credit cards as a form of payment. A merchant number must be established by the bank before credit card processing can commence. For accounting and control reasons, only the Treasury Office will request merchant set-ups from the Contractor. Terminal identification numbers (TID) must also be established for each merchant as the mechanism to initiate credit card transactions. TID s must be established even if software is being used to initiate credit car transactions. b. Merchant Fee the service fee paid to the contractor by the merchant (UH department) accepting a credit/debit card for payment c. Contractor the vendor contracted by the University to provide credit card processing services. d. ecommerce a non face to face on-line transaction using electronic media over a public or private network. e. Payment processing service a service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments. 4. Responsibilities a. The Treasury Office approves or disapproves requests to participate in the program. This includes requests to use a third party payment processing service to accept credit card payments over the web.

P 2 of 5 b. The campus/department will comply with all procedures specified by the University and the Contractor with respect to sales drafts and related transactions. c. The campus/department must comply with security requirements and safeguard cardholder data as set forth by the Payment Card Industry (PCI). d. The campus/department is responsible for the payment of the rental costs of equipment or software, dedicated telephone line, and the merchant fee. e. The campus/department utilizing third party payment processing service to accept credit card payments over the web must ensure that they comply with all University, banking and payment card industry security requirements. 5. Procedure to Participate in Program a. Requests to participate in the credit card program should be addressed to the Bursar and contain the following: 1) The justification for participating in the credit card program. 2) The legal authority that permits the campus/department to collect and deposit State or UH cash receipts. b. Upon approval by the Bursar, the Treasury Office will notify the Contractor's representative to establish a merchant number and contact the department to arrange for equipment/software installation and training. 6. Procedure to Process Credit Card Sales a. All sales drafts must be signed by the cardholder at the time of sale. Exceptions to this are purchases by mail, telephone, fax, and Internet orders. If a mail, telephone, fax, or Internet order is received, it must list the entire account number, card expiration date, cardholder's name, and amount to charge. b. Specific instructions for credit card sales transaction processing are included in the user manual provided by the Contractor. 7. Procedure to Refund Credit Card Purchase a. All refunds of goods and services paid for by credit card shall be made by credit vouchers. Department personnel shall sign each credit voucher. The amount of the credit voucher may not exceed the amount of the original transaction as reflected on the sales draft.

P 3 of 5 b. Specific instructions for refund processing are included in the user manual provided by the Contractor. 8. Procedure to Record Credit Card Sales in FMIS a. All terminals must be closed and transmitted daily to the Contractor to receive credit for transactions processed. Specific instructions for deposit transaction processing are included in the user manual provided by the Contractor. b. Contractor will credit the University s checking account no later than two (2) business days following transmission. Department must process a departmental deposit form (FMIS-5) to record the credit in FMIS. Prepare one departmental deposit form for each batch transmitted. The document number for the departmental deposit form is based on the first three digits of the fiscal officer code, followed by three digits assigned by the fiscal officer. c. If refunds exceed sales, process a departmental deposit form (FMIS-5). To record a negative deposit in FMIS, enter a D in the D/C column. d. A transaction may be charged back to the merchant when the cardholder disputes the sale or asserts that the sale was fraudulently processed. The program manager must investigate the claim and respond to the Contractor by date noted on the chargeback notice. If the chargeback is upheld, the merchant must process a journal voucher to record the chargeback in FMIS. 9. Retrieval of Credit Cards a. As stipulated in the University's credit card contract, the department will use its best efforts to retrieve cards as requested by the Contractor. b. Cut credit card once lengthwise through the account number and mail to the Contractor. 10. Reconciliation and Payment of Merchant Fees a. The Contractor will submit monthly an original and two copies of invoices to each department for each merchant number. b. Departments must reconcile the daily batch settlement report to the monthly merchant statement to ensure that the merchant was properly credited. c. The Contractor will submit annually each July, an original and two copies of invoices to each department for the rental of equipment or software. d. Purchase orders or departmental checks, as appropriate, shall be issued to the Contractor for payment.

P 4 of 5 11. Procedure to Withdraw from Credit Card Program a. Submit written request to the Bursar, with justification to withdraw from the credit card program. b. Upon approval, the Treasury Office will coordinate the closing procedures with department and Contractor. 12. Security Polices and Procedures for Credit Card Data a. It is the responsibility of all credit card merchants to safeguard cardholder data. Every effort must be made to prevent theft or inappropriate use of cardholder data. 1) Cardholder data must be securely disposed of after meeting State of Hawai i records retention requirements. 2) The full contents of any track from the magnetic stripe (on the back of a card, in a chip, etc.) in the database, log files, or point of sale products may not be stored. 3) The card validation code (3-digit value printed on the signature panel of a card) may not be stored in any database, log file or point of sale product. 4) All but the last 4 digits of the cardholder s account must be masked when displaying cardholder data. 5) Account numbers must be rendered unreadable anywhere it is stored by means of encryption or truncation. 6) Account numbers must be sanitized before being logged in an audit log. 13. Security Policies and Procedures for Credit Card Data From ecommerce Transactions a. ecommerce merchants must implement data security procedures to conform to university information security policy and current PCI data security standards. 1) Install and maintain a working firewall to protect data. 2) Do not use vendor supplied defaults for system passwords and other security parameters. 3) Protect stored data. 4) Encrypt transmission of cardholder data and sensitive information across public networks. 5) Use and regularly update antivirus software.

P 5 of 5 6) Develop and maintain secure systems and applications. 7) Restrict access to data by business need to know. 8) Assign a unique ID to each person with computer access. 9) Restrict physical access to cardholder data. 10) Track and monitor all access to network resources and cardholder data. 11) Regularly test security systems and processes. a. ecommerce merchants must conduct a self-assessment survey and network system scan. The frequency is based on current PCI guidelines. 12) Maintain a policy that addresses information security. 14. Security Incident Response Plan a. The department must immediately notify the University s credit card Contractor and the Treasury Office when cardholder data is breached. 1) The program manager must investigate the circumstances causing the breach and quickly resolve it. Failure to comply with security procedures and rectify the violation may result in heavy fines imposed by the credit card companies. b. All security incidents involving ecommerce transactions must also be reported immediately to the ITS Information Security Officer and Incident Response Team. 1) Minimally, the Incident Response Team shall be comprised of the ITS Security Officer, the Application Security Administrator, the System Security Administrator, and the Credit Card Contract Administrator. 2) In the event that cardholder data from an ecommerce transaction is compromised, incident response team shall follow procedures outlined in the University s Administrative Information Systems Information Security Policy.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information