The University of Georgia Credit/Debit Card Processing Procedures



Similar documents
CREDIT CARD PROCESSING POLICY AND PROCEDURES

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

The following are responsible for the accuracy of the information contained in this document:

Information Technology

Payment Card Acceptance Administrative Policy

Credit and Debit Card Handling Policy Updated October 1, 2014

Merchant Card Processing Best Practices

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

POLICY SECTION 509: Electronic Financial Transaction Procedures

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

Credit/Debit Card Processing Policy

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository

Policies and Procedures. Merchant Card Services Office of Treasury Operations

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Payment Card Industry Compliance

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

UGA Cooperative Extension Service Credit Card Machine Policy

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

Saint Louis University Merchant Card Processing Policy & Procedures

PCI Policies Appalachian State University

Standards for Business Processes, Paper and Electronic Processing

E-Market Policy Accepting Online Payment for Conducting University Business

TEXAS TECH UNIVERSITY HEALTH SCIENCES CENTER EL PASO

McGill Merchant Manual

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

CENTRAL WASHINGTON UNIVERSITY PAYMENT CARD SECURITY PROCEDURES

UW Platteville Credit Card Handling Policy

Office of Finance and Treasury

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

DCCCD BUSINESS PROCEDURES MANUAL. Revision Log

University Policy Accepting and Handling Payment Cards to Conduct University Business

CREDIT CARD PROCESSING & SECURITY POLICY

Online Payment Processing Definitions From Credit Research Foundation (

CREDIT CARD MERCHANT PROCEDURES. Revised 01/21/2014 Prepared by: NIU Merchant Services

CREDIT CARD PROCESSING GLOSSARY OF TERMS

Viterbo University Credit Card Processing & Data Security Procedures and Policy

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

Merchant e-solutions Payment Gateway Back Office User Guide. Merchant e-solutions January 2011 Version 2.5

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009


The University of Michigan Treasurer s Office Card Services. Merchant Services Policy Document

How To Control Credit Card And Debit Card Payments In Wisconsin

CREDIT CARD POLICY DRAFT

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

Failure to follow the following procedures may subject the state to significant losses, including:

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524

New York University University Policies

institute s Credit Card Payment Policy

Emory University & Emory Healthcare

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Credit Card Processing and Security Policy

Credit Card Handling Security Standards

policy D Reaffirmation of existing policy

Accepting Payment Cards and ecommerce Payments

Credit/Debit Card Processing Requirements and Best Practices. Adele Honeyman Oregon State Treasury Training Specialist

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)

Fraud - Preparing Data Card Transactions

Your gateway to card acceptance.

Appendix 1 Payment Card Industry Data Security Standards Program

Bursar s Office Department Cash Receipting Training for Receipt Book, Pre Numbered Tickets and Cash Register Users.

Ball State University Credit/Debit Card Handling Policy and Procedures

Acceptance to Minimize Fraud

Merchant Account Glossary of Terms

TERMINAL CONTROL MEASURES

b. USNH requires that all campus organizations and departments collecting credit card receipts:

GLOSSARY OF MOST COMMONLY USED TERMS IN THE MERCHANT SERVICES INDUSTRY

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

The Interlink Network and Maestro U.S.A. Network rules and regulations (collectively National/International Networks );

University of York Policy on the Management of Debit/ Credit Card Data

SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures

How Do I Understand Credit Card Processing Fees?

Redwood Merchant Services. Merchant Processing Terminology

How To Complete A Pci Ds Self Assessment Questionnaire

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Getting Started. Quick Reference Guide for Payment Processing

Clark Brands Payment Methods Manual. First Data Locations

University of Virginia Credit Card Requirements

Finally A Solution. Processing POS Rewards. Merchant Processing Manual

JCharge White Paper. Merchant, Acquirer, Bank, Authorization Network

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Questions and Answers PCI Compliance (Updated May 23, 2014)

An access number, dialed by a modem, that lets a computer communicate with an Internet Service Provider (ISP) or some other service provider.

SCHEDULE A MODIFIED SCOPE OF SERVICES MERCHANT CARD PROCESSING SERVICES STATE OF NORTH CAROLINA AND SUNTRUST MERCHANT SERVICES

University Policy Accepting Credit Cards to Conduct University Business

Transcription:

The University of Georgia Credit/Debit Card Processing Procedures The University of Georgia currently accepts four major credit cards (MasterCard, Visa, Discover and American Express) for payment of services rendered and goods sold. Debit cards with the Visa or MasterCard logo are also accepted. All University departments are required to process card transactions through the merchant services provider selected by the University and/or the state of Georgia. Effective January 1, 2004, the State of Georgia selected FirstData and Suntrust Merchant Services as the state-wide provider. General guidelines 1) Any University Unit wishing to accept credit/debit card for goods and/or services should complete a Credit/Debit Card Processing Application (www.bursar.uga.edu). 2) Upon approval, the Bursar s Office will request a merchant id for the University department from the merchant services provider. If the department will be conducting e-commerce, an e-commerce merchant id must be established which is separate from any point-of-sale merchant id. 3) The Bursar s Office will work with the department regarding the purchase of all card processing terminals. Effective July 1, 2004, all card equipment that prints a receipt is required to truncate the card number on the customer receipt. 4) If specialized software and/or systems are required, the Bursar s Office, the Chief Information Security Officer, Internal Auditing, and the applicable computer support unit will work with the department to ensure that processing standards and safeguarding measures are met. 5) University units should not store any sensitive cardholder data. To the extent possible on e-commerce transactions, the sale transaction should not take place on University computers or network resources. It is acceptable for Point of Sale devices to store the sensitive cardholder data on their device until transactions are settled; once settlement occurs, no information should be stored electronically. 6) On a daily basis, the department must balance transactions and settle their sales electronically to the merchant services provider. 7) The department will complete and send the credit/debit card transmittal form to the Bursar's Office so that the sales revenue can be recorded in the University Accounting System. Transmittal forms summarizing the settled sales should be sent to the Bursar's Office by fax or email no later than noon of the day following settlement. The credit/debit card sales transmittal form is available at: http://www.busfin.uga.edu/forms/credit_card_transmittal.pdf. 8) All departments accepting credit/debit cards for payment must comply with the University of Georgia Credit/Debit Card Processing Policy and the University s Customer Information Security Program (UGA Gramm Leach Bliley Policy) to protect the private financial information of University customers. The policy is available at: http://www.uga.edu/audit/glba/index.html

Guidelines for Point-of-Sale Transactions 1) The Bursar s Office will coordinate all credit/debit card processing for the University. No individual department may enter into a contract with a credit/debit card processor without approval of the Bursar s Office and the Senior Vice President of Finance and Administration. 2) All card transactions will be processed on equipment compatible with the processing platform(s) of the University s card processor. As of January 1, 2004, the University s card processor is FirstData/Suntrust Merchant Services which is the card processor selected by the State of Georgia. 3) Effective July 1, 2004, all customer receipts must truncate the card number so that only the last four digits are printed. 4) Departments requiring customized equipment for point-of-sale transactions must contact the Bursar s Office before such equipment is purchased. The Office of Information Security will be consulted prior to equipment purchase. 5) In order to reduce fraud, credit card companies recommend the following procedures for processing cards when the card is present (i.e. a face to face transaction): It is recommended that you ask for an ID at the point of sale to verify that the card member is using the card. Always swipe the card through the terminal/point of sale device, if applicable. Obtain authorization for every card sale. Ask customer to sign the sales receipt. Match the embossed number on the card to the four digits of the account number displayed on the terminal. Compare name and signature on the card to those on the transaction receipt. If you believe the card member or card sale is suspicious, make a Code 10 call to your voice authorization center for card being used. 6) If cardholder information is taken over the phone or via fax (i.e. card is not present), in order to reduce fraud, the following guidelines are recommended: Obtain cardholder name, billing address, shipping address (if different from billing address and if applicable), account#, and expiration date. Verify the customer's billing address either electronically (by entering the zip code in the POS device) or by calling the credit card automated phone system (Address Verification System - AVS). Request the Security Code (the three-digit code on the back of the card in the signature panel) and validate the code at the time of authorization either electronically (through the POS device) or by calling the credit card automated phone system. This code should be destroyed once validated; it should not be stored physically or electronically. Get a signature for each delivery that is not the card member. Maintain credit card receipts and all delivery records for the retention period as specified in #13 below.

7) UGA units should not accept credit/debit card information via email. 8) All point-of-sale terminal transactions must be batched and transmitted to the card processor on a daily basis. 9) Sales totals (net of refunds) must be reported to the Bursar s Office on a credit card transmittal form (http://www.busfin.uga.edu/forms/credit_card_transmittal.pdf) no later than noon the day following the day of settlement. These forms should be faxed to 706-542- 3959 or e-mailed to bursar@uga.edu. 10) It is important that departments reconcile their point-of-sale transactions and report the sales amounts to the Bursar s Office. The department s transmittal should be the origination point; the Bursar s Office should not report the sales amount per the credit card processor reports to the department in order for the department to prepare the transmittal. 11) The Bursar s Office will compare the sales amount per the transmittal to the records at the card processor and will immediately inform the department of discrepancies. All discrepancies should be resolved within 24 hours so that sales can be posted to the departmental account in the UGA Accounting System on a timely basis. 12) When the Bursar s Office receives charge back inquiries from the credit card companies, the applicable department will be contacted to provide the necessary information about the sales transaction in question. 13) Departments should maintain adequate records of the sales transactions. Daily sales totals, logs, etc. substantiating revenue should be stored for 5 years in accordance with state record retention policies (Records Retention Series A, http://www.usg.edu/usgweb/busserv/series/). Individual receipt slips and other documents with cardholder data should be stored in a locked filing cabinet or safe and only need to be retained for 12 months. In order to dispute a charge, customers must report the item to the credit card company within 12 months of the date of sale. At the time of disposal, all documents containing sensitive cardholder data should be shredded using a cross-cut shredder. e-commerce Transactions 1) The Bursar s Office will coordinate all e-commerce processing for the University. No individual department may enter into a contract with a card processor without approval of the SVPFA, CIO or delegate(s). 2) Departments should contact the Bursar s Office prior to purchase of specialized software or equipment so that customized processing applications are reviewed in conjunction with policy and procedure. The Bursar s Office, the Chief Information Security Officer, Internal Auditing, and the applicable computer support unit will work with the department to ensure that processing standards and safeguarding measures are met.

3) All card transactions will be processed through a payment gateway approved by the SVPFA and the CIO. 4) To the extent possible, card processing transactions should be performed on the website of the payment gateway (i.e. the customer should enter sensitive cardholder data on a payment engine website) and not on University computer or network resources. 5) No department should store any sensitive cardholder data on any UGA server or PC. All sensitive cardholder data should be maintained by an approved service provider. All outside service providers must comply with the security programs of Visa CISP, MasterCard SDP, American Express DSS, and Discover s Merchant Operating Regulations. 6) All ecommerce transactions must be batched and transmitted to the card processor on a daily basis. 7) Sales totals (net of refunds) must be reported to the Bursar s Office on a credit card transmittal form (http://www.busfin.uga.edu/forms/credit_card_transmittal.pdf) no later than noon the day following the day of settlement. These forms should be faxed to 706-542- 3959 or e-mailed to bursar@uga.edu. 8) It is important that departments reconcile their ecommerce transactions and report the sales amounts to the Bursar s Office. The department s transmittal should be the origination point; the Bursar s Office should not report the sales amount per the credit card processor reports to the department in order for the department to prepare the transmittal. Departments will be given web access to the payment manager database which houses the card transactions. This will enable the department to perform reconciliation and research. 9) The Bursar s Office will compare the sales amount per the transmittal to the records at the card processor and will immediately inform the department of discrepancies. All discrepancies should be resolved within 24 hours so that sales can be posted to the departmental account in the UGA Accounting System on a timely basis. 10) When the Bursar s Office receives charge back inquiries from the credit card companies, the applicable department will be contacted to provide the necessary information about the sales transaction in question. 11) Departments should maintain adequate records of the sales transactions. Daily sales totals, logs, etc. substantiating revenue should be stored for 5 years in accordance with state record retention policies (Records Retention Series A, http://www.usg.edu/usgweb/busserv/series/). Individual receipt slips and other documents having cardholder data should be stored in a locked file cabinet or safe and only need to be retained for 12 months. In order to dispute a charge, customers must report the item to the credit card company within 12 months of the date of sale. At the time of disposal, all documents containing sensitive cardholder data should be shredded using a cross-cut shredder. Technical Specifications:

Each University unit processing credit/debit cards will be responsible for adhering to the credit card merchants data security program. The Office of Information Security will maintain links to the various merchant s data security programs at: http:www.infosec.uga.edu/standards.html. Any questions with regard to the technical specifications should be directed to the Chief Information Security Officer. Each merchant id assigned will have at least one person subscribed to the ecomm and ecomm-tech listservs for updates on credit/debit card policy and procedure. Exceptions to Policy: In order to be granted an exception to the policy please submit Request for Exception located at: www.bursar.uga.edu. Request should include: Reason for requesting exception. Steps that are being taken to become compliant with the policy. Date your division is expected to become compliant. The Bursar s Office will work with the SVPFA and the CIO to determine if an exception to the policy can be granted.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information