V802.07 Electronic Financial Transactions Policy and Procedures

Policy Statement

Valley City State University allows departments to accept credit cards for purchases of goods or services only in accordance with the procedures outlined in this document.

Reason for Policy

The University recognizes that accepting credit cards as payment for goods or services has become a common practice that improves customer service, brings certain efficiencies to VCSU's cash collection process, and may increase the sales volume of some types of transactions. In addition, the use of technology, such as the World Wide Web, provides easy access for many, and the use of credit cards is essential when sales are conducted electronically.

Scope of Policy

This policy applies to all VCSU faculty, staff, students, organizations, and individuals who on behalf of the University handle electronic financial transactions and payments such as credit/debit card transactions, and electronic fund transactions (EFT).

Related Information

The Gramm Leach Bliley Act of 1999 (GLBA)
- http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
Fair and Accurate Credit Transaction Act of 2003 (FACTA)
Red Flag Rules – Interpretation of Sections 114 and 315 of FACTA
Incidence Response Policy – to be developed
Payment Card Industry Standards
"What to Do If Compromised" VISA USA Fraud Investigations and Incident Management Procedures
- http://www.usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
Guidelines for Protecting Sensitive Data

Definitions

The Gramm Leach Bliley Act - Key rules under the Act govern the collection and disclosure of customers' personal financial information
Payment Card Industry - A multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
Electronic Financial Transactions: The term is used for a number of different concepts such as cardholder-initiated transactions, where a cardholder makes use of a payment card (e.g., credit or debit card); electronic payments by businesses, including salary payments, electronic check clearing.
TouchNet: Third party service provider used for online billing and payment processing which follow applicable PCI DSS standards and guidelines.
Credit Card Processing Machine - A machine or device used to process credit card transactions. Examples may include: Zon, Trans 330, Trans380, Trans 460, Omni3200SE.

Principles

Overview

Many departments on campus process credit card transactions, either infrequently or in the course of daily business. It is the University's responsibility to protect the privacy of its customers, as well as maintain compliance with the Gramm Leach Bliley (GLB) Act, Payment Card Industry (PCI) Standards and Red Flag Rules.

Departments that transact business by accepting credit cards for goods or services are expected to adhere to the attached procedures to help ensure the integrity and security of all credit card transactions. Failure to follow the procedures may result in the revocation of departmental authorization to accept credit cards and departmental responsibility for paying all related penalties.

Credit card payments for student accounts receivable accepted are online via Campus Connection.

Acceptable Credit Cards

The University is required to process credit card transactions through the Bank of North Dakota. Any exceptions must be approved, in writing, by the Bank of North Dakota.

Credit card types that departments may request to be accepted within the department for goods and services include MasterCard, VISA, Discover, and American Express.

Credit Cards Fees

The University is charged fees on all credit card transactions. The fees vary and are based on the card type accepted and the method of acceptance (swiped versus manually entered). In addition to a percentage on the amount of the transaction, a "per transaction" fee and a monthly merchant account fee is charged.

Merchant fees are charged to the designated funding sources on a monthly basis.

The credit card merchant fee is considered a cost of doing business. Departments cannot assess an additional fee to the customer if the customer pays via a credit card.

Security

If a department suspects that credit card records may have been compromised in any way, whether through malicious intent or due to a weakness in the handling and processing of credit card transactions, they are to notify their supervisor immediately.

All security incidents will follow the VCSU Incident Response Policy (to be developed). The document 'What to do if Compromised', VISA USA Fraud Investigations and Incident Management Procedures will be utilized as a reference for any security incident.

The Office of Human Resources and Payroll performs criminal background checks on all potential employees prior to their date of hire.

Procedures

Obtaining Authorization to Accept Credit Card Payments

Departments must obtain prior approval from the Controller to accept and/or process credit card transactions within the department. Requests should be made via e-mail to the Controller. If approved, the Controller will provide the department with procedures that must be followed when processing credit card deposits. If a department has not obtained approval to accept credit card payments, they should not be accepting credit card information.

To minimize the risk of attacks from internal sources, all VCSU employees who work with electronic financial transactions and the personal data associated with it will:

Have completed a criminal background check
Have completed the data privacy training
Have signed the Employee Credit Card Security Agreement
Read the Identity Theft Prevention Program Plan
Read the Guidelines for Protecting Sensitive Data
Read the Reporting and Investigating Fraud and Theft Policy

Methods of Processing Transactions

There are five accepted methods for processing credit card transactions:

In person.
By telephone – must obtain the CVV code from the back of the card, but must be destroyed after the transaction is processed; must verify the address if sending merchandise; may choose to have return receipt to confirm delivery of goods.
By mail.
Via the University approved service provider (TouchNet).
Via approved mobile payment devices. See VCSU Policy V802.07.02.

Credit card information cannot be requested or sent via electronic messaging. If a cardholder sends credit card information via electronic messaging, departments are required to reply to the cardholder with the following verbiage without including the credit card information that was received:

"It is important that VCSU protects the privacy of our customers, and therefore, does not accept credit card information via electronic messaging as it is not a secured method. Please discontinue sending credit card information via electronic messaging. Please contact the department providing the goods or services to request available payment options."

Departments must attach a copy of the response to the merchant copy of the transaction being processed and retain in accordance with the records retention policy.

When issuing credits to customers, the credit should be processed in the same payment method as the original charge. If a cash refund is necessary, it should be approved by the departmental head/manager on a case-by-case basis. Refunds processed thru Student Accounts Receivable (all methods) must be processed by the Accounts Receivable Specialist or a non-cashiering Business Office employee.

Department must not store any credit card information, including CVV codes or PIN numbers, in a customer database or electronic spreadsheet. All CVV codes, PIN numbers, and other documents containing credit card information, must be shredded immediately after the transaction has been processed.

Refunds

When an item or service is purchased using a credit card, and a refund is necessary, the refund should be credited to the credit card from which the purchase was made. If a cash refund is necessary, it should be approved by the departmental head/manager on a case-by case basis. Refunds processed thru Student Accounts Receivable (all methods) must be processed by the Accounts Receivable Specialist or a non-cashiering Business Office employee.

Disputed Charges / Chargebacks

Occasionally, the Bank of North Dakota will send notification to the University indicating a disputed charge. The Controller will provide all requested information in response to the notification by the due date indicated.

Recording and Reconciling Transactions

When submitting deposits to the Business Office, include the following:

Daily Totals Report - this includes only the totals for MasterCard, VISA, Discover, and American Express; no credit card numbers are included.
1. This report should be printed twice (one copy for the Business Office, and one copy is to be retained by the department)
Daily Settlement Report - this indicates the amount settled successfully.
1. Departments should transmit and settle their batches daily.

Retention Periods

Documents supporting the credit card transaction must be retained by the department according to the University's Records Retention Policy.

Departments are considered to be the originating department and should retain the following documents for receipts processed with a Tender Type of Credit Card:

The merchant copy of the sales slip, which includes the signature, should only include the last four digits of the credit card number.
1. Retention period is to be determined.
Daily Totals Report - includes only the totals for each card type (MasterCard, VISA, Discover, and American Express); no credit card numbers are included.
1. Retention period is to be determined.
Daily Detail Report - this includes the entire credit card number for all transactions.
1. Retention period is to be determined.

The Business Office retains the following documents for receipts processed with a Tender Type of Credit Card:

Daily Totals Report - includes only the totals for each card type (MasterCard, VISA, Discover, and American Express); no credit card numbers are included.
1. Retention period is to be determined.
Daily Settlement Report – this indicates the amount settled successfully.
1. Retention period is to be determined.

All transaction documents, as stated above, must be secured by the department, for example, in a locked cabinet/room with limited access.

PCI Self Assessment Questionnaire

The Controller is required to complete a PCI Self Assessment Survey on an annual basis and submit to the Bank of North Dakota. The Controller is required to submit a revised survey if there have been any changes since the last survey or if requested by the Bank of North Dakota.

Responsibilities

Director of Business & Financial Services

Grant authorization to departments to accept and process credit card transactions.
Provides procedures for daily reconciling of credit card transactions.
Retain documents supporting credit card transactions as required.

Department Accepting Credit Cards for Goods or Services

Request/obtain prior approval from the Controller to accept and/or process credit card transactions.
Notify their supervisor immediately if there is a suspicion that credit card records may have been compromised in any way.
Should take merchant fees into consideration when determining rates for goods and services.
Must follow the procedures for processing credit card deposits.
Must not store any magnetic stripe information, including security codes, CVV/CVC, PIN number, CVV2/CVC2.
Reconcile and transmit credit card transactions on a daily basis.
Retain all required credit card documents in a secured location according to the records retention policy.
Do not request credit card information via electronic messaging. When credit card information is received by the department via electronic messaging, departments are required to notify the sender to discontinue sending credit card information via electronic messaging, as it is not a secured method. This notification should be attached to the merchant copy of the transaction.
When disposing of credit card information, all documents must be shredded.

Forms

Employee Credit Card Security Agreement

Departmental Request to Process Electronic Financial Transactions

Sponsored by:Vice President for Business Affairs

Effective:May 1, 2009

Revised: August 2016