(1)
Setting up a credit card account
(a)
To set up a
credit card terminal account, please refer to the office of the treasurer
website.
(b)
To use third-party web providers, software, or a
wireless terminal, complete a credit card merchant agreement and request form,
accessible through the office of the treasurer website.
(2)
Accounting for transactions
(a)
The office of the treasurer sends First Data ("FD")
reports to the department. Treasury will then make transaction entries within
the current month to the general ledger based on the department's chart of
accounts, and based on reconciling items identified by both the department and
treasury.
(b)
A monthly reconciliation to cash process takes place,
which includes the following: Treasury (monthly) records any transactions that
are not reconciled via the FD report in miscellaneous revenue and cash.
Treasury will record the department's appropriate general ledger ("GL")
accounts and relieve miscellaneous revenue once a reconciled FD report
is received from the department.
(c)
It is the
department's responsibility to reconcile the settlement amount in the general
ledger to the credit card receipts and to the statements issued by the credit
card processor on a regular basis, but no less than monthly.
(d)
When customers
dispute a charge, treasury will notify departments via email regarding any
disputed charge card sale. It is a department's responsibility to research and
respond within the designated time, including correcting the chargeback if
needed.
(3)
Credit card data security
(a)
Business managers
must maintain a department PCI security policy. In addition to complying with
established UT policies, supervisors must establish policies and procedures for
safeguarding cardholder information and satisfy PCI
requirements.
(b)
The department is responsible for:
(i)
establishing
procedures to prevent access to cardholder data in physical form, and
(ii)
prohibiting storing cardholder data electronically. Hard copy media containing
credit card information must be stored in a locked drawer or office, with
visitor sign-in logs, escorts and other means used to restrict access to
documents.
(c)
The information technology department has established
password protection on computers, per the IT workstation policy, access control
policy, and password policy.
(d)
Supervisors,
including deans and business managers, must communicate the office of the
treasurer credit card merchant/credit card handling responsibilities and
procedures to their staff, and maintain responsibilities of credit card
handlers and processors documents for all personnel involved in credit card
transactions.
(e)
All personnel involved in credit card transactions
shall do the following:
(i)
Charge credit cards for no more than the amount of
purchase unless the office of the treasurer has approved the
surcharge.
(ii)
The signature on the charge card, if available, must
agree to the draft.
(iii)
Verify the expiration date on the credit
card.
(iv)
In the case of face-to-face credit card transactions,
the customer receives the copy of the sales draft that has only four digits of
the credit card number. The department retains the other copy and must securely
protect these drafts, especially if the drafts have the full sixteen-digit
credit card number printed on them. Safeguard drafts in an appropriate locking
file cabinet or safe.
(v)
Do not send full credit card numbers via e-mail or fax.
Partial credit card numbers sent via e-mail or fax (first four digits and last
four digits) are permissible.
(vi)
The cardholder
should retain possession of his/her credit card throughout the entire
transaction (i.e., a University of Toledo employee should not touch the
card).
(f)
Access to physical or electronic cardholder data must
be restricted to individuals whose job requires access as approved specifically
by the university treasurer. (Reference: 3364-65-02 of the Administrative Code
(access control policy)
(http://www.utoledo.edu/policies/administration/info_tech/pdfs/3364-65-02
Access control policy.pdf)).
(g)
Each
person with computer access to credit card information receives a unique
identification, with private user names and passwords (Reference: 3364-65-02 of
the Administrative Code (access control policy)
(http://www.utoledo.edu/policies/administration/info_tech/pdfs/3364-65-02
Access control policy.pdf)).
(h)
Storing
(electronically or physically) a card verification value code ("cvv" or
"cvv2") or personal identification number ("PIN") is prohibited. The card
verification value code is a three or four digit number found on the back of
most credit cards, except for American Express cards, where it is on the front
of the card.
(i)
Do not fax, e-mail, or store full or partial credit
card numbers in combination with the three or four digit validation codes
(usually on the back of credit cards). Departments will reconcile their weekly
credit card transactions against reports run by treasury and emailed to each
department representative (partial credit card numbers only -- first five
digits and last four digits).
(j)
There must be
appropriate segregation of duties between personnel handling credit card
processing, the processing of refunds, and the reconciliation
function.
(k)
Departments must perform applicable background checks
on potential employees who have access to systems, networks, or cardholder data
within the limits of UT human resource policy and local law. This includes
established UT employees that may transition to new job roles within the
university. If employees have access to only one card number at a time to
facilitate a transaction, such as store cashiers in a supervised setting,
background checks are not required.
(l)
Terminals and
computers must mask twelve of the sixteen digits of the credit card number,
usually the first six digits and the last four digits of the credit card
number.
(m)
Imprint machines may not process credit card payments
as they display the full sixteen-digit credit card number on the customer
copy.
(n)
If an employee suspects that credit card information is
exposed, stolen, or misused, report this incident immediately to the office of
the treasurer and the office of the chief information officer (information
security). This report must not disclose by fax or e-mail credit card numbers,
three or four digit validation codes, or PINs.
(4)
Merchant
fees
(a)
The
credit card companies charge fees based on a variety of factors including the
type of card the customer presents. To obtain the lowest rate for credit card
terminal transactions the merchant should refer to the office of the treasurer
website.
(b)
Contact treasury for current fees to process credit
card transactions.
(5)
Rocket cards
(identifications or "IDs")
(a)
Do not process rocket cards on the same equipment as
credit cards.