RESPONSIBLE UNIVERSITY OFFICIAL: Senior Vice President for Operations and Chief Financial Officer
RESPONSIBLE OFFICE: Controller's Office
COORDINATING DEPARTMENTS: Purchasing Card Office/Accounting Office
ISSUE DATE: January 1, 2010
EFFECTIVE DATE: January 1, 2010
WHO NEEDS TO KNOW THIS POLICY: All university departments that process credit card transactions
Purpose of the Policy
This policy establishes authority and responsibility for obtaining and maintaining merchant accounts that are used to process payment by way of credit card transactions. It also establishes guidelines that departments must follow so that credit card processing complies with the Payment Card Industry Data Security Standard (PCI DSS).
1. The university designates the Controller's Office (CO) as responsible for setting up and maintaining oversight of all merchant accounts. Departments are not authorized to independently establish relationships with credit card processors. Note that merchant accounts support both deposits and "negative" deposits (refunds and credits) to the university bank account.
2. Departments seeking merchant accounts will forward a completed application to the CO. The application will describe the name under which business is to be conducted, what will be sold, estimated sales volume, whether card-present transactions will be conducted, and similar details. To the extent possible, the university will use a single credit card processor and a limited number of transaction processing support platforms.
3. The primary support platform will be a personal computer with access to the merchant account via the internet. Card-present transactions will be accommodated by means of an attachable card swipe reader. Where a department uses a point-of-sale processing system, the link to the processor may be bridged by software or a function provided by authorize.net.
4. The CO will maintain a log of open merchant accounts and a list of the departmental employees who hold passwords to them. The owning department is responsible for assigning a single employee (manager, director or supervisor) the role of steward of the department's account.
5. This steward controls, at the department level, the creation of user names and passwords for the merchant account and is responsible for ensuring that the account is used to process only authorized transactions. Transaction processing should be reviewed daily to ensure that transactions are properly recorded. The department will not receive account credit if the university does not receive funds.
6. "Credit" (refund) transactions must be approved by someone other than the employee requesting the transaction. Under no circumstances will a credit be issued against a card that has not previously been charged. Such a transaction is entirely unauthorized, and completing one is grounds for dismissal.
7. It is extremely important to understand that the user names and passwords of internet-based accounts are subject to "phishing" attacks, and that such attacks happen constantly. Never enter your password unless you navigated directly to the processor's website yourself; do not follow links in e-mail, and do not respond to e-mail requests for credentials. Employees must be thoroughly skeptical and maintain a high degree of security over their passwords. Remember that a credit transaction processed through a merchant account results in a payment out of Tulane's bank account, so monitor the activity on your account frequently to validate that no unauthorized transactions have been processed.
8. Departmental personnel are required to reconcile credit card charges to the amounts recorded as revenue on behalf of the department. Such reconciliations will be done at least monthly; in some cases it may be necessary to perform them daily. Departmental leadership must take responsibility for monitoring the transactions recorded on merchant accounts under its stewardship. To the maximum extent possible, accounts should be reconciled by employees who do not process credit card transactions. If this is not possible, the reconciliation must be reviewed by departmental leadership monthly, and documentation of that review must be maintained.
9. Each department with a "Merchant Account" is essentially operating as a "merchant" and must therefore be knowledgeable about cardholder data security. The Payment Card Industry Data Security Standard is intended to protect cardholder data, and the merchant agreements signed when accounts are set up require compliance with its data protection requirements. The following apply to storage of cardholder information:
- Do not store the following under any circumstances: the full contents of any track from the magnetic stripe on the back of the card, or the card validation code (the three- or four-digit code printed on the card).
- Store only the portion of the customer account information that is essential to your business: name, account number or expiration date.
- Store all material containing this information in a secure area that is limited to authorized employees only.
- Destroy or purge media containing obsolete or dated transaction data with cardholder information.
- In the event of a security incident where transaction data is accessed or retrieved by any unauthorized entity, notify the merchant bank or processing contact for each card brand immediately.
- Such reporting not only minimizes risk to the payment system but also protects your customers in the most responsible manner. Systems and procedures are in place to protect your customers, but they are only effective if the security incident is reported.
- Also see the “Guidelines for all computer systems handling credit card numbers” http://security.tulane.edu/TulaneCreditCardPolicy.pdf
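The storage rules above are easier to enforce if a department can check its own spreadsheets, exports and log files for data that must never be kept. The Python script below is an added example and is not part of this policy or of the linked guidelines. It flags full track 1 and track 2 magnetic stripe data, labelled card validation codes, and 13- to 19-digit numbers that pass the Luhn check (bare account numbers), reporting only the last four digits of anything it finds. The sample text is constructed for the example and uses only published test card numbers; the function and variable names are the example's own.

```python
"""Scan text for cardholder data that must not be stored (added example,
not part of the university policy). The track 1/track 2 layouts and the
Luhn check are standard; the sample input is constructed and uses
published test card numbers only."""
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d*\?")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d*\?")
# A labelled card validation code (CVV2/CVC2/CID). An unlabelled 3- or
# 4-digit number is too noisy to flag on its own.
CVC = re.compile(r"\b(?:cvv2?|cvc2?|cid|security\s*code)\s*[:=]?\s*\d{3,4}\b", re.I)
# 13-19 digits, optionally separated by spaces or dashes, not embedded in
# a longer run of digits. Candidates are then validated with Luhn.
PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so the report itself is safe to store."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_text(text: str) -> list:
    """Return a list of findings: {"line": n, "kind": ..., "value": masked}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        track_hit = False
        for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for m in pattern.finditer(line):
                track_hit = True
                findings.append({"line": lineno, "kind": kind, "value": mask(m.group(1))})
        for _ in CVC.finditer(line):
            findings.append({"line": lineno, "kind": "card_validation_code", "value": "<redacted>"})
        if track_hit:
            continue            # the PAN inside track data is already reported
        for m in PAN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "kind": "pan", "value": mask(digits)})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by kind, e.g. {"track1": 1, "pan": 2}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


# Constructed sample: a harmless order reference that is NOT a card number,
# one line of each forbidden item, and an acceptable "last four" record.
SAMPLE = """\
order=1001 customer=J. Doe total=42.00 ref=1234567890123456
%B4111111111111111^DOE/JOHN^25121011234?
;5500000000000004=25121011234?
card: 3782 822463 10005 exp 12/25 cvv: 1234
card ending 1111 approved auth=ABC123
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

The order reference on the first sample line is 16 digits but fails the Luhn check, so it is not reported; the last line keeps only the final four digits and is likewise clean. Run the script over exported files before they are filed, and treat any track or card validation code hit as a storage violation to be purged, not merely masked.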
Recording and Reconciling Credit Card Transactions:
1. When requesting a credit card merchant account, the department will designate, as part of the application, the TAMS budget account for recording credit card revenues and credit card fees.
2. The Accounting Office will record all credit card transactions from a daily report from the bank.
3. All departments will receive a monthly statement from the credit card vendor online and/or in hard copy.
4. The department is responsible for reconciling its monthly credit card statement with the monthly TAMS budget account and its internal records (credit card receipts).
5. The department should maintain daily records of all credit card transactions and must retain all supporting documentation, including reconciliations, for 3 years.