1.7.5 Credit and Debit Card Transactions

Purpose

This section defines and outlines university policy with regard to the acceptance, handling and processing of credit and debit card transactions.

Introduction

The Cashier's Office is responsible for overseeing merchant payment card accounts for the university. The university's preferred method of processing credit/debit card payments is via the CASHNet system E-market site or stand-alone terminals as utilized by the Cashier's Office. All requests for processing credit card payments must be sent to the Cashier's Office for review. Customer credit card payment processing can only take place after approval by the Cashier's Office. Any card payment related contracts or purchases of services, software and/or equipment must be approved by the Cashier's Office before the vendor agreement is executed by the university.

Schools/Colleges/Divisions interested in accepting payment cards must complete and submit an Application to Establish a Cash Collection Center, E-commerce Website and/or Stand-alone Merchant Terminal to the Cashier's Office. Forms are available at the Cashier's Office website:

http://fisops.wayne.edu/bursar/cashier/emarket.php

A University School/College/Division unit that accepts payment cards from internal and/or external customers is a merchant.

Business Requirements

1.1.     General Responsibilities for Merchants (Schools/Colleges/Divisions) Accepting Payment Card Transactions:

  • Obtain approval by the Cashier's Office before entering into any merchant credit card contract, acquisition, or replacement of equipment, software, internet provider or wireless device for the processing of debit/credit card transactions.  This requirement applies regardless of the transaction method or technology used (e.g., e-commerce, point of service (POS) device).
  • Comply with applicable sections of Appendix - Payment Card Merchant Services and Payment Card Industry Data Security Standards (PCI DSS).
  • Maintain an Information Security Agreement for employees processing payment cards.
  • Establish procedures to prevent access to cardholder data in physical or electronic form including, but not limited to, the following: hard copy or media containing credit card information must be stored in a locked drawer or office; departments should establish password protection on computers; visitor sign-in logs, escorts and other means must be used to restrict access to documents, servers, computers, and storage media. Access to physical or electronic cardholder data must be restricted to individuals whose job requires access.
  • Do not store customer card information (physical or electronic).  Copies of all transactions will be stored in a secure area in the Cashier's Office for up to 12 months from sale date unless there is a strong business reason to store these transactions for a longer period.
  • Supervisors including Deans, fiscal officers/business managers and system managers must communicate this Cash Collection Policy to their staff and maintain an Information Security Agreement.  Refer to APPENDIX C for all personnel engaged in payment card transactions.
  • A unique ID must be assigned to each person with computer access to payment card information. User names and passwords must not be shared.
  • Full or partial payment card numbers and three or four digit validation codes (usually on the back of cards) may not be faxed or e-mailed.
  • Do not store the three or four digit CVV or CVV2 validation code from the payment card, the Personal Identification Number (PIN) or the magnetic stripe information. This is a violation of PCI guidelines.
  • Establish appropriate segregation of duties between personnel handling credit card processing, the processing of refunds, and the reconciliation function.
  • Perform background checks on potential employees who have access to systems, networks, or cardholder data within the limits of Wayne State University policy.
  • Terminals and computers must truncate the payment card number, ideally so that only the last four digits of the account number are displayed.
  • The use of imprint machines to process credit card payments is prohibited as they display the full 16 digit payment card number on the customer copy.
  • If you know or suspect that payment card information has been exposed, stolen, or misused, this incident must be reported immediately to the Cashier's Office and Office of Internal Audit. Complete and send the online TIPs form at http://internalaudit.wayne.edu/report.php. The Cashier's Office will contact the C&IT Information Security Office, as required by the University "Incident Handling Protocol Response" requirement.

1.2.     Procedures to Deposit and Report Credit Card Sales

Payment card transactions are monetary transactions and therefore are subject to the same control and reconciliation policies as cash transactions.  A daily accounting of receipts, from sales or deposits, should be balanced against these electronic transactions.

Payment card sales should be deposited along with any currency, coins, and checks at the Cashier's Office. The actual funds for payment card transactions are automatically deposited electronically into the university's bank account and reconciled by the General Accounting Office. All personnel authorized to process payment card payments must exercise reasonable care in accepting credit card transactions to reduce card misuse and loss of funds. Schools/Colleges/Divisions should follow the applicable guidelines shown below to deposit and report credit card sales:

  1. Schools/Colleges/Divisions using stand-alone merchant terminals (such as Omni/Verifone) must close the batch on a daily basis and print out a Batch Settlement report.

  2. The Batch Settlement report along with a completed Sundry Remittance Form will be brought to the Cashier's Office for deposit within two business days.

  3. Schools/Colleges/Divisions using CASHNet Marketplace applications are responsible for reconciling payments accepted online to ensure revenue updates correctly to Banner Finance (general ledger). 

  4. Charge-backs and rejected payment card transactions will be charged to the departmental account. 

  5. Bank reports reflecting rejects and charge-backs will be sent to the originating department from the Cashier's Office.

1.3.     Mail Order, Telephone Order, Delayed Delivery, and Recurring Transactions

The merchant may not engage in mail order, telephone order, delayed delivery, and/or recurring transactions unless previously indicated on the merchant application.  The merchant assumes all risk associated with accepting mail order, telephone order, delayed delivery, e-commerce and recurring transactions, including, but not limited to, fraudulent sales transactions.

1.4.     Record Retention Policy

Schools/Colleges/Divisions should annually review their Record Retention Policy to ensure compliance with Payment Card Industry Data Security Standards as defined in the Appendix - Payment Card Merchant Services and Payment Card Industry Data Security Standards (PCI DSS).