Administrative Procedure AP 8.710, Credit Card Program

Administrative Procedure Chapter 8, Business and Finance
Administrative Procedure AP 8.710, Credit Card Program
Effective Date:  March 2015
Prior Dates Amended:  June 1992, July 2001, April 2005    
Responsible Office: Office of the Vice President for Budget and Finance/Chief Financial Officer
Governing Board and/or Executive Policy: EP 1.102, Authority to Manage and Control the Operations of the Campus
Review Date:  August 2018

To provide uniform procedures for the processing of credit card transactions in accordance with University of Hawai‘i (UH) policies, banking and payment card industry requirements, the terms of the UH credit card contract and all subsequent amendments.

A.  Contractor – The vendor contracted by the University to provide credit card processing services.

B.  eCommerce – A non-face-to-face on-line transaction using electronic media over a public or private network.  Refers to all forms of business activities conducted over computer networks such as the Internet.

C.  Merchant – An entity (e.g. UH department) accepting credit cards as a form of payment.  A merchant number shall be established and issued by the University’s credit card contractor before credit card processing can commence.  For accounting and control reasons, only the Treasury Office is authorized to request merchant numbers from the credit card contractor.

D.  Merchant Fee – The service fee paid to the contractor by the merchant (UH department) accepting a credit/debit card for payment.

E.  Payment processing service – A service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments and securely stores credit card data.

A.  Applicability

This administrative procedure applies to all campuses and departments of the University of Hawai‘i.

B.  Responsibilities

    1.  The Treasury Officer approves or disapproves requests to participate in the program.  This includes requests to use a third party payment processing service to accept credit card payments over the web.

    2.  The campus/department shall comply with all procedures specified by the University and the Contractor with respect to sales drafts and related transactions.

    3.  The campus/department shall comply with security requirements and safeguard cardholder data as set forth by the Payment Card Industry (PCI).

    4.  The campus/department is responsible for the payment of the rental costs of equipment or software, dedicated telephone line, and the merchant fee.

    5.  The campus/department utilizing third party payment processing service to accept credit card payments over the web shall ensure that they comply with all University, banking and payment card industry security requirements.

C.  Procedure to Participate in Program

    1.  Requests to participate in the credit card program shall be addressed to the Treasury Officer and contain the following:

        a.  The justification for participating in the credit card program.

        b.  The legal authority that permits the campus/department to collect and deposit State or UH cash receipts.

    2.  Upon approval by the Treasury Officer, the Treasury Office shall notify the Contractor's representative to establish a merchant number and contact the department to arrange for equipment/software installation and training.

D.  Procedure to Process Credit Card Sales

    1.  All sales drafts shall be signed by the cardholder at the time of sale.  Exceptions to this are purchases by mail, telephone, fax, and eCommerce orders.  If a mail, telephone, fax, or eCommerce order is received, it must list the entire account number, card expiration date, cardholder's name, and amount to charge.

    2.  Specific instructions for credit card sales transaction processing are included in the user manual provided by the Contractor.

E.  Procedure to Refund Credit Card Purchase

    1.  All refunds of goods and services paid for by credit card shall be made by credit vouchers.  Department personnel shall review and sign each credit voucher.  Refunds for eCommerce sales must be processed through the eCommerce software application.  The amount of the credit voucher shall not exceed the amount of the original transaction as reflected on the sales draft.

    2.  Specific instructions for refund processing are included in the user manual provided by the Contractor.

F.  Procedure to Record Credit Card Sales in the University’s financial system

    1.  All terminals shall be settled daily to receive credit for transactions processed. Specific settlement instructions are included in the user manual provided by the Contractor.

    2.  Contractor shall credit the University’s checking account no later than two (2) business days following transmission.  Department shall process a credit card receipt (CCR) to record the credit in the financial system.  Prepare one CCR for each batch settled.

    3.  If refunds exceed sales, process a CCR.  To record a negative deposit, enter a negative amount in the accounting line.

    4.  A transaction may be charged back to the merchant when the cardholder disputes the sale or asserts that the sale was fraudulently processed.  The fiscal administrator (FA) shall investigate the claim and respond to the Contractor by the date specified on the chargeback notice.

G.  Reconciliation and Payment of Merchant Fees

    1.  The Contractor shall submit monthly, an original and two copies of invoice to each department for each merchant number.

    2.  Departments shall reconcile the daily batch settlement report to the monthly merchant statement to ensure that the merchant is properly credited.

    3.  The Contractor shall submit annually each July, an original and two copies of invoices to each department for the rental of equipment or software.

    4.  Purchase orders shall be issued to the Contractor for payment.

H.  Procedure to Withdraw from Credit Card Program

    1.  Submit written request to the Treasury Officer, with explanation to withdraw from the credit card program.

    2.  Upon approval, the Treasury Office shall coordinate the closing procedures with department and Contractor.

I.  Security Policies and Procedures for Credit Card Data

    1.  It is the responsibility of all credit card merchants to safeguard cardholder data.  Every effort shall be made to prevent theft or inappropriate use of cardholder data to include:

        a.  Cardholder data shall be securely disposed of after meeting State of Hawai‘i records retention requirements.

        b.  The full contents of any track from the magnetic stripe (on the back of a card, in a chip, etc.) in the database, log files, or point of sale products shall not be stored.

        c.  The card validation code (3-digit value printed on the signature panel of a card) shall not be stored in any database, log file or point of sale product.

        d.  All but the last 4 digits of the cardholder’s account must be masked when displaying cardholder data.

        e.  Account numbers must be rendered unreadable anywhere it is stored by means of encryption or truncation.

        f.  Account numbers shall be masked before being logged in an audit log.

J.  Security Policies and Procedures for Credit Card Data From eCommerce Transactions

    1.  eCommerce merchants shall implement data security procedures to conform to University information security policy and current PCI data security standards which includes:

        a.  Install and maintain a working firewall to protect data.

        b.  Nonuse of vendor supplied defaults for system passwords and other security parameters.

        c.  Protect stored data.

        d.  Encrypt transmission of cardholder data and sensitive information across public networks.

        e.  Use and regularly update antivirus software.

        f.  Develop and maintain secure systems and applications.

        g.  Restrict access to data by business need to know.

        h.  Assign a unique ID to each person with computer access.

        i.  Restrict physical access to cardholder data.

        j.  Track and monitor all access to network resources and cardholder data.

        k.  Regularly test security systems and processes.  eCommerce merchants must conduct a self-assessment survey and network system scan.  The frequency is based on current PCI guidelines.

        l.  Maintain a policy that addresses information security.

K.  Security Incident Response Plan

    1.  The department shall immediately notify the University’s credit card Contractor and the Treasury Office when cardholder data is breached.

        a.  The program manager shall investigate the circumstances causing the breach and quickly resolve it.  Failure to comply with security procedures and rectify the violation may result in heavy fines imposed by the credit card companies.

    2.  All security incidents involving eCommerce transactions shall also be reported immediately to the ITS Information Security Officer and Incident Response Team.

        a.  Minimally, the Incident Response Team shall be comprised of the ITS Security Officer, the Application Security Administrator, the System Security Administrator, and the Credit Card Contract Administrator.

        b.  In the event that cardholder data from an eCommerce transaction is compromised, incident response team shall follow procedures outlined in EP 2.214, Security and Protection of Sensitive Information.

There is no administrative specific delegation of authority.

Treasury Office, 956-2144, or wendall@hawaii.edu
Website:  http://www.fmo.hawaii.edu/cash_handling/index.html#tab7

    A. Link to superseded Executive Policies in old format https://www.hawaii.edu/policy/archives/ep/
    B. Link to Administrative Procedures in old format https://www.hawaii.edu/policy/archives/apm/sysap.php

None

    Vice President for Budget and Finance/Chief Financial Officer