Administrative Procedure 8.711 Administrative Procedure 8.711 abolished on 2020-01

No current Procedure.

Title

Administrative Procedure AP 8.711, Electronic Payments via University Websites

Header

Administrative Procedure Chapter 8, Business and Finance
Administrative Procedure AP 8.711, Electronic Payments via University Websites
Effective Date: March 2015
Prior Dates Amended: September 2009
Responsible Office: Office of the Vice President for Budget and Finance/Chief Financial Officer
Governing Board and/or Executive Policy: EP 1.102, Authority to Manage and Control the Operations of the Campus
Review Date: August 2018

I. Purpose

To establish uniform policies and procedures for the processing of electronic payments in accordance with University of Hawai‘i (UH) policies, banking and payment card industry(PCI DSS) requirements, the terms of the University's eCommerce services contract and all subsequent amendments.

A secure system of executing business on-line that is compatible with other University systems is imperative to protecting the University’s finances, reputation and relationships.

II. Definitions

A. eCommerce – A non-face-to-face on-line transaction using electronic media over a public or private network. Refers to all forms of business activities conducted over computer networks such as the Internet.

B. Electronic Funds Transfer (EFT) – Transfer of funds by electronic means directly to the University of Hawai‘i General Account (UHGA).

C. ePayment – An on-line, non-cash payment. Methods of electronic payments include credit cards, debit cards and electronic checks (web-checks).

D. Merchant – An entity (e.g. UH department) accepting credit cards as a form of payment. A merchant number must be established and issued by the University’s credit card contractor before credit card processing can commence. For accounting and control reasons, only the Treasury Office is authorized to request merchant numbers from the credit card contractor.

E. Merchant Fee – The service fee paid to the contractor by the merchant (UH department) accepting a credit/debit card for payment.

F. Payment Card Industry Data Security Standard (PCI DSS) – Security standards designed to safeguard credit card data and developed by the major credit card companies.

G. Payment processing service – A service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments and securely stores credit card data.

H. Unrelated Business Income Tax (UBIT) - Federal law enacted to eliminate unfair competition by placing the unrelated businesses of tax-exempt organizations on the same tax basis as non-exempt organizations. Generally, for most organizations, an activity is an unrelated business and subject to UBIT if it meets three requirements:

1. It is a trade or business;

2. It is regularly carried on; and

3. It is not substantially related to furthering the exempt purpose of the organization.

III. Administrative Procedure

A. Applicability

This administrative procedure applies to all UH campuses and departments. This policy does not cover business-to-business eCommerce in which the UH purchases goods or services or to electronic ordering and payment applications that are typically used between other businesses or institutions and the UH, usually referred to as Electronic Funds Transfer (EFT). Procedures on EFT are found in A8.702, Establishment of Electronic Funds Transfer Agreements and Receipt of Funds.

B. General

The University has implemented a secure, PCI DSS compliant, hosted eCommerce management system that supports a payment processing service for a variety of eCommerce applications. Campuses and departments that want to accept ePayments should process all sales transactions through this eCommerce management system, unless granted an exception.

Exceptions may be granted to departments who prefer to use another system. To receive an exception, departments must provide evidence to the Treasury Officer, that the University’s eCommerce management system cannot meet the department’s business needs and that the alternate system complies with University and PCI DSS requirements for security as defined in Administrative procedure A8.710, Credit Card Program

The Treasury Office reserves the right to rescind a department’s merchant number and disable the department’s ability to accept electronic payments if the department does not comply with University and PCI DSS security requirements as stated above. Departments granted an exception to use an alternate system will be responsible for any costs to operate and maintain the system as well as any data breach remediation costs resulting from failure to comply with PCI DSS requirements. Departments granted such exceptions also assume all responsibility and liability for the security of all transactions and data, including any monetary loss suffered by the University due to theft or improper use of credit card numbers and other bank account information.

C. Responsibilities

1. Treasury Office

a. Reviews and approves or disapproves requests to participate in the program.

b. Requests merchant number through the credit card contractor. eCommerce transactions require a unique, separate merchant number from in-person transactions.

c. Serve as liaison with eCommerce contractor.

2. Departments

a. Submit a memo requesting participation in the program and an eCommerce merchant number for transacting electronic payments and Attachment 1 to the Treasury Office.

b. Comply with all procedures specified by the University and the Contractor with respect to eCommerce payment transactions.

c. Provide all technical/functional support to create and maintain web pages for transactions and connectivity to the payment gateway.

d. Comply with security requirements and safeguard cardholder and data and personal financial information as set forth by the PCI DSS and UH Executive Policy EP 2.214, Security and Protection of Sensitive Information.

e. Record all revenues in University’s financial system. Reconcile daily batch settlement totals to monthly merchant statement to ensure that proper credit has been received.

f. Complete an annual PCI DSS self-review. The review will certify that the department is conducting eCommerce in the manner approved and adhering to all regulations. Any significant changes to eCommerce business activities or contacts should be noted.

D. Procedure to Participate in Program

1. Complete Attachment 1 – “University of Hawai‘i Request to Accept Electronic Payments” and submit to the Treasury Office.

2. Upon approval by the Treasury Officer, the Treasury Office will prepare the application and request for a merchant number and coordinate connectivity to the eCommerce payment gateway with the appropriate vendors and arrange for equipment/software installation and training with the department.

E. Security Incident Response Plan

All security incidents involving eCommerce transactions must be immediately reported as outlined in EP 2.214, Security and Protection of Sensitive Information.