Payment Card Industry (PCI) Compliance Certification
78 Slides3.38 MB
Payment Card Industry (PCI) Compliance Certification A course reviewing: the security standards, guidelines and procedures designed for employees accepting, processing and reconciling credit card payments at the University of South Florida.
Credit Card Reconciliation Process
Banking, Cash Collections and Reconciliation Training Today’s training has been design for all departments that accept credit cards and new staff that need to understand the process of reconciling credit cards. 3
University General Ledger Accounts On this training we will talk about the credit card accounts. There are two main credit card accounts: Regular Credit Card Student Tuition Account In the general ledger they both have a different account number. Account General Ledger account Regular Credit Card 10061 Student Tuition Account 10071 We also have two different systems Banner (Oasis) used for all student transactions and People Soft (Fast) used for all other transactions. If the deposit number or the paperwork submitted to the cashiers office is not properly identified, a deposit could be posted in the incorrect general ledger account. 4
Credit Card Accounts Regular Credit Card Account: Account used for all University departments and all three Campus: Tampa, St. Pete Sarasota Student Tuition Account: Account used for all Student Tuition, Transcripts, Admissions and Housing. 5
To request new credit card merchant 1. Send an email requesting your new credit card merchant account to General Accounting. ( [email protected]) 2. A form will be sent to you to provide the merchant name, the contact person, phone number, fax number, email address and campus mail address. 3. We will also need a chart field to post the revenue and the merchant fees. 4. Also specify which credit card types would you like to accept: Visa, Master Card, Discover and American Express. 6
Changes in your Department On a new Fiscal Year some departments close a fund or a project and open another. If any change occurs on the revenue or merchant fees chart field, we encourage you to inform General Accounting to make the appropriate correction. Also if an employee leaves the department please make sure you notify us so we can make sure we contact the new employee to have our credit card contact list updated. Also a change on name if you get married and your email changes please notify us to make the changes as well. 7
Types of transactions accepted The University of South Florida has two different forms of accepting a credit card transaction. Online payments or card not present transactions: these are processed thru Touch net Payment Gateway. A website is setup for the department to receive the payments online for the products or services they want to provide. Card Swipe or Card present transactions: This is the typical transactions where the customer is present and swipes its card to pay for the transaction. 8
Wells Fargo Merchant Services: 1. On their website https://www.myclientline.net ,we can view all our credit card deposit activity, chargebacks, merchant fees at all times. 2. All departments have access to this website and they are responsible for reconciling on a monthly basis and save a copy for audit purposes 3. If you have not setup your account in client line please do so to view your merchant statements and reconcile. You will need your merchant number, bank account number and tax id number. If you do not have this information send me an email and I would gladly sent it to you. 9
Recording credit card deposits: 1. All credit cards being processed thru touch net are posted on a daily basis by the cashier’s office but the chargebacks need to be posted by the department. 2. All departments that send the credit card deposits to the cashier’s office to be posted should do them on a daily basis. Deposits are sent to cashiers in a Miscellaneous receipts Form. Please remember to write the correct chart field, the deposit number and the amount. 3. The deposit number for Visa, Mastercard, and Discover merchants is the last five numbers of the merchant number: USF Athletics – 482032953994 53994 4. For American Express merchants the deposit number is: 376 the last three numbers of your merchant number : o USF Athletics – 4098139008 – 376008 10
11
Deposits sent to the cashiers thru email When sending the cashiers office deposits thru an email please remember to : The cashier’s office email to send paperwork to be posted is [email protected] Attach paperwork with deposit number, amount, date and specify if it is a credit card or lockbox deposit since they belong to different general ledger accounts. Make sure the email was received by the cashiers office and that you have a confirmation from them. Also if it is a correction make sure to write a brief but clear note of what is being corrected. The date of the original transaction and the amount. 12
Backup paperwork needed? All departments that originate their own Miscellaneous Receipts Form should include back up paperwork for example: o copy of the invoice, check , credit card slip, etc. All information pertaining the deposit should be included in order to have backup papers for future reference. On the Miscellaneous Receipts Form do not change the order of the chart field. It is in order to assist the data entry process for the cashiers. 13
Deposits sent to cashier’s office: The Cashier’s Office rules are: 1. Take all deposits to the office before 2:30 p.m. in order to be processed the same date. 2. If a deposit number is not on the paper submitted it will be returned to the department. 3. Identify clearly if it is an e check, check, lockbox, credit card and remember all American Express deposits should be posted separate from the Visa, Master Card and Discover Card. 4. If submitting a prior month correction please write a note stating the correction and the original transaction’s date and amount to facilitate the reconciliation process. 14
Departments reconciliation: 1. All departments are responsible of reconciling their credit card account on a monthly basis. 2. Find your Book side at FAST – DATA MART – FINANCE MART 3. The credit card account in the General Ledger is 10061. 4. Compare all deposits posted in your revenue account against your merchant statements information which is your Bank side. 5. It is your responsibility to follow up, dispute, and resolve all chargebacks done to your credit card account. 6. Send to cashiers office all refunds to be posted. Debits and negative amounts. 7. Save a copy of your reconciliation for audit purposes. 15
Department reconciliation: Finance Mart Go to MyUSF Data mart Finance Mart On report type select o Balance Sheet Summary o Enter the department # and the fund Select : check to enable period selection View Report o Select 10999 Total Cash o Select account 10061 which is the credit cards GL account Bank Merchant Statements Go to www.myclientline.net Go to merchant login and enter your user id and password. Select from Statements o Card Processing Statements Print the Statement Compare deposits from the Finance Mart Report with the Merchant statements report from Wells Fargo Merchant Services. 16
Chargeback recording: 1. The contact person for the department will receive a chargeback document that the bank sends General Accounting and they make a copy and send to the contact person via campus mail . 2. It is your responsibility to print your merchant statement and review if any chargeback has been charged to your account, follow up with the student or owner of the credit card. Dispute and send any information, the bank is requesting. 3. Send the appropriate Miscellaneous Receipts form with the posting of the chargeback to the cashier’s office. Also remember to write a note and include any backup paperwork. 17
All corrections and chargebacks posting should be on the same month: 1. All prior month corrections should be stated in a note in the Miscellaneous Receipts form sent to the cashiers. o Include as much information to be able to tie the correction to the original transaction. 2. All chargebacks are always in the first page of your merchant statements. 3. All corrections and chargebacks should be posted or corrected in the same month . 4. Chargebacks are also known as debits in your merchant statements and they are negative amounts. 18
General accounting reconciliation process: The accountant has 30 days to reconcile the accounts for all the credit card departments. There is 30 days to make corrections for the current month. After 60 days all corrections are going to be addressed by the Staff Accountant and the General Accounting Supervisor. Prior to year end old outstanding items will be removed from the Credit Card account and placed in a suspense account. After a year they will be taken against merchant fees or revenue if the department doesn’t provide another chart field where they would like it to be posted. 19
Understanding your merchant statements 20
Visa, Master Card and Discover merchant statements: Go to : https://www.myclientline.net Log in with your user Id and password Proceed to Statements on your right side Select Statement Type - Location Select the date year and month Open the statements Print statement 21
22
23
24
25
26
How to create a report: Go to Applications on your top left hand side Go to Reports / Create a Report o Select : Sales/Funding, Transactions o On Date Type: Select Funded Date to match the bank o On Report Type: Select Detail Select the Date Range needed Then Hit Next Hit Run Now on your Right hand side The report will be available and you can export it as a PDF file, Excel Spreadsheet, CSV or HTML. 27
28
29
30
31
32
33
34
American Express merchant statements: Go to https://sso.americanexpress.com Log in with your user id and password Select the month you need to view an hit view statement If you need to view a prior month statement go to customize statement Select the month and hit Go Select view E statement Select print The merchant fees are called Discount Amount on the American Express statements. 35
36
Credit card machine replacement: Please contact Cherie Carson or Noemi Merced in General Accounting to find out if your credit card is still under warranty. All replacements should be done thru us so we can get the best deal for your department according to our contract with Wells Fargo Merchant Services. 37
Payment Collection and Internal Controls
Agenda Enhance USF Business Practices Establish Internal Controls related to accepting payments at the University How to apply appropriate segregation of duties The roles, responsibilities, procedures and constraints associated with each step Four Functions of Segregation of Duties Record Keeping Authorization Custody Reconciliation 39
Accountability & Internal Controls Defining Accountability Internal Controls Examples
Defining Accountability Delegation of authority to qualified persons to: o Initiate, approve, process and review business transactions Holding these persons responsible for: o The validity, correctness and appropriateness of their actions 41
Accountability Everyone is accountable for their actions Of all the individuals involved in the receipt, recording and balancing of funds, the person of ultimate responsibility is the custodian Payment processors are accountable for o Recording payments accurately o Observing all of the USF internal controls o Protecting the cardholders information Supervisors are accountable for o Proper allocations of payments o Assignment of duties that comply with separation of duties guidelines Others are accountable for o Proper transfer of custody of payments Accountable officers are ultimately responsible for payment transactions. 42
Internal Controls Protect o USF o USF staff Are designed to provide reasonable assurance regarding: o Effectiveness and efficiency of operations o Reliability of reporting o Compliance with applicable rules, laws, and regulations 43
Internal Controls as They Relate To Cash Management Internal controls specifically ensure: o The safety of all funds o The timeliness of recording the receipt of all funds o That assignment of duties complies with separation of duties guidelines o That reconciliations are completed and reviewed on a monthly schedule o A sound audit trail and adequate documentation are created Find specifics on internal controls on: www.usf.edu/businessprocesses 44
Internal Controls - Examples Generally, access to credit card terminals and POS systems must be limited to a primary and a secondary custodian Physical safety of the information and equipment must be ensured at point of collection and then stored overnight All adjustments must be documented and approved by a supervisor (authorizer) The payments must balance to the system where the payments were recorded Deposits must be reconciled to the general ledger 45
Segregation of Duties Defining Segregation of Duties The Four Functions of Segregation of Duties Record Keeping Authorization Custody Reconciliation When Segregation is not possible Examples
Separation of Duties Separation of duties protects USF and the individual by ensuring that no one person has the ability to control all of the steps involved in handling and accounting for money received by USF. Custody Authorization Record Keeping Reconciliation The ideal is that any one person performs only one function; four people are needed for the four functions 47
Four Functions of Segregation of Duties The four functions are Record Keeping, Authorization, Custody and Reconciliation The ideal is that any one person performs only one function; four people are needed for the four functions If one person performs two functions o Risk exists that presents the opportunity for something to go wrong o A compensating control is needed to reduce the risk o The compensating control might be an extra layer of review 48
Segregation of Duties 49
When Segregation Is Not Possible If one person performs two or more of the functions: o Risk exists that presents the opportunity for something to go wrong o A compensating control is needed to reduce the risk o The compensating control might be an extra layer of review 50
Examples of Compensating Controls A manager may perform a high level of review of detailed transaction reports A manager may periodically sample transactions and request supporting documentation to ensure the transactions are complete, appropriate, and accurate. Someone from an another area may perform an external review of a reconciliation. For instance two departments within a college may share responsibility to review each others reconciliations. Some colleges and units have a centralized business services department 51
Record Keeping Defining Record Keeping Retention Examples
Record Keeping Record keeping is the process of creating and maintaining official records Record keeping may occur manually or through an automated data system Record Keeping Examples: o Mail log – paper or electronic o Customer receipts Official USF pre-numbered cash receipts System generated cash receipts o Deposit slips o Credit card receipts o Cash register reports o EFT (electronic funds) payment documents o Balancing and reconciliation reports 53
Record Keeping - Retention Observe record retention requirements o o Find information on Online Business Processes Also find information on the Purchasing web site Records serve multiple needs o o Compliance with best business practices Helpful in researching a question 54
Authorization Defining Authorization Best Practices
Authorization Authorization is the process of granting formal approval to perform a specific function For example, someone must be authorized in order to perform one of the following functions: Verify cash collections Review daily balancing reports Approve discounts, voids, or refunds 56
Authorization The person who originally created a transaction should not be: o The one who makes a correction o The one who creates a void o The one who creates/approves a refund The best practice is to have a supervisor take these actions 57
Custody Defining Custody System Passwords Register Keys Storage of Funds
Custody Having access to or control over any physical asset Custodians: o Collect and handle payments o Prepare deposits o Have access to safes, lock boxes, & file cabinets where funds are kept o Custodians of petty cash funds or change funds 59
Custody – System Passwords All cash registers or Point of Sale (POS) systems should be password protected to assign accountability and fix responsibility Every person must have their own password Passwords must never be shared Don’t write your passwords down If you need to leave the work area, sign off your password; log back on when you return Passwords should be changed periodically Passwords should be inactivated whenever a custodian vacates the position 60
Custody – Register Keys If your cash register or point-of-sale system uses key access: Only essential staff should possess the keys An inventory of the keys should be kept Keys should never be shared Keys must be collected whenever a custodian vacates the position Custody – Storage of Funds The safe or lock box combination should be changed: Any time an employee with knowledge of the combination or access to the key terminates or is reassigned Periodically Funds should never be stored in a desk, even if it is locked 61
Reconciliation Defining Reconciliation Why Reconcile? Transaction Reconciliation Non-Inventory Reconciliation Credit Card Reconciliation Reconciliation Guidelines
Reconciliation & Balancing Cashier Balancing Check Log Balance 63
Defining Reconciliation A reconciliation is simply a comparison of two sets of information as of the same point in time Identify the differences between what actually did post in Finance Mart vs. what you expected to post in Finance Mart Why Reconcile? Good internal controls and sound business practices necessitate the reconciliation of funds by business staff USF needs assurance that all assets are safeguarded and used to the best benefit of the university 64
What Do We Reconcile? Point of sale transactions ( POS ) Check logs Bank card payments E check payments Transaction posting in FAST and FM Credit Cards Inventory 65
Point of Sale Transactions ( POS ) The POS system should o Record sales and cash collections o Produce a daily detailed sales report o Produce a pre-numbered customer receipt Reconciliations to perform o Balance the cash drawer o Balance the day’s sales to actual collections o Reconcile daily balancing sheet to deposit 66
Transaction Reconciliation Reconcile o Deposits to accounts receivable postings o Deposits to general ledger postings o Inventory to sales Finance Mart is the official reporting system o Confirm that correct chart fields were used o Submit corrections immediately o Confirm that corrections posted correctly o Find detail in FAST or OASIS 67
Non-Inventory Reconciliation Some sales may not involve tangible inventory To ensure that all billings have been completed, review o Room usage logs o Equipment or lab usage logs o Participant lists or class rolls o Order forms or contracts for services 68
Credit Card Reconciliation When credit cards are used with a POS o POS system should produce a report of credit card transactions o Compare the POS report to the daily settlement report o Supervisor reviews this 69
Reconciliation - Guidelines Reconciliation must be performed by a person with no cash handling responsibilities The reconciliation must be dated and signed or initialed The reconciliation should be reviewed by an independent party The prescribed procedure should be followed; find reconciliation resources on the UCO web site 70
Glossary Account Number The 16-digit account number that appears in print on the front of all valid credit cards. The number is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid. Address Verification Service (AVS) AVS allows USF Merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement for that account) given by a customer with the billing address on the card issuer’s master file before shipping an order. AVS helps merchants minimize the risk of accepting fraudulent transactions in a card-not-present environment by indicating the result of the address comparison. Authorization The process by which a card issuer approves or declines a credit card purchase. Authorization occurs automatically when you swipe the magnetic stripe of a payment card through a card reader. See also: Voice Authorization Center. “Call” or “Call Center” response A response to a merchant’s authorization request indicating that the card issuer needs more information about the card or cardholder before a transaction can be approved; also called a referral response. Card Acceptance Procedures The procedures USF Merchants and Employees must follow at the point of sale to ensure a card and cardholder are valid. Card Expiration See Good Thru date. Cardholder The person to whom a credit card is issued. Card-Not-Present A merchant, market, or sales environment in which transactions are completed without a valid credit card or cardholder being present. Card-not-present is used to refer to mail order, telephone order, and Internet merchants and sales environments. 71
Card-Present A merchant, market or sales environment in which transactions can be completed only if both a valid credit card and cardholder are present. Card-Present transactions include traditional retail—department and grocery stores, electronics stores, boutiques, etc.—cash disbursements, and self-service situations, such as gas stations and grocery stores, where cardholders use unattended payment devices. Card Security Features The alphanumeric, pictorial, and other design elements that appear on the front and back of all valid credit card and debit cards. Card-Present merchants must check these features when processing a transaction at the point of sale to ensure that a card is valid. Card Verification Value 2 (CVV2) A fraud prevention system used in card-not-present transactions to ensure that the card is valid. The CVV2 is the three-digit value that is printed on the back of credit cards. Card-not-present merchants ask the customer for the CVV2 and submit it as part of their authorization request. For information security purposes, merchants are prohibited from storing CVV2 data. Cardholder Information Security Program (CISP) A program that establishes data security standards, procedures, and tools for all entities— merchants, service providers, issuers, and merchant banks—that store cardholder account information. CISP compliance is mandatory. Chargeback A transaction that is returned as a financial liability to a merchant bank by a card issuer, usually because of a disputed transaction. The merchant bank may then return or “charge back” the transaction to the merchant. Code 10 Call A call made to the merchant’s voice authorization center when the appearance of a card or the actions of a cardholder suggest the possibility of fraud. The term “Code 10” is used so calls can be made without arousing suspicion while the cardholder is present. Specially trained operators then provide assistance to point-of-sale staff on how to handle the transaction. Copy Request A request by a card issuer to a merchant bank for a copy or facsimile of a sales receipt for a disputed transaction. Depending on where sales receipts are stored, the merchant bank either fulfills the copy request itself or forwards it to the merchant for fulfillment. A copy request is also known as a retrieval request. 72
Credit Receipt A receipt that documents a refund or price adjustment a merchant has made or is making to a cardholder’s account; also called credit voucher. Disclosure Merchants are required to inform cardholders about their policies for merchandise returns, service cancellations, and refunds. How this information is conveyed, or disclosed, varies for Card-Present and Card-Not-Present merchants, but in general, disclosure must occur before a cardholder signs a receipt to complete the transaction. Firewall A security tool that blocks access from the Internet to files on a merchant’s or third-party processor’s server and is used to ensure the safety of sensitive cardholder data stored on a server. Good Thru Date The date after which a bankcard is no longer valid, embossed on the front of all valid credit cards. The Good Thru date is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid. See also: Card expiration date. High-Risk Merchant A merchant that is at a high risk for chargebacks due to the nature of its business. High-risk merchants include direct marketers, travel services, outbound telemarketers, inbound teleservices, and betting establishments. Internet Protocol Address A unique number that is used to represent individual computers in a network. All computers on the Internet have a unique IP address that is used to route messages to the correct destination. Key-Entered Transaction A transaction that is manually keyed into a point-of-sale device. Magnetic Stripe The magnetic stripe on the back of all credit cards is encoded with account information as specified in the Payment Card Industry Operating Regulations. The stripe is “read” when a card is swiped through a Point of Sale (POS) terminal. On a valid card, the account number on the magnetic stripe matches the account number on the front of the card. Magnetic Stripe Reader The component of a point-of-sale device that electronically reads the information on a payment card’s magnetic stripe. Mail Order / Telephone Order (MO / TO) A merchant, market, or sales environment in which mail or telephone sales are the primary or a major source of income. Such transactions are frequently charged to customers’ bankcard accounts. See also: Card-not-present. 73
Merchant Agreement The contract between a merchant and a merchant bank under which the merchant participates in a credit card company’s payment system, accepts credit cards for payment of goods and services, and agrees to abide by certain rules governing the acceptance and processing of credit card transactions. Merchant agreements may stipulate merchant liability with regard to chargebacks and may specify time frames within which merchants are to deposit transactions and respond to requests for information. Merchant Bank A financial institution that enters into agreements with merchants to accept credit cards as payment for goods and services; also called acquirers or acquiring banks. Merchant Chargeback Monitoring Program (MCMP) A program that alerts merchant banks when one of their merchants has a chargeback-to-transaction rate of over one percent. Merchants then work with the bank to reduce their chargeback rates to acceptable levels. Failure to reduce chargebacks can result in fines for a merchant. Payment Gateway A system that provides services to Internet merchants for the authorization and clearing of online credit card transactions. Pick-Up Response This response indicates that the card issuer would like the card to be confiscated from the customer. However, USF Employees should not attempt to pick up credit cards, even when the card issuer requests this action, as this could potentially cause confrontation and safety issues. Point-of-sale Terminal (POS terminal) The electronic device used for authorizing and processing bankcard transactions at the point of sale. Printer Number A four-digit number that is printed below the first four digits of the printed or embossed account number on valid credit cards. The four-digit printed number should be the same as the first four digits of the account number above it. The printed four-digit number is one of the card security features that merchants should check to ensure that a Card-Present transaction is valid. Representment A chargeback that is rejected and returned to a card issuer by a merchant bank on the merchant’s behalf. A chargeback may be represented, or redeposited, if the merchant or merchant bank can remedy the problem that led to the chargeback. To be valid, a representment must be in accordance with Payment Card Industry Operating Regulations. 74
Sales Receipt The paper or electronic record of a bankcard transaction that a merchant submits to a merchant bank for processing and payment. In most cases, paper drafts are now generated by a merchant’s POS terminal. When a merchant fills out a draft manually, it must include an imprint of the front of the card. Skimming The replication of account information encoded on the magnetic stripe of a valid card and its subsequent use for fraudulent transactions in which a valid authorization occurs. The account information is captured from a valid card and then re-encoded on a counterfeit card. The term “skimming” is also used to refer to any situation in which electronically transmitted or stored account data is replicated and then re-encoded on counterfeit cards or used in some other way for fraudulent transactions. Split Tender The use of two forms of payment, or legal tender, for a single purchase. For example, when buying a big-ticket item, a cardholder might pay half by cash or check and then put the other half on his or her credit card. Individual merchants may set their own policies about whether or not to accept split-tender transactions. Third-Party Processor A non-member organization that performs transaction authorization and processing, account record keeping, and other day-to-day business and administrative functions for issuers and merchant banks. Transaction The act between a cardholder and merchant that results in the sale of goods or services. Unsigned Card A seemingly valid credit card that has not been duly signed by the legitimate cardholder. Merchants cannot accept an unsigned card until the cardholder has signed it, and the signature has been checked against a valid, government-issued Photo ID, such as a driver’s license or passport. Voice Authorization An authorization obtained by telephoning a voice authorization center. Voice Authorization Center An operator-staffed center that handles telephone authorization requests from merchants who do not have electronic POS terminals or whose electronic terminals are temporarily not working, or for transactions where special assistance is required. Voice authorization centers also handle manual authorization requests and Code 10 calls. 75
Resources Office of University Audit & Compliance Online Business Processes Additional training resources are available on the University Controllers Office website o UCO Website About UCO Training Banking and Cash Management Credit Card Reconciliation Process Lock Boxes and ACH’s Internal Controls Separation of Duties 76
Are you ready for the Quiz? 77