UCR

UCR Policies and Procedures

Printer Friendly Version

For a hardcopy pdf of this document, contact the Chief Compliance Office (2-8246).

 

Policy Title:                     Credit/Debit Card Payments - Acceptance of

 

Policy Number:               200-17

 

Responsible Officer:

Campus Cashier Coordinator/Director of Student Business Services--Main Cashiers Office

Responsible Office:

Student Business Services--Main Cashiers Office

Origination Date:

05/19/2014

Date of Revision:

02/26/2019

Date of Last Review:

02/26/2019

Scope:

Guidance in Processing of & Departmental Responsibilities for Accepting Debit/Credit Cards as Form of Payment

    I.  Policy Summary

The purpose of this policy is to ensure that all merchants are in compliance with University of California, Riverside (UC Riverside) policies and procedures, appropriate minimum security standards for processing credit and debit card information are identified and adhered to, and prior approval is secured before credit and debit card (hereinafter payment card) transactions can be executed.

 

   II.  Definitions/Acronyms

·  BAMS     Bank of America Merchant Services

·  CFAO     Chief Financial Administrative Officer

·  FSSC      Financial Systems Steering Committee

·  FDMS     First Data Merchant Services

·  FAU        Full Accounting Unit

·  IVR         Interactive Voice Response

·  MID        Merchant Identification Number

·  PCI         Payment Card Industry

 

 III.  Procedures

When an operational unit at UC Riverside elects to use a payment card for the purchase of goods and services, it must first contact the University Credit Card Coordinator. UC Riverside has established business relationships with four major credit card networks:  1) Visa; 2) MasterCard; 3) Discover; and 4) American Express. Each operational unit electing to use a payment card for the purchase of goods and services must be assigned a unique Merchant Identification Number (MID) corresponding to one of three payment card types:  1) Visa/MasterCard; 2) Discover, or 3) American Express. A separate MID must always be assigned for American Express payment cards.

 

The University of California Office of the President (UCOP) contracts with First Data Merchant Services (FDMS) and its joint venture partner, Bank of America Merchant Services (BAMS), to process transactions of Visa, MasterCard, and Discover payment cards. In addition, UC Riverside uses CashNet for Internet/web processing. The services provided by FDMS include:

·  sending transactions to the issuing agency of the payment card for billing;

·  collecting funds from the issuing agency of the payment card;

·  depositing the funds collected to the designated UC Riverside account;

·  reconciling disputed charges; and

·  providing a monthly statement to the merchant for transactions and fees.

 

Because American Express does not allow third party processing, FDMS forwards the transactions to them for processing. American Express provides separate monthly statements to the merchants on transactions and fees.

 

The operational unit requests permission from the CFAO of their organization to establish a MID in order to accept payment cards for the purchase of goods and services. The CFAO reviews the request to ensure it is in line with the mission of the operational unit, rates are properly developed, and appropriate resources are available to manage the process. If acceptable, the CFAO approves/endorses the request and forwards it to cashandmerchants@ucr.edu Campus Credit Card Coordinator, who then reviews the proposal to ensure all costs associated with accepting credit cards are built into the proposed rates (e.g., credit card discount fees, processing fees, transactional fees, required equipment/software costs, internet processing fees [if applicable, servers [if applicable], maintenance [if applicable], and any other departmental costs required for support of this service). The Credit Card Coordinator also reviews to verify that the method of credit card acceptance and equipment are acceptable in meeting campus PCI standards and approves the request to initiate the MID establishment.

 

The Credit Card Coordinator initiates the establishment of the MID by submitting a New Location Request Form to FDMS. Each MID contains an associated merchant name. This name appears on the credit/debit card statement of the purchaser. The default merchant name will be UCR (department name), unless a reasonable alternative is specifically requested. In the case of multiple MIDs under a department, the department must request meaningful and unique merchant names for each MID. A separate MID is required for each alternative payment channel (i.e., Internet versus over-the-counter/card present). MID establishment takes approximately 7-10 working days.

 

The Main Cashiers Office notifies the departmental contact(s) and Accounting of all newly established MIDs. The Main Cashiers Office coordinates the lease/purchase of card swipe terminals from FDMS (if applicable) and set up of the processing system with the departmental contact(s). Regardless of the system used, the department must balance, close out, and settle the total credit/debit card transactions on a daily basis by MID. Based upon the daily transactions, the department prepares a deposit through the Cash Collection Reporting and Reconciliation System (CCRRS) to record the sales in their departmental Full Accounting Unit (FAU). The CCRRS must indicate the daily transactional totals by credit card type to ensure accurate reconciliations by the department/merchant and Accounting. Once the Main Cashiers Office verifies the CCRRS, the deposit will appear on the departmental ledgers under source code CCD.


Staff handling cash and cash equivalents must comply with Business & Finance Bulletin BUS 49:  Policy for Handling Cash and Cash Equivalents (http://policy.ucop.edu/doc/3420337/BFB-BUS-49). 

All staff handling credit cards must take “Cash Handling--The Basics” as well as “Security Awareness Training (SAT)” annually, offered on the UC Learning Management System (LMS).

 

Given risks and limited resources, the campus has a central campus Internet payment solution. This gateway securely links to a single third party processor for authorizations/approvals. The University requires merchants to use secure servers when providing for the purchase of services via the web.

 

Merchants are prohibited from storing credit card information on their servers. Additionally, the merchant's website must link to the campus hosted gateway to process payments. The gateway securely accepts the credit/debit card information from the customer and passes the encrypted transaction to this payment solution. The transaction is processed and a status message is sent back to the merchant via the gateway. The transaction status can range from notification of a successful submission, to several types of errors that can occur when credit/debit card information is submitted unsuccessfully. The department/ merchant will need to have procedures in place for resolving error conditions.

 

All merchants accepting credit/debit card payments via the web must use an e-business application and a secure server that handles all business processes. This e-business application collects customer information, maintains product/service information, processes orders for goods or services, and records only the credit card processor approval status. Campus servers and PCs cannot store credit/debit card information. Departments must coordinate with Information Technology Solutions for hardware and application specifications. Departments must adhere to all UC Policy & Procedures regarding data/information privacy and Business & Finance Bulletin IS-3 (http://policy.ucop.edu/doc/7000543/BFB-IS-3).

 

    IV.  Other Systems and Exceptions

No UC Riverside employee or third party payment processor engaged by the University may process or accept payments by payment card without prior approval of the campus Credit Card Coordinator.

 

If a department is considering a system other than those listed above, an exception request form (www.sbs.ucr.edu/merchants) must be submitted to their Organizational CFAO describing the proposal. This request must include a detailed justification why it is necessary to use something other than the standard campus systems and specific information on the proposed system. The Organizational CFAO reviews the proposal to verify that the business is in line with the mission of the unit and that resources are available to administer the proposed system and processes. If the proposal is acceptable, it is forwarded to cashandmerchants@ucr.edu and the Campus Credit Card Coordinator, who reviews the commitment of University resources for the proposed system, the rates involved, and the impact on campus community. If approved, the Credit Card Coordinator must review the final product prior to implementation of the system.

 

   V.  Accepting a Credit/Debit Card as Payment

The credit/debit card sale transaction is processed at the time the goods or services are delivered. If the goods cannot be shipped immediately, the credit/debit card must not be charged until the items are delivered.

 

Each sale transaction must be authorized first. An authorization verifies that the credit/debit card is valid and there is a sufficient credit limit available for the sale. An authorization will expire in 7-30 days depending on the type of card and the type of transaction. If the authorization has expired, another authorization will need to be executed before the sale transaction can be processed.

 

The department MUST ensure adequate security levels exist when accepting credit/debit card information for payment.

 

**Acceptable and non-acceptable methods to receive credit/debit card information can be found on www.sbs.ucr.edu/merchants 

 

  

    VI.  Refunds

Credit Card Operating Regulations require that all refunds MUST be issued to the same credit/debit card as the original sale. Refunds CANNOT be made to a different credit card. The process for issuing refunds varies depending on the type of payment system used. Refunds CANNOT be issued before the end of day settlement has been processed. Banner credit card refunds must be coordinated with Student Business Services and the Main Cashiers Office to ensure proper posting to the general ledger and may require unique Detail Codes. For those merchants authorized to charge service fees, note the service fee portion of the sale is NOT refundable.

 

Due to the potential for fraud, departments must carefully review operational procedures and determine staff members authorized to issue refunds. It is required that a department manager or supervisor with no cashiering functions be designated. Credit Card Terminals MUST have a unique password for refunds and voids to be used by the manager or supervisor. All refunds should be documented via a log with the reason for the refund (i.e., return of goods sold).

  

Under exceptional circumstances, such as when the credit/debit card account is closed, the refund can be processed via ePay with supporting documentation and settlement receipt attached.

 

 VII.  Chargebacks

There are various instances when FDMS will debit the campus' bank account to reverse a credit/debit card transaction. The reversal is referred to as a chargeback. A notice of chargeback will be sent directly to the department. If the Main Cashiers Office receives the notice, it will be forwarded on the same day received to the department contact's fax number. In addition to the notice, FDMS sends a Merchant Chargeback Summary, Chargeback Advice Form, and Chargeback Response Form to the designated departmental contact person. Accounting charges the department FAU for all chargebacks appearing on the campus bank statement.

 

It is a violation of Visa/MasterCard rules and regulations to re-bill a customer's credit card for a transaction that was charged back. If the charge is legitimate, an alternate method must be used for payment.

 

For a fee, merchants can dispute a chargeback by filing a request for arbitration with FDMS (Visa/Master/Discover) or American Express. Disputes must be initiated within 12 days or no further action can be taken. In certain circumstances, FDMS also provides good faith collection services for a fee. Contact the Main Cashiers Office for additional information.

 

VIII.  Interchange Rates

Credit card companies charge fees known as Interchange Rates, which include discount fees, processing fees and transactional fees. Fees vary based on type of transaction (i.e., card present, card not present, electronic commerce, etc.) and on the compliance of the transaction with processing guidelines. These guidelines include, among others, the use of the Address Verification Service (AVS):  a risk management tool that compares the customer's address for the sale with the address on record for the credit/debit card account, as well as an authorization occurring within 48 hours. Visa and MasterCard have similar, yet slightly different, fee structures. Discover and American Express are independent companies with their own fee structures. Internet gateways fees are accessed based on the aggregated number of transactions for all UC merchants and include a campus based transactional fee.

 

Visit www.sbs.ucr.edu for a complete list of Interchange Fees and their qualification guidelines.

 

  IX.  Service Fees

In order for a merchant to charge a service fee, campus approval must be obtained in advance. A service fee is assessed to cover the costs of offering an automated payment channel such as the Web or IVR. It may not be charged solely for the convenience of accepting the credit card, but rather for the convenience of an alternative payment channel in a non-face-to-face environment. Service fees must be charged to all payment types within a payment channel. For example, if service fees were charged for a merchant's web transactions, then all payment types including credit cards, debit cards, and ACH would be subject to the same convenience fee. In addition, each credit card company has unique regulations regarding the assessment of service fees. With this in mind, UC Riverside service fees can only be charged by approved merchants on internet transactions; AND only the campus predetermined service fee authorized merchants. The service fee portion of the purchase is not refundable.   

 

The campus approved standard service fee is based upon a percentage of the transaction amount. Only approved merchants can assess a service fee, and it must be at the standard campus rate. Student charges that are billed through Banner (e.g., tuition/fees, housing, parking) will be assessed a service fee for internet credit card payments.  

 

 

   X.  Monthly Activity Statements

FDMS provides monthly statements by MID of VISA, MasterCard, and Discover transactions and fees; FDMS also provides a month-end recap of total net sales by credit card type for each MID. American Express provides a separate monthly statements to merchants on daily transactions by MID and associated fees per transaction.

 

  XI.  Departmental Responsibilities include:

·  Coordinating the acceptance of credit/debit cards with the campus Credit Card Coordinator before any systems and/or software are purchased. 

·  Completing the appropriate forms for establishing MIDs and requesting exceptions, routing all form to their Organizational CFAO.

·  Purchasing/leasing approved processing mechanism (or requesting exceptional approval).

·  Coordinating with the Main Cashiers Office regarding set up.

·  Completion of the annual Payment Card Industry (PCI) Data Security Standards (DSS) validation process Self-Assessment Questionnaire (SAO).

·  Ensuring staff with credit/debit card processing responsibilities have passed background checks in accordance with UC Personnel Policy for Staff Members UCR Local HR Procedure 21 (https://hr.ucr.edu/policies/policiesandcontracts/ppsm21pro.html).

·  Ensure annual completion of Cash Handling (search “Cash Handling--The Basics” in LMS) and PCI Security Awareness training for all departmental staff (search "PCI DSS" in LMS).

·  Ensuring staff with credit/debit card processing responsibilities comply with Business & Finance Bulletin BUS 49:  Policy for Handling Cash and Cash Equivalents (http://policy.ucop.edu/doc/3420337/BFB-BUS-49).

·  Communication of any suspected credit card security breach to the Campus Credit Card Coordinator immediately.

·  Maintaining an inventory list of payment devices/equipment that includes device description, serial number, and location.

·  Daily inspection of payment devices for tampering and maintaining a log documenting the review process.

·  Payment devices/equipment must be kept in a secure location with limited physical access to authorized personnel designated to handle credit card payments.

·  Balancing, closing out, and settling all credit/debit card activity daily.

·  Preparing the required CCRRS entry (if applicable) with appropriate segregation of credit card types to record credit card revenue in the general ledger.

·  Reconciling the monthly activity reports to the departmental ledgers. 

·  Processing refunds according to policy and ensuring segregation of duties.

·  Responding to Media/Bank Retrieval Requests within the required timeframe.

·  Immediately researching and responding to chargeback notification.

·  Reviewing Duplicate Transaction Reports.

·  Reviewing and resolving error/reject reports. 

·  Internet/web transactions:

o  Transacting via a secure web server.

o  Coordinating with Student Business Services for access to Campus Gateway.

o  Adhering to the service fee policy (if exception approved).

·  Understanding and adhering to these policy and procedures.

 

 XII.  Contacts

·  Asirra Suguitan, Credit Card Coordinator (951) 827-3991

o    Asirra.Suguitan@ucr.edu

·  Suzanne Bailey, Main Cashiers Office Manager (951) 827-3209

o    Suzanne.Bailey@ucr.edu

·  Direct questions regarding the acceptance of credit/debit cards to the campus Credit Card Coordinator or cashandmerchants@ucr.edu.

 

For further information, visit http://www.sbs.ucr.edu/merchants/.

XIII.   Revision History

The policy and associated procedures will be reviewed, at a minimum every two years, by a representative of Business and Administrative Services. The Office of Compliance will update this policy and associated procedures to reflect changes to related policies or governing standards, regulations, laws, and other such guidance as often as required.