University-Wide Funds Handling Guidelines


CREDIT CARDS
West Virginia University
Revenue Services





Training
Setup
PCI
Accepting Credit Cards
Customer Receipts
Timeliness
Refunds
Cardholder Data
Security
Disposal
Reconciliation


All employees responsible for collecting
receipts are required to complete the
University’s Funds Handling Training
Program.
Employees are also required to be
knowledgeable of their department’s
specific Funds Handling Procedures.

Departments that choose to accept credit
cards must contact Revenue Services and
complete the Point of Sale (POS) Credit Card
Setup Form and the Request for Depository
Designation for Credit Cards Form.


All departments must maintain compliance
with the Payment Card Industry Data
Security Standard (PCI DSS).
All departments wishing to use third party
vendors must have PCI-DSS compliance
verified by Revenue Services.
Control Objectives and Requirements

Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Implement strong access control measures.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an information security policy.
12. Maintain a policy that addresses information security.


Individuals must determine that the signature
on the credit card sales draft is the same as
the authorized signature provided on the
back of the card.
If the back of the credit card is not signed, ask
to see the customer’s identification, such as a
driver’s license.


All point-of-sale customers must receive a
receipt for credit card transactions, such
as a validated copy of the document, a cash
register receipt, a credit card terminal
receipt, or a copy of a pre-numbered receipt
from a cash receipt book.
Each employee responsible for collecting
receipts must close out cashiering
operations (credit card terminal) at the
end of their shift.



Credit Card transactions are to
be batched and settled daily.
Send Miscellaneous Receipts
and corresponding Credit Card
Activity Reports to Revenue
Services (or keying location)
upon settlement.
Decentralized keyers should
forward all Credit Card Activity
Reports received to Revenue
Services.
Credit card refunds must be processed back to the original transaction and source credit card.
Departments whose merchant accounts are identified as having unmatched credit card refund transactions are contacted by Revenue Services and asked to complete a Credit Card Refund Reconciliation Report for further investigation.
Discrepancies are reported to the Director of Financial Services.

Protect cardholder information so that only the last four digits of the credit card number are displayed or printed.
Credit card terminals should be updated to meet this requirement.
Cardholder data received on forms or applications must be protected.
Consider redesigning forms so cardholder data can be separated and cross-shredded.

If possible, eliminate the need to store cardholder data.
Store only credit card information that is critical to the business: name, account number, and expiration date.
Never store the three or four-digit Card Verification Value (CVV2) code in any form.




Electronically stored credit
card data must be encrypted
or truncated.
Transmission/E-mailing of
sensitive credit card data is
prohibited unless encrypted or
truncated.
Use appropriate facility entry
controls to limit and monitor
physical access to systems and
equipment that store, process,
or transmit cardholder data.


Restrict access to cardholder data only to
those individuals whose job requires such
access.
Store and secure cardholder data in locked
containers, in secured areas with limited
access.
Credit card numbers and credit card machines must be kept secure at all times.
Do not release credit card information in any form unless there is a legitimate business purpose and then only after the request for information is reviewed and approved by department management.


The loss or theft of any
materials containing
cardholder data should
be immediately
reported to your
department
management, the
University Police
Department, and
Revenue Services.
Dispose of cardholder data according to a schedule based on business, legal and/or regulatory requirements as documented by the department.
Cardholder data must be disposed of by overwriting or degaussing magnetic media; paper must be cross-shredded.



Departments must verify all their deposits to
the University accounting system on a
monthly basis.
All discrepancies must be corrected by the
department via the University accounting
system.
Revenue Services
B-33 Stewart Hall
PO Box 6003
Morgantown, WV 26506
Phone: (304) 293-4006
Fax: (304) 293-7337
[email protected]