Credit Card Processing: Difference between revisions

From University of Nebraska Medical Center
m (updated Controller email)
 
(17 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Human Resources|Human Resources]] |[[Safety/Security|Safety/Security]] | [[Research Compliance|Research Compliance]] | [[Compliance|Compliance]] | [[Privacy/Information Security|Privacy/Information Security]] | [[Business Operations|Business Operations]] | [[Intellectual Property|Intellectual Property]]
<table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Human Resources]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Safety/Security]] </td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Research Compliance]] </td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Compliance]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Privacy/Information Security]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Business Operations]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Intellectual Property]]</td>
</tr>
</table>
<br />
[[General Accounting]] | [[SBIR/STTR Program Participation]] | [[Supplemental Compensation Plan]] | [[Facilities Management/Planning]] | [[Purchasing]] | [[Public Affairs]] | [[Facility Identification]] | [[Serving Alcoholic Beverages]] | [[Travel and Reimbursement]] | [[State Vehicles]] | [[Reproducing Copyrighted Materials]] | [[Credit Card Processing]] | [[Student Training Agreement]] | [[Volunteer]] | [[Cash Handling]] | [[Fraud]] | [[Assigning Research Lab Space]] | [[Space Scheduling and Fundraising]] | [[International Health Education]] | [[Faculty Personnel Records]] | [[Cellular Phone]] | [[Off-campus Graphic Design and Related Printing]] | [[Off-campus Photography]] | [[Tax Exempt Financing and Tracking of Both Qualified Use and Non-Qualified Use of Research Space]] | [[Secondary Logos]] | [[Social Media]] | [[Accounts Receivable Management]]
<br /><br />
<br /><br />
[[General Accounting]] | [[SBIR/STTR Program Participation]] | [[Supplemental Compensation Plan]] | [[Facilities Management/Planning]] | [[Purchasing]] | [[Public Affairs]] | [[Facility Identification]] | [[Serving Alcoholic Beverages]] | [[Travel and Reimbursement]] | [[State Vehicles]] | [[Reproducing Copyrighted Materials]] | [[Credit Card Processing]] | [[Student Training Agreement]] | [[Non-faculty Volunteers]] | [[Cash Handling]] | [[Fraud]] | [[Assigning Research Lab Space]] | [[Public Research Lab Space]] | [[International Health Education]] | [[Faculty Personnel Records]] | [[Cellular Phone]] | [[Off-campus Graphic Design and Related Printing]] | [[Off-campus Photography]] | [[Tax Exempt Financing and Tracking of Both Qualified Use and Non-Qualified Use of Research Space]] | [[Secondary Logos]] | [[Social Media]]
Policy No.: '''6050'''<br />
Effective Date: '''01/10/07'''<br />
Revised Date: '''06/30/14'''<br />
Reviewed Date: '''06/30/14'''
<br /><br />
<br /><br />
POLICY NO: '''6050'''<br />
'''<big>Bank Card Processing Policy</big>'''
EFFECTIVE DATE: '''01/10/07'''<br />
REVISED DATE: '''01/08/09'''<br />
REVIEWED DATE: '''01/07/09'''<br />
<br /><br />
 
<big>Credit Card Processing Policy</big>
<br /><br />
 
== Basis for Policy ==
== Basis for Policy ==
 
It is the policy of the University of Nebraska Medical Center (UNMC) to establish good internal controls over the handling of bank card transactions to adequately safeguard and properly record UNMC assets and to protect the employees who handle those assets. Further, it is the policy of UNMC to comply with all [http://www.nebraskalegislature.gov/laws/laws.php state regulations] and the Payment Card Industry Data Security Standards (PCI/DSS).
It is the policy of the University of Nebraska Medical Center (UNMC) to establish good internal controls over the handling of credit card transactions to adequately safeguard and properly record UNMC assets and to protect the employees who handle those assets.&nbsp; Further, it is the policy of UNMC to comply with all [http://www.nebraskalegislature.gov/laws/laws.php state regulations] and the Payment Card Industry Data Security Standards (PCI/DSS).
==Definitions==
 
Bank card is defined as credit cards, debit cards, ATM cards and any other card or device, other than cash or checks, issued by a bank or credit union that is normally presented by a person seeking to make payment. The process of paying is considered as the transaction.<br />
== Authority Over Credit Card Transactions ==
<br />
 
Payment Card Industry Data Security Standards (PCI/DSS) are guidance for organizations to assist in providing data security on payment card transactions.
It is the policy of the University of Nebraska Medical Center that all credit card transactions on the UNMC campus will be under the control of the Controller.&nbsp; Web based credit card transactions must utilize the standard UNMC application.
== Authority Over Bank Card Transactions ==
 
It is the policy of the University of Nebraska Medical Center that all bank card transactions on the UNMC campus will be under the control of the Controller. Web-based bank card transactions must utilize the standard UNMC application provided by Information Technology Services.  
== Credit Card Reporting ==
==Bank Card Reporting ==
 
Bank card collections received by departments for UNMC will be submitted along with cash/check collections and a Cash Remittance Report to the [https://info.unmc.edu/management/finance/cashering/ Finance Cashier].
Credit card collections received by departments for UNMC will be submitted along with cash/check collections and a Cash Remittance Report and related pre-numbered receipt slips to the [http://app1.unmc.edu/bus&fin/index.cfm?L2_ID=6&L1_ID=4&L3_ID=26&CONREF=25 Finance Cashier].


== Internal Controls ==
== Internal Controls ==
 
*Departments will maintain written detailed internal procedures describing the proper handling of bank card transactions. These internal procedures must address the following, at a minimum;
Departments are required to establish the following internal controls over credit card transactions:
**The bank card swipe terminal must be located in a position that prohibits direct physical interaction from unauthorized individuals.
 
**Periodically inspect terminal surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
* Departments will maintain written detailed internal procedures describing the proper handling of credit card transactions.
**Personnel involved with bank card transactions must document knowledge of their awareness to attempted tampering or replacement of devices by completing the UNMC PCI 3.0 Point of Sale training material, which will be retained by the Finance Cashier. 
* Under no circumstances should credit card information be entered and stored on any computer database.&nbsp; UNMC has made the decision to outsource the credit card processing.&nbsp; UNMC ITS Application Services has a module which is utilized to bridge the web application which requires a credit card payment and the credit card processing company.
*Under no circumstances should bank card information be stored on any computer system. This includes, but is not limited to:  emails, documents, spreadsheets and databases.
*UNMC outsources e-commerce bank card processing. UNMC ITS Application Services has a module which is utilized to bridge the web application which accepts a bank card payment and the card processing company.
**All bank card transactions processed by UNMC Staff, on behalf of the customer, must go through the bank card terminals provided by the Finance Cashier. Under no circumstances, shall a UNMC Staff member enter a bank card number into a UNMC Web Application on behalf of the cardholder.
== Auditing Cash Funds ==
== Auditing Cash Funds ==
<br /><br />
All bank card transactions will be reviewed periodically and confirmed annually to assist in maintaining proper accountability and internal control. In addition, written departmental bank card procedures will be reviewed for conformity with UNMC policies, State Treasurer regulations, and Payment Card Industry Data Security Standards.
All credit card transactions will be reviewed periodically and confirmed annually to assist in maintaining proper accountability and internal control. In addition, written departmental credit card procedures will be reviewed for conformity with UNMC policies and for proper internal control.
==Technical Controls==
<br /><br />
All bank card transactions will be processed in conformance with the Payment Card Industry Data Security Standards. A secure network environment is established for processing of bank card transactions. A vulnerability management program is in place to ensure that the technical controls are functioning properly. Technical controls are in place to ensure that identity and access management is limited to those with a need to access the data in order to perform their job duties. Appropriate audit logging is enabled in order to track and monitor access. In the case of an information security event is found (such as an unauthorized wireless access point), the organization will follow the Incident Response Security Procedure. All members of UNMC complete annual information security compliance training.<br />
For more detailed information, see the [[Credit Card Handling Procedures]] or contact the [mailto:ckirchner@unmc.edu Controller].
<br />
 
For more detailed information, see the [[Bank Card Handling Procedures]] or contact the [mailto:mhrncirik@unmc.edu Controller].<br />
<br /><br />
<br />
 
This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].
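Review bot: the item beginning "All bank card transactions processed by UNMC Staff" is entered as a second-level ("**") entry directly under the "UNMC outsources e-commerce bank card processing" bullet, so it reads as a sub-point of e-commerce outsourcing although it sets a rule for staff-operated terminals. Making it a top-level "*" item would make the prohibition on staff entering a card number into a UNMC Web Application easier to find. In the Technical Controls paragraph, "In the case of an information security event is found" should read "If an information security event is found", and the list lead-in "at a minimum;" should end with a colon.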

Latest revision as of 15:45, July 26, 2023


Policy No.: 6050
Effective Date: 01/10/07
Revised Date: 06/30/14
Reviewed Date: 06/30/14

Bank Card Processing Policy

Basis for Policy

It is the policy of the University of Nebraska Medical Center (UNMC) to establish good internal controls over the handling of bank card transactions to adequately safeguard and properly record UNMC assets and to protect the employees who handle those assets. Further, it is the policy of UNMC to comply with all state regulations and the Payment Card Industry Data Security Standards (PCI/DSS).

Definitions

Bank card is defined as credit cards, debit cards, ATM cards and any other card or device, other than cash or checks, issued by a bank or credit union that is normally presented by a person seeking to make payment. The process of paying is considered as the transaction.

Payment Card Industry Data Security Standards (PCI/DSS) are guidance for organizations to assist in providing data security on payment card transactions.

Authority Over Bank Card Transactions

It is the policy of the University of Nebraska Medical Center that all bank card transactions on the UNMC campus will be under the control of the Controller. Web-based bank card transactions must utilize the standard UNMC application provided by Information Technology Services.

Bank Card Reporting

Bank card collections received by departments for UNMC will be submitted along with cash/check collections and a Cash Remittance Report to the Finance Cashier.

Internal Controls

  • Departments will maintain written detailed internal procedures describing the proper handling of bank card transactions. These internal procedures must address the following, at a minimum:
    • The bank card swipe terminal must be located in a position that prohibits direct physical interaction from unauthorized individuals.
    • Periodically inspect terminal surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
    • Personnel involved with bank card transactions must document their awareness of attempted tampering or replacement of devices by completing the UNMC PCI 3.0 Point of Sale training material, which will be retained by the Finance Cashier.
  • Under no circumstances should bank card information be stored on any computer system. This includes, but is not limited to: emails, documents, spreadsheets and databases.
  • UNMC outsources e-commerce bank card processing. UNMC ITS Application Services has a module which is utilized to bridge the web application which accepts a bank card payment and the card processing company.
    • All bank card transactions processed by UNMC Staff, on behalf of the customer, must go through the bank card terminals provided by the Finance Cashier. Under no circumstances shall a UNMC Staff member enter a bank card number into a UNMC Web Application on behalf of the cardholder.

Auditing Cash Funds

All bank card transactions will be reviewed periodically and confirmed annually to assist in maintaining proper accountability and internal control. In addition, written departmental bank card procedures will be reviewed for conformity with UNMC policies, State Treasurer regulations, and Payment Card Industry Data Security Standards.

Technical Controls

All bank card transactions will be processed in conformance with the Payment Card Industry Data Security Standards. A secure network environment is established for processing of bank card transactions. A vulnerability management program is in place to ensure that the technical controls are functioning properly. Technical controls are in place to ensure that identity and access management is limited to those with a need to access the data in order to perform their job duties. Appropriate audit logging is enabled in order to track and monitor access. If an information security event is found (such as an unauthorized wireless access point), the organization will follow the Incident Response Security Procedure. All members of UNMC complete annual information security compliance training.

For more detailed information, see the Bank Card Handling Procedures or contact the Controller.

This page maintained by dkp.