The following procedures are recommended to carry out the intent of UA Little Rock Policy 303.1 – Collection of University Funds and Compliance to Payment Card Industry (PCI) Regulations.
Definitions
Cardholder data. The full magnetic stripe of the card or the entire card number plus any of the following: cardholder name, expiration date, service code.
Cash. All monetary resources, including coins, currency, checks, credit cards, or any other form of payment received by the university.
PCI-DSS. The Payment Card Industry Data Security Standard was adopted to assure the protection of customer data and credit card numbers.
PCI environment. This includes computers, network hardware, and the segment of the UA Little Rock network (PCI VLAN) configured to meet the PCI standards for electronic submission, processing, or storage of cardholder data.
Procedures
UA Little Rock Policy 303.1 – Collection of University Funds and Compliance to Payment Card Industry (PCI) Regulations establishes guidelines for the collection, control, and deposit of cash receipts. Campus departments which collect cash for events or other purposes must be authorized by the Bursar’s Office prior to receiving cash. In addition, they must develop written procedures governing cash handling and adherence to PCI compliance regulations.
Department Procedures. Title 19, Chapter 4, Subchapter 5 of the Arkansas State Accounting and Budgetary Procedures Manual, entitled “R4-19-4-501 Cash Receipts Internal Control,” sets forth the guidelines to be used by UA Little Rock in developing those procedures. Written procedures should include, at a minimum, the persons authorized to collect cash, method of documenting cash receipts, security procedures, reconciliation procedures, and depository procedures. Further, written procedures should document that the department will comply with PCI compliance guidelines. Suggested guidelines in each of these areas are outlined below.
Collection of Funds Guidelines
Persons authorized to collect cash. The duties of collecting cash, maintaining documentation, preparing deposits, and reconciling records should be separated among different employees. When this is not feasible, strict individual accountability and management supervision and review is required. The department’s written procedures should name the individual employees (or the position title) who are authorized to perform cash handling duties.
Method of documenting cash receipts. Departments that collect cash must have acceptable documentation for all amounts collected. Computer-generated receipts, cash register receipts, or pre-numbered receipt books or tickets are examples of acceptable forms of documentation. For audit purposes, all documentation should be retained in a separate location from the place where cash is stored. All voided transactions (receipts) should be clearly marked as such and have proper authorization.
Security procedures. Procedures should be established to maintain a safe and secure working environment to ensure the safety of the funds and of the employee. Cash must be kept in a safe or locked container when not in use, the number of employees who have access to cash should be kept to a minimum, and cash should never be left unattended. Finally, the department must ensure that its procedures comply with PCI compliance regulations, as more fully detailed below.
Reconciliation procedures. Cash receipts must be reconciled to the source documentation on a regular basis. Ideally, reconciliation should be daily, but at a minimum, each time a deposit is made. The reconciliation process and frequency should be specific in the written procedures. Any overages and shortages discovered in the reconciliation process should be documented and approved by a department supervisor. Shortage amounts in excess of any amount must be reported to Public Safety. If there appears to be a pattern of overages or shortages, this information should be disclosed immediately to the Bursar’s Office.
Depository procedures. All cash received must be deposited. Deposits to a UA Little Rock designated bank account or to the Cashier’s Office must be made daily. A Departmental Deposit Form should accompany the deposit to the Cashier’s Office. If a deposit is made to a UA Little Rock designated bank account independent of the Cashier’s Office, the procedures should be very specific about this process. It is important that cash be deposited to the Cashier’s Office promptly at the end of the fiscal year. Each year, the Bursar’s Office will issue a memorandum near the middle of June stating the deadline for the submission of cash for that fiscal year.
Refunds or payments cannot be made directly from funds received from cash receipts. All refunds must be processed through appropriate procedures as established by the Bursar’s Office.
Authorization. The department procedures should be summarized and forwarded along with the attached authorization form to the Bursar’s Office. No cash should be collected until the authorization form has been approved.
PCI Compliance Guidelines
Access to Customer Credit Card Data
- Access is authorized only for university personnel who are responsible for processing or facilitating credit card transactions.
- Only authorized university personnel may process credit card transactions or have access to documentation related to credit card transactions.
Transmission of Credit Card Information
- Insecure (unencrypted) transmission of cardholder data is prohibited. Credit card numbers and cardholder data may not be emailed, faxed, or sent via any electronic messaging technologies such as instant messaging or chat.
Telephone Payments
- When recording credit card information for processing via a dial-up terminal, only cardholder name, account number, expiration date, zip code, and street address may be recorded. It is not permissible to record and store the three-digit security code (CVV2).
- Store transaction documentation and merchant receipt in a secure (locked) area.
- Shred all transaction documentation upon completion of transaction.
Card Present Transactions (Point of Sale)
- Provide receipt to customer.
- Store transaction documentation and merchant receipt in a secure (locked) area in accordance to the department’s retention policy.
Receipt of Credit Card Information in Email
- Under no circumstances will credit card numbers received in email be processed.
- The recipient of the credit card number will respond to the sender offering an acceptable method for transmitting card information, such as over the phone or through a UALR payment portal. See Exhibit “A” for an example response.
Processing Credit Card Transactions and Storage of Cardholder Data on Campus Computers
- Offices that make payment card transactions on the web (that is, enter a customer’s credit card number on a website in payment for a purchase at or donation to the university) must do so from a computer designated for that purpose on the campus PCI VLAN.
- Card numbers must not be entered on any computer that is not expressly designated as belonging to the PCI environment.
- Cardholder data should not be stored electronically. If there is a documented requirement for such storage, appropriate encryption must be used and data must be stored on a computer belonging to the PCI environment.
Delivery of Transaction Documents to Cashier’s Office (for staff at peripheral locations)
- Prepare Departmental Deposit Form.
- Personally delivery, or send by a bonded courier employed by UA Little Rock, all transaction documentation to the Cashier’s Office. Never send transaction information through campus mail.
Securing Transaction Documents
- During window session, place merchant receipt and other transaction documents in drawer. At work station, store securely until session materials are placed in vault at end of day.
- Any transaction documentation retrieved from the vault for review or refund purposes must be handled securely and placed back in the vault as soon as possible but no later than the end of the business day.
Retention and Destruction of Cardholder Data
- Cardholder data should be retained in a secure location only as long as is necessary for business purposes.
- Cardholder data will be destroyed when no longer needed. Paper documentation will be cross-cut shredded.
