UCR Policies and Procedures

    I.  Policy Summary

The purpose of this policy is to ensure that all merchants are in compliance with the campus policies and procedures, appropriate minimum security standards for processing credit and debit card information at University of California, Riverside (UCR) are identified and adhered to, and that prior approval is secured before credit and debit card (hereinafter payment card) transactions can be executed.

 

   II.  Acronyms (Alphabetized List of "Uncommon" Terms)

·  CFAO     Chief Financial Administrative Officer

·  FSSC      Financial Systems Steering Committee

·  FDMS     First Data Merchant Services

·  FAU        Full Accounting Unit

·  IVR         Interactive Voice Response

·  MID        Merchant Identification Number

·  PCI         Payment Card Industry

 

 III.  Procedures

When a campus department decides to accept credit/debit cards for the purchase of goods and services, the effort must be coordinated with the campus Credit Card Coordinator. The campus has established business relationships with four major credit card types: Visa, MasterCard, Discover, and American Express. Each department, or operational unit, electing to accept credit cards must be assigned a unique Merchant Identification (MID) Number based on card type: Visa/MasterCard, Discover, and American Express. A separate MID must always be assigned for American Express.

 

As of the issue date of this policy, the UC System contracts with First Data Merchant Services (FDMS) and its joint venture partner, Bank of America Merchant Services (BAMS), to provide credit/debit card processing for Visa, MasterCard, and Discover. In addition, the campus uses CashNet for Internet/web processing. Services provided by FDMS include sending transactions to the purchaser's credit/debit card issuing company for billing, collecting the funds from the issuing company, depositing the fund to University's bank account, reconciling disputed charges, and uing agency of the payment card for billing, and providing a monthly statement to the merchant for transactions and fees. American Express does not allow third party processing, so FDMS forwards the transactions to them for processing. American Express provides separate monthly statements to the merchants on transactions and fees.

 

The department requests permission from the Organizational CFAO to accept credit cards for payment and establish a merchant ID. The Organizational CFAO reviews the request to ensure the business is in line with the unit's mission, rates are properly developed, and appropriate resources are available to manage the process. If acceptable, the CFAO approves/endorses the request and forwards it to cashandmerchant@ucr.edu Campus Credit Card Coordinator, who then reviews the proposal to ensure all costs associated with accepting credit cards are built into the proposed rates (e.g., credit card discount fees, processing fees, transactional fees, required equipment/software costs, internet processing fees (if applicable), servers (if applicable), maintenance (if applicable), and any other departmental costs required for support of this service). The Credit Card Coordinator also reviews to ensure method of credit card acceptance and equipment is acceptable in meeting campus PCI standards and approves the request to initiate the MID establishment.

 

The Credit Card Coordinator initiates the establishment of the MID by submitting a New Location Request Form to FDMS. Each MID contains an associated merchant name;  this name appears on the purchaser's credit/debit card statement. The default merchant name will be UCR (department name), unless a reasonable alternative is specifically requested. In the case of multiple MIDs under a department, the department must request meaningful and unique merchant names for each MID. A separate MID is required for each alternative payment channel (i.e., Internet versus over-the-counter/card present). 

 

MID establishment takes approximately 10-15 working days.

 

The Main Cashiers Office notifies the departmental contact(s) and Accounting of all newly established MIDs. The Main Cashiers Office coordinates the lease/purchase of card swipe terminals from FDMS (if applicable) and set up of the processing system with the departmental contact(s). Regardless of the system used, the department must balance, close out, and settle the total credit/debit card transactions on a daily basis by MID. Based upon the daily transactions, the department prepares a deposit through the Cash Collection Reporting and Reconciliation System (CCRRS) to record the sales in their departmental Full Accounting Unit (FAU). The CCRRS must indicate the daily transactional totals by credit card type to ensure accurate reconciliations by the department/merchant and Accounting. Once the Main Cashiers Office verifies the CCRRS, the deposit will appear on the departmental ledgers under source code CCD.

Staff handling cash and cash equivalents must comply with Business & Finance Bulletin BUS 49: Policy for Handling Cash and Cash Equivalents.

 

All staff handling credit cards must take “Cash Handling: The Basics” as well as “Security Awareness Training (SAT)” annually, offered on UC Learning Management System (LMS).

 

Given risks and limited resources, the campus has a central campus Internet payment solution. This gateway securely links to a single third-party processor for authorizations/approvals. UC requires merchants to use secure servers when providing for the purchase of services via the web.

 

Merchants are prohibited from storing credit card information on their servers and the merchant's web site must link to the campus hosted gateway to process payments. The gateway securely accepts the credit/debit card information from the customer and passes the encrypted transaction to this payment solution. This processes the transaction and returns and a status back to the gateway, which will be forwarded to the merchant. The transaction status can range from notification of a successful submission, to several types of errors that can occur when credit/debit card information is submitted unsuccessfully. The department/merchant will need to have procedures in place for resolving error conditions.

 

All merchants accepting credit/debit card payments via the web must use an e-business application and a secure server that handles all business processes. In other words, the e-business application collects customer information, maintains product/service information, processes orders for goods or services, and records only the credit card processor approval status. Campus servers and PCs cannot store credit/debit card information. Departments must coordinate with ITS for hardware and application specifications. Departments must adhere to all UC Policy & Procedures regarding data/information privacy and Business & Finance Bulletin IS-3 (http://policy.ucop.edu/doc/7000543/BFB-IS-3).

 

    IV.  Other Systems and Exceptions

No UCR employee or third-party payment processor engaged by the UCR may process or accept payments by payment card without prior approval of the campus Credit Card Coordinator.

 

If a department is considering a system other than those listed above, an exception request form (https://sbs.ucr.edu/campus-merchant-resources) must be submitted to their Organizational CFAO describing the proposal. This request must include a detailed justification why it is necessary to use something other than the standard campus systems and specific information on the proposed system. The Organizational CFAO reviews the proposal to ensure the business is in line with the unit's mission and that resources are available to administer the proposed system and processes. If the proposal is acceptable, it is forwarded to cashandmerchant@ucr.edu and the Campus Credit Card Coordinator, who reviews the commitment of University resources for the proposed system, the rates involved and the impact on campus community. If approved, the Credit Card Coordinator must review the final product prior to implementation of the system.

 

   V.  Accepting a Credit/Debit Card as Payment

The credit/debit card sale transaction is processed at the time the goods or services are delivered. If the goods cannot be shipped immediately, the credit/debit card must not be charged until the items are delivered.

 

Each sale transaction must be authorized first. An authorization verifies that the credit/debit card is valid and there is a sufficient credit limit available for the sale. An authorization will expire in 7-30 days depending on the type of card and the type of transaction. If the authorization has expired, another authorization will need to be executed before the sale transaction can be processed.

 

The department MUST ensure adequate security levels exist when accepting credit/debit card information for payment.

 

**Acceptable and non-acceptable methods to receive credit/debit card information can be found on https://sbs.ucr.edu/campus-merchant-resources.  

 

  

    VI.  Refunds

Credit Card Operating Regulations require that all refunds MUST be issued to the same credit/debit card as the original sale. In other words, refunds cannot be made to a different credit card. The process for issuing refunds varies depending on the type of payment system used. Refunds CANNOT be issued before the end of day settlement has been processed. Banner credit card refunds must be coordinated with Student Business Services and the Main Cashiers Office to ensure proper posting to the general ledger and may require unique Detail Codes. For those merchants authorized to charge service fees, note the service fee portion of the sale is NOT refundable.

 

Due to the potential for fraud, departments must carefully review operational procedures and determine staff members authorized to issue refunds. It is required that a department manager or supervisor with no cashiering functions be designated. All refunds should be documented via a log with the reason for the refund (i.e., return of goods sold).

 

Credit Card Terminals MUST have a unique password for refunds and voids to be used by the manager or supervisor. 

  

Under exceptional circumstances, such as when the credit/debit card account is closed, the refund can be processed via ePay with supporting documentation and settlement receipt attached.

 

 VII.  Chargebacks

There are various instances when FDMS will debit the campus' bank account to reverse a credit/debit card transaction. The reversal is referred to as a chargeback. A notice of chargeback will be sent directly to the department. If the Main Cashiers Office receives the notice, it will be forwarded on the same day received to the department contact's fax number. In addition to the notice, FDMS sends a Merchant Chargeback Summary, Chargeback Advice Form, and Chargeback Response Form to the designated departmental contact person. Accounting charges the department FAU for all chargebacks appearing on the campus bank statement.

 

It is a violation of Visa/MasterCard rules and regulations to re-bill a customer's credit card for a transaction that was charged back. If the charge is legitimate, an alternate method must be used for payment.

 

For a fee, merchants can dispute a chargeback by filing a request for arbitration with FDMS (Visa/Master/Discover) or American Express. Disputes must be initiated within 12 days or no further action can be taken. In certain circumstances, FDMS also provides good faith collection services for a fee. Contact the Main Cashiers Office for additional information.

 

VIII.  Interchange Rates

Credit card companies charge fees known as Interchange Rates, which include discount fees, processing fees and transactional fees. Fees vary based on type of transaction (i.e., card present, card not present, electronic commerce, etc.) and on the compliance of the transaction with processing guidelines. These guidelines include, among others, the use of the Address Verification Service (AVS: a risk management tool that compares the customer's address for the sale with the address on record for the credit/debit card account) and an authorization occurring within 48 hours. Visa and MasterCard have similar, but different, fee structures. Discover and American Express are independent companies with their own fee structures. Internet gateways fees are accessed based on the aggregated number of transactions for all UC merchants and include a campus based transactional fee.

  

  IX.  Service Fees

In order for a merchant to charge a service fee, campus approval must be obtained in advance. A service fee is assessed to cover the costs of offering an automated payment channel such as the Web or IVR. It may not be charged solely for the convenience of accepting the credit card, but rather for the convenience of an alternative payment channel in a non-face-to-face environment. Service fees must be charged to all payment types within a payment channel. For example, if service fees were charged for a merchant's web transactions, then all payment types including credit cards, debit cards, and ACH would be subject to the same convenience fee. In addition, each credit card company has unique regulations regarding the assessment of service fees. With this in mind, UCR service fees can only be charged by approved merchants on internet transactions; AND only the campus predetermined service fee authorized merchants. The service fee portion of the purchase is not refundable.   

 

The campus approved standard service fee is based upon a percentage of the transaction amount. Only approved merchants can assess a service fee, and it must be at the standard campus rate. 

 

Student charges that are billed through Banner (e.g., tuition/fees, housing, parking, etc.) will be assessed a service fee for internet credit card payments.  

 

 

   X.  Monthly Activity Statements

FDMS provides monthly statements by MID of VISA, MasterCard, and Discover transactions and fees; FDMS also provides a month-end recap of total net sales by credit card type for each MID. American Express provides a separate monthly statements to merchants on daily transactions by MID and associated fees per transaction.

 

  XI.  Departmental Responsibilities

Departmental responsibilities include:

·  Coordinating the acceptance of credit/debit cards with the campus Credit Card Coordinator before any systems and/or software are purchased. 

·  Completing the appropriate forms for establishing MIDs and requesting exceptions, routing all form to their Organizational CFAO.

·  Purchasing/leasing approved processing mechanism (or requesting exceptional approval).

·  Coordinating with the Main Cashiers Office regarding set up.

·  Completion of the annual Payment Card Industry (PCI) Data Security Standards (DSS) validation process Self-Assessment Questionnaire (SAO).

·  Ensuring staff with credit/debit card processing responsibilities have passed background checks in accordance with UC Personnel Policy for Staff Members UCR Local HR Procedure 21 (https://hr.ucr.edu/document/local-procedure-21-selection-and-appointment).

·  Ensure annual completion of Cash Handling (search “Cash Handling: The Basics” in LMS) and PCI Security Awareness Training for all departmental staff (search "PCI DSS" in LMS).

·  Ensuring staff with credit/debit card processing responsibilities comply with Business & Finance Bulletin BUS 49: Policy for Handling Cash and Cash Equivalents (http://policy.ucop.edu/doc/3420337/BFB-BUS-49).

·  Communication of any suspected credit card security breach to the Campus Credit Card Coordinator immediately.

·  Maintaining an inventory list of payment devices/equipment that includes device description, serial number, and location.

·  Daily inspection of payment devices for tampering and maintaining a log documenting the review process.

·  Payment devices/equipment must be kept in a secure location with limited physical access to authorized personnel designated to handle credit card payments.

·  Balancing, closing out, and settling all credit/debit card activity daily.

·  Preparing the required CCRRS entry (if applicable) with appropriate segregation of credit card types to record credit card revenue in the general ledger.

·  Reconciling the monthly activity reports to the departmental ledgers. 

·  Processing refunds according to policy and ensuring segregation of duties.

·  Responding to Media/Bank Retrieval Requests within the required timeframe.

·  Immediately researching and responding to chargeback notification.

·  Reviewing Duplicate Transaction Reports.

·  Reviewing and resolving error/reject reports. 

·  Internet/web transactions:

o  Transacting via a secure web server.

o  Coordinating with Student Business Services for access to Campus Gateway.

o  Adhering to the service fee policy (if exception approved).

·  Understanding and adhering to these policy and procedures.

 

 XII.  Contacts

       Direct questions regarding the acceptance of credit/debit cards to the campus Credit Card Coordinator or cashandmerchant@ucr.edu.

 

     For further information, visit http://www.sbs.ucr.edu/campus-merchant-resources.