FN07 Electronic Payments - Credit Cards

Contents:

• PURPOSE:
• SCOPE:
• DEFINITIONS:
• POLICY:
  • GENERAL RESPONSIBILITIES:
  • CREDIT CARD PROCESSING:
    • Merchant Responsibilities:
  • ESTABLISHING A MERCHANT ACCOUNT OR TERMINAL:
  • CONTROL AND REPORTING:
  • TERMINATING MERCHANT OR TERMINAL IDs:
  • RETURNS AND REFUNDS:
  • DOCUMENTATION OF CARDHOLDER COMPLAINTS:
  • SANCTIONS:
• FURTHER INFORMATION:
• CROSS REFERENCES:
• REVISION HISTORY:

PURPOSE:

To outline the Pennsylvania State University's (“University” or “Penn State”) policy on the acceptance of electronic payments, specifically credit cards, as a form of payment by University areas or departments. For this policy, the term "credit cards" shall also be construed to include "credit-card-branded," "debit cards" and "check cards." Only units which have established merchant accounts, approved through the Office of Budget and Finance, are permitted to accept credit cards as payment.

Online systematic acceptance of other forms of electronic payments, such as wires, EFTs and ACHs, must be approved by the Associate Vice President for Budget and Finance. The use of other electronic payments such as wires, EFTs, and ACHs are not within the scope of this policy. The use of third-party payment services to process payment for goods or services offered by any University unit are not permitted, unless explicitly approved by the Associate Vice President for Budget and Finance.

SCOPE:

The University’s financial policies are applicable throughout the University, including all direct and indirect subsidiaries, and are required to be followed by all University employees who engage in financial, accounting, purchasing or other transactions, including University employees who in the course of their assigned duties engage in such transactions on behalf of third parties such as the Penn State Alumni Association or other related entities. The University’s financial policies are not applicable to Penn State Health or its subsidiaries, or to Penn College of Technology, each of which has its own financial policies.

DEFINITIONS:

• Automated Clearing House (ACH) – This is a funds transfer system that was developed as an electronic payment alternative to checks. While Fedwire is real-time transfer system, ACH uses a batch settlement process which typically provides for next day settlement making it much less expensive than Fedwire. An example of an ACH transaction is a pre-authorized debit to a checking or savings account or direct deposit of payroll.
• Card Brands – Visa, MasterCard, Discover, and American Express are examples of Card Brands.
• Debit/ATM Cards – A type of Payment Card that deducts payments directly from an individual’s checking account.
• e-Commerce – The process of conducting payment transactions over a computer network, usually the Internet. In e-commerce the merchant card is usually not present; instead, the payer enters that data into a web-based form remotely.
• e-Merchant – a merchant who uses an e-commerce system to generate revenue.
• Federal Regulations – Electronic payments fall under numerous banking and disclosure regulations. Examples include Reg E., Reg J., Electronic Funds Transfer Act (1978), USA Patriot Act, and Fair and Accurate Credit Transactions Act
• Fedwire – This is a funds transfer system administered by the Federal Reserve. It is a real-time method of transferring funds between parties.
• Financial Institution – A bank, credit union, brokerage house or financial services provider.
• Merchant – a department, business area, or other university organization that collects revenue. Although merchants may receive payments in various forms (i.e., cash, check, voucher) this policy applies to merchants who wish to receive at least some of their payments from credit or debit card transactions.
• Merchant ID – A merchant identification code assigned by the credit card processor and is used to identify the owner of merchant card transactions.
• Mobile Payments – Electronic transactions that are transacted with a mobile phone.
• National Automated Clearing House Association (NACHA) – the regulatory body for the ACH payment network.
• Payment Card – Credit Cards (e.g., VISA, MasterCard, and Discover, American Express, Diners Club), Debit and Smart cards.
• Payment Card Industry Data Security Standard (PCI DSS) – an industry standard that sets technical and compliance standards for protecting cardholder data. PCI DSS is supported by VISA, MasterCard, Discover, and American Express and applies to everyone that stores, processes, or transmits cardholder data. Failure to comply with PCI DSS may result in substantial fines and increased auditing requirements if a breach occurs. The full text of the standard and other supporting documents is available at PCI Security Standards.
• Point-of-Sale (POS) System – a computer-based system that processes payments over a network. A POS system differs from an e-commerce system in that the payer and card are usually present at the time of the transaction.
• Processing Equipment – Credit card readers/printers, point of purchase terminals/printer.
• Service Provider – The entity or entities selected by the Office of Budget and Finance who process Payment Card, Fedwire, and ACH transactions.
• Smart Card – A type of Payment Card that stores information and value on a computer chip embedded in the card.
• Terminal – a machine for electronically processing credit card payments. Card data may be captured by swiping the card through a designated slot in the terminal or by keying in the card number by hand. Payment information may be transmitted over phone lines or the Internet.
• Terminal ID – A unique identifier assigned by the processor to each card accepting device, whether it is a card swipe terminal, POS, or a connection through an e-Commerce gateway.

POLICY:

Merchant credit or debit card transactions are monetary transactions and are subject to the same control and reconciliation policies as cash transactions.

Merchant card transactions are governed by contractual agreement; therefore, independent establishment of payment processes may constitute a breach of contract.

GENERAL RESPONSIBILITIES:

Units which have a need to accept credit cards as a form of payment must carefully weigh the benefits and costs related to credit card processing.  Central Accounts Receivable does not accept credit card payments, Credit-Branded, Debit Cards, or Check Card Payments.  Security requirements for credit card data are strict and if not enforced, can result in significant monetary fines as well as damage to the reputation of the unit and the University.  The Budget Executive in the unit must approve the establishment of all merchant accounts and related terminal IDs within their area of responsibility.  Prior to approval, the Budget Executive must consider technical, financial, and administrative issues and costs arising from the acceptance of credit cards versus the business need for accepting such payments.

All revenues received through electronic payments must be for the benefit of Penn State and should be processed as outlined in Policy FN01 Cash Revenues. Only those areas with an approved merchant account are permitted to accept card payments on websites hosted on University computers and served by University networks or servers.  Payment processing should be managed through Penn State’s eCommerce solutions.  An individual may not collect or store electronic payment information through their personal website which is part of the Penn State network.  In no case may electronic payments, even through third-party vendors, be accepted for any commercial enterprise which results in personal gain to the individual involved. The University has a responsibility to its customers to protect credit card information, as well as to comply with the Payment Card Industry Data Security Standards (PCI DSS). The only credit card data that can be retained, on paper or electronically, is the last 4 digits of the card number, the expiration date, and the card type. Other credit card data, including the full card number, CVC2/CVV2/CID data, PIN/PIN block and track data from the full magnetic stripe, cannot be stored, post authorization.  This applies to all University systems, any University servers used or hosted by a third-party, as well as locally maintained systems, including databases, spreadsheets, email, imaging systems, and paper files.  Exceptions must be specifically approved by the Office of Information Security. Exceptions must be specifically approved by the Associate Vice President for Budget and Finance.

The University also has a responsibility to adequately protect all payment information that is defined in University Policy AD53 Privacy Policy, as Personally Identifiable Information (PII). All records containing PII must be properly classified and secured in accordance with University Policy AD95 Information Assurance and IT Security and its corresponding Security Standards.

CREDIT CARD PROCESSING:

MERCHANT RESPONSIBILITIES:

All University units with merchant accounts, including all terminal IDs tied to a merchant account, are responsible for the following::

• Compliance with all merchant rules established by the credit card companies which apply to the unit, which are available for review on the PSU Merchant Management website;
• Compliance with Payment Card Industry Data Security Standards (PCI DSS), including completion of the annual self-assessment questionnaire;
• Completion of required testing of security systems, network processes, and scheduling of quarterly scans, if processing credit cards through a network;
• Establishment of clear policies regarding returns and refunds, in compliance with University policy and merchant rules; and
• Notification to the Office of Information Security (OIS) at security@psu.edu of any suspected breaches.

Special charges or discounts resulting in a price differential between a credit card transaction and a transaction paid by cash or check are not permitted. Merchants must incorporate all costs related to credit card processing into fees charged for goods and services. The only exceptions are for a convenience fee for student account payments through LionPATH, or exceptions permitted under the conditions of the credit card merchant rules which have been reviewed and approved by the Associate Vice President for Budget and Finance. For example, merchants are not permitted to charge an additional fee if a payment is made by credit card versus cash or check.

ESTABLISHING A MERCHANT ACCOUNT OR TERMINAL ID:

University units that wish to accept credit cards as a form of payment must first collaborate with the Financial Officer and IT leader for the business area to determine if applying for an account is appropriate. In some cases, a unit may have a merchant account, but may have a need to set up a unique Terminal Identification (TID) under that merchant account for a particular unit. If agreement is reached that a merchant account and/or terminal is appropriate, the unit must apply by completing a Credit Card Processing Terminal Request to add a terminal and Credit Card Processing Merchant Request. This application must be completed in full, with the required signatures obtained. The Financial Officer is responsible for forwarding the request to the Office of Budget and Finance for final approval and processing.

Units applying for a merchant account or terminal ID must have a clear business purpose for processing credit card transactions, and will need to identify annual expected dollar volume, transaction volume and expected means of receiving credit card information (in person, phone, fax, mail, web). Units are responsible for all setup, operations, and maintenance costs, including security and breach management. On the application form, the unit must indicate which credit card processing will be used. Applications for merchant accounts may be denied if it is determined that another unit should be processing such payments, for example:

• Only the Office of the Bursar may process credit card transactions for fees on the student account.
• Conferences and other programs with an external audience must be arranged through Outreach, per Policy AD03 Conducting Educational Programs Using the Name of the University

If an application for a new merchant account or terminal ID is approved, the Office of Budget and Finance will coordinate with the credit card processor to establish a new merchant account (or terminal ID). The Office of Budget and Finance, will notify the Financial Officer when the account is established.

If any changes are made in how credit card transactions are processed, a revised Credit Card Processing Merchant Request must be submitted and approved.

CONTROL AND REPORTING:

It is the responsibility of the area that accepts credit cards to assure that all credit card sales are recorded on area and University accounting records. The selling unit must establish strict internal controls and reconciliation methods to assure that credit card sales have been properly recorded on central University records. In addition, credit card sales must be reported to the University on a Cash Journal Entry, or through the appropriate LionPATH reporting channels. Credit card sales must be reported to the University the same day or the following business day that they are reported to the contracting bank (upon settlement).

TERMINATING MERCHANT OR TERMINAL IDs:

Units who no longer have a need for a merchant or terminal ID must contact the Office of Budget and Finance, through their Financial Officer, to formally terminate the merchant ID or terminal ID. The Office of Budget and Finance will notify other offices, such as Office of Information Security, as well as contacting the processor to close the account. Units are responsible for maintaining records for three years even though the merchant account or terminal ID has been closed.

RETURN AND REFUNDS:

Selling units which participate in credit card sales must offer an equitable exchange or return policy. In cases where the customer wishes to return a purchase for credit, or receive a refund for unused services, a credit must be issued via the same credit card that was used to process the original sales transaction. Refunds by cash are not permitted. Refunds by check are permitted only when a credit cannot be issued through the original credit card processing resources. Refer to Policy FN08 Refunds for guidance on refunds by check.

DOCUMENTATION OF CARDHOLDER COMPLAINTS:

As a merchant, units are required to keep a written record of all customer complaints where a credit card was used for payment. The follow information must be included in your written record for future reference:

• Cardholder’s name
• The units reference number, account number, or order number (but NOT the cardholder's full or credit card number)
• The date and time the cardholder asserted the claim
• The nature of the claim
• The action taken to resolve the dispute (this section should be very detailed)

This documentation should be kept with your original transaction information so that everything is together and can be accessed in the future if needed.

Handling of cardholder complaints/disputes must follow the specific procedures as required by the Merchant Services Agreement and comply with the Fair Credit Billing Act. The University processor should be contacted with any questions regarding the handling of cardholder complaints.

Chargebacks must be responded to in a timely basis. More detail on chargeback procedures is available on the PSU Merchant Management website.

SANCTIONS:

Compliance- Merchants who are not compliant with approved security, storage, and processing procedures per both University and PCI DSS standards will have merchant accounts revoked or suspended.

Security Issues- The unit's network connection may be disabled due to breach or other security issue. Employees involved in breaches of credit card information are subject to the full range of sanctions, including loss of computer or network access privileges, disciplinary action, suspension, termination of employment and possible legal action. Some violations may constitute criminal offenses under local, state, or federal laws. The University will carry out its responsibility to report such violations to appropriate authorities.

FURTHER INFORMATION:

For questions, additional detail, or to request changes to this policy, please contact the Office of Budget and Finance.

CROSS REFERENCES:

• Policy AD03 Conducting Educational Programs Using the Name of the University
• Policy AD53 Privacy Policy
• Policy AD95 Information Assurance and IT Security
• Policy FN01 Processing Cash Revenues
• Policy FN08 Refunds
• Policy FN23 Identity Theft Detection, Prevention and Mitigation Program
• PSU Merchant Management Website
• Credit Card Processing Merchant Request Form
• Credit Card Processing Terminal Request Form

REVISION HISTORY:

Most recent changes:

• February 1, 2023 - Editorial Changes.  Changed all references to the Associate Vice President for Finance to the Associate Vice President for Budget and Finance, per the directive of the Senior Vice President for Finance and Business.

Revision History (and effective dates):

• January 5, 2023 - Editorial Changes.  Changed all references to the Office of the Corporate Controller to the Office of Budget and Finance, per the directive of the Associate Vice President for Finance.
• October 25, 2022 - Policy rewritten to document SIMBA and LionPATH processes
• November 8, 2018 - Subject Matter Expert added.
• September 10, 2018 - Editorial changes to correct hyperlinks and remove redundant Date Approved, Date Published, and Effective date.
• September 25, 2013 - Editorial changes. Addition of policy steward information, in the event that there are questions or requests for changes to the policy.
• September 21, 2011 - Editorial change in PURPOSE section, second paragraph, to clarify approval requirements for other forms of electronic payments, such as wires, EFTs and ACHs.
• November 30, 2010 - Significant changes have been made to bring this policy in line with current University and industry practices.
• March 30, 2004:
  • Significant changes have been made to bring this policy in line with current University and industry practices.
  • The Corporate Controller's Office and Administrative Information Services (AIS) administer the only resources authorized for establishing merchant accounts and processing credit card payments at Penn State. Individuals and areas are not permitted to make alternative arrangements.
  • Added Financial Officers to approval process for allowing areas to accept credit cards.
  • Use of the AIS eCommerce system was added.
  • Now allows surcharges to be added for credit card payments but under eLion only.
  • "Office of Administrative Systems" changed to "Administrative Information Services" and the "Associate Treasurer" to "Corporate Controller's Office."
  • The DEPOSIT section was deleted since paper credit card slips are no longer used with the advent of electronic processing.
  • Editorial changes for clarity.
• January 24, 2000 - The section INTERNET/INTRANET SALES was added.
• September 16, 1992 - Added the section LIMITATIONS, and revised wording regarding the Report of Cash Receipts.
• March 27, 1991 - Limited holding of credit card slips to no more than three days.
• May 31, 1989 - Changed "Assistant Treasurer" to "Associate Treasurer."
• January 22, 1988 - Under the section CONTROL AND REPORTING, added provisions for the Integrated Student Information System. Under the DEPOSIT section, added provision for electronic data capture.
• November 21, 1986 - Changed " Director of Financial Management" to "Assistant Treasurer." Expanded charges to be absorbed by department to include any bank charges. Other editorial changes for clarity.
• August 15, 1986 - Minor editorial changes for clarity.
• July 25, 1983 - Redesignated from CS07 to FN07.
• September 3, 1980 - New Policy.