UGA Extension Credit Card Processing Training

Presentation transcript:

UGA Extension Credit Card Processing Training
Presented by the CAES Business Office
Notes: The purpose of this training is to review the current UGA CES Credit Card Machine Policy. This training is required for all personnel who handle credit cards in a County Office. Upon completion of this training, please review the policy and complete the PCI-DSS awareness training. The policy and the PCI-DSS awareness training may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html

UGA CES Credit Card Machine Policy
- All UGA Extension Offices that process credit card payments must adhere to the UGA CES Credit Card Machine Policy.
- Must be reviewed before processing credit card payments.
- Provides minimum required policies and procedures.
- Each office must have its own office-specific policies and procedures in addition to these policies.
- The policy and a template for office-specific policies may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html
Notes: Upon completion of this training and other required trainings, please review the office-specific policy template on the CAES Fiscal Compliance Reporting webpage. Use the template to create your own office-specific policies.

Operating the Credit Card Terminal
- Currently the approved credit card devices include the FD410, FD130, FD200, FD35, FD400GT, Clover Mini, Clover Mobile, Clover Go, Clover Flex and Clover Station.
- The following links include instructional demos of the devices from First Data:
  - FD410 (https://www.firstdata.com/demos/terminal_demos/FD410.html)
  - FD130 (https://www.firstdata.com/demos/terminal_demos/FD130_Demo.html)
  - FD200 (https://www.firstdata.com/demos/terminal_demos/FD200Ti_FD200_demo_mobile.swf.html)
  - FD35 (https://www.firstdata.com/demos/terminal_demos/FD-35_Demo.mobile.html)
  - FD400GT (https://www.firstdata.com/demos/terminal_demos/FD400GT_Demo.mobile.html)
- Information on Clover devices may be reviewed on the following website: www.clover.com
- Review the demos for assistance in operating your specific machine and for printing required reports.
Notes: If you have a credit card terminal other than the currently approved terminals, then contact the CAES Business Office to return your current device and either purchase or rent an approved machine.

Credit Card Terminals MUST be connected to analog phone lines!
Notes: Credit card terminals may not be connected to your network. This changes the compliance requirements for County Offices and greatly increases the risk of identity theft. If your office does not possess analog phone lines, then you will want to purchase the cellular mobile credit card machine. The compliance requirements for the mobile machine are the same as for other terminals connected through an analog phone line.

Set up Process and Forms of Payment
- Offices that wish to accept credit card payments must obtain approval from their respective District Office.
- Contact the CAES Business Office to apply for a credit card terminal, return an older model, or coordinate renting a terminal for specific periods of time.
- Only approved card processing terminals may be used: do not use any device or online payment portal that is not approved by the CAES Business Office.
- Only VISA, Discover, and MasterCard cards may be accepted.

Security and Control of Credit Card Terminals
- Credit card terminals must be actively tracked and inventoried:
  - An inventory log may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html
  - Must track the department, location, make, model, serial number, and individual responsible for the device.
  - Provide this information to your District office and the CAES Fiscal Compliance Coordinator. If information changes, then submit the form with the changes to both offices.
- Secure the credit card terminal during and after work hours.
- If possible, assign a password or user identification to staff operating the terminals. Passwords and user identification should not be shared.
Notes: You may provide this information to your District office when performing your regularly scheduled equipment inventory reporting. Please scan this information to the CAES Fiscal Compliance Coordinator as soon as you complete the form.

Credit Card Information (1)
- The credit cardholder information required to process a transaction is:
  - Dollar amount
  - Photo ID
  - Expiration date
  - Signature
- Offices are encouraged to have the customer swipe the card or, if the card has a chip, insert it into the chip reader to process transactions.
- Manual entry processing costs are higher than swipe or chip use costs.

Credit Card Information (2)
Notes: This is a reference of the information displayed on credit cards. If you are unsure of what information is required or how to find it, then please refer back to this slide. PAN stands for “primary account number”.

Security of Cardholder Information and Records Retention
- Credit Card Deposit Logs and other documents substantiating revenue should be stored for 5 years.
- Signed merchant receipts and other documents with cardholder data should be kept for 1 year. They must be cross-shred a year after the processing date.
- Full credit card numbers and the 3-digit security code on the back of the card should NEVER be retained.
- Note that full credit card numbers may be recorded in order to process a transaction over the phone, but all except for the last 4 digits must be punched out immediately after processing the payment. Whiting or blacking out the numbers is NOT sufficient!
Notes: Please note that the “cross-shred” requirement is a specific PCI-DSS requirement. It is not acceptable to simply tear up, black out, or throw away documentation. If you process a credit card transaction over the phone and record the full credit card number, then be sure to punch out the numbers with a hole puncher after processing the transaction. Again, this is a specific PCI-DSS requirement, so blacking or whiting out the numbers is not sufficient.

Credit Card Transactions over the Phone
- If credit cards are taken over the phone, the following additional information must be recorded:
  - Full address
  - Full credit card number (after use, all but the last 4 numbers must be punched out)
  - Full name on the card
  - Zip code
  - Notation that this transaction was taken over the phone
- A record form for credit card transactions over the phone may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html
- Store this record along with the signed merchant copies of the receipts. They must also be cross-shred 1 year after the date of processing.
Notes: Note that for manually entered transactions, the customer must also give you the expiration date and the security code information. However, this information may NOT be recorded in any form.

Credit Card Refunds/Credits
- Refunds must be processed back to the original card only. Since full credit card numbers are not retained, the customer must provide the number to you in order to process the refund.
- Refunds must be documented with the following information:
  - Customer’s name
  - Amount listed on the merchant copy of the receipt
  - Reason for the refund
  - Program or activity associated with the refund
  - CEC’s signature of approval
- A credit card refunds record may be found at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html
Notes: The CEC must approve all credit card refunds before processing. If the CEC is not available at the time the refund is requested, then they must be contacted for approval prior to giving the refund and may sign the form once they return.

Processing Credit Card Transactions by Mail, Fax, or Online
- Credit card information may not be mailed or faxed to the office, or processed through online payment applications.
- Only card present transactions or transactions taken over the phone are acceptable methods for processing credit cards.

Daily Processes and Reports
At the close of each business day or at the start of the following business day, the following close out steps must be performed:
- Print batch report.
- Record transactions into the daily credit card deposit record.
- All transactions must be entered into QuickBooks Online.
- Secure the terminal in a location with appropriate access restrictions.
- Secure merchant copies of receipts and other documents with cardholder information in a location with appropriate access restrictions.

Monthly Processes and Reports
Each month the following steps must be performed:
- The daily credit card deposit record, batch reports, and refunds records are reviewed for the month.
- The bank statement is reconciled to QuickBooks Online and the monthly credit card deposit records.
- The monthly reconciliation of credit card deposit records is reviewed by the CEC.
Notes: The review will occur concurrently with your monthly bank reconciliation.

Yearly Processes and Reports
- Complete annual SAQ and maintain PCI compliance at all times.
- Notify the CAES Business Office’s Fiscal Compliance Coordinator of any proposed change in approved processing.
- Maintain internal documented policies and procedures and a data flow diagram.
  - Submit your policies and diagram to the CAES Business Office’s Fiscal Compliance Coordinator.
  - Any updates to internal policies should be submitted annually along with the SAQ for that year.
- Maintain and update device list.
- Maintain media transfer log for moving cardholder information.
- Complete PCI-DSS awareness training.
  - Annual training is required for all employees who process credit cards.
  - All new employees who will handle credit cards must complete the training prior to processing credit cards.
Notes: The annual SAQ will be discussed more in the PCI-DSS awareness training. Templates for the data flow diagram, office-specific policies, device list, and media transfer log are available at the following website: http://intranet.caes.uga.edu/coextopr/fiscalcomp/index.html

Incident Response
Should the office become aware that any cardholder data was subject to compromise, the office must inform their DED and the CAES Fiscal Compliance Coordinator. In addition, in the event of a compromise, follow these procedures:
- Do not access or alter compromised systems.
- Do not turn the compromised machine off; isolate compromised systems from the network.
- Preserve logs and electronic evidence.
- Log all actions taken.
- Be on high alert and monitor all systems.

Questions and Further Instructions
Upon completing this training, please attest to your completion by clicking the following link and following the instructions provided: https://ugeorgia.qualtrics.com/jfe/form/SV_ac59KFG9xu9Jsgt
Contact Information:
Timothy Gray, CAES Fiscal Compliance Coordinator
tgray88@uga.edu
706-542-1861