Payment and Funds Handling

Compliance

A Funds Handling Training Presentation Presented at the Business Practices Seminar

February 24, 2012

1

o The first step to receive approval to accept credit cards is to call Visa

2

o Criminal background checks are required before employees or volunteers

can handle funds o It is OK for employees to keep cash at their desk in a locked drawer o If funds are collected on a regular basis deposits should be prepared daily o Employees who collect and deposit cash can also complete the reconciliation o Employees must be trained when hired, annually, and after a system or process change

o Employees can receive payment card information through their email

o The university is responsible for any costs that merchants incur to comply with accepting payment cards regulations o Departments must complete an annual self-assessment questionnaire and validation of compliance with PCI-DSS

o Departments do not need to keep a record of employee’s training

Funds are handled by many departments on campus (including cash, checks, credit cards)

Internal and External Audits – cash handling is a common problem at the university, with recommendations regarding segregation of duties, safeguarding funds on hand, and timeliness of deposits.

Departments make important decisions regarding the available payment avenues. Risk can be reduced by strengthening internal controls in the cash handling process and implementing alternate cashless payment avenues.

3

……..the principles of good funds handling

4

Funds Include: • Coins • Currency • Checks/Traveler’s Checks • Money Orders • Credit Card Transactions • Gift Cards • Hokie Passport • Electronic Funds Transfers (Wires, ACH, and EFT)

5

……..the principles of good funds handling are basically the same.

Segregation of Duties

Security Documentation Reconciliation

Management Review

6

First, lets talk about risk and controls….

Who or what is at risk?

7

Cash is stolen Cash is lost Statement of Account doesn’t agree with departmental internal records

The following results when controls are inadequate-- No audit trail Finger pointing/Accusations Lost revenues

Exposure of non-public personal financial information Identity Theft Reputation Risk Fines and Penalties if no compliant with laws and regulations

8

Remember – In the funds handling process, YOU are just as important as the cash………..

The controls (rules) that we will discuss are designed to protect you, your employees, your customers, and the funds being handled.

9

Risk and Controls

10

Perform criminal background checks for individuals handling funds before hiring or assigning new responsibilities

Department Evaluates Business Needs:

11

Is there a registration process?

Is there electronic commerce?

Is there collection of cash? Checks?

Is the activity approved?

Department develops a plan:

12

Is a change fund needed? How are funds received? Mail or in person? Online? Who is going to collect funds? Record the funds? How are funds going to be secured? Who is going to prepare the deposit? How? Where to deposit? When? Frequency? Reconciliation? Management Review? Who needs training? Are procedures documented?

Is a change fund needed? If you are going to make change, then you need a change fund. DO NOT use coin & currency received to create a change fund Never make change from your personal cash! Send written request for change fund to the Bursar’s Office Keep amount as low as possible Keep the cash safe Periodically document surprise counts of the change fund Change fund money should NEVER be deposited with money (income) collected.

= 13

How is cash received? Mail or in person? Who is going to collect the cash? Record the cash?

• Payments are recorded in a cash register, mail log, or pre-numbered duplicate receipts book. A receipt should always be provided to the customer for in-person transactions.

• Checks should be made payable to the Treasurer of Virginia Tech whether received by mail or in person.

•Checks should be restrictively endorsed upon receipt.

•Post-dated or foreign checks and money orders should not be accepted.

How is cash received? Mail or in person? Who is going to collect the cash? Record the cash? • Funds are balanced to the documents and/or receipts.

• Balanced funds should be documented on a cashier log.

• Voided and/or corrected transactions should be documented and

have management approval at the time of the transaction.

15

How is cash received? Mail or in person? Who is going to collect the cash? Record the cash? For proper segregation of duties, the person collecting cash can not have any other responsibilities related to cash handling. Other cash handling duties that conflict with cash collection include:

• preparing and making deposits, • reconciling statements of account, and • recoding charges and payments to customer accounts.

If this is occurring due to lack of staffing, compensating controls such as management oversight and review should be established and used.

Everyday, all money collected must be balanced! Compare the total cash, checks, credit card receipts, and other forms of cash equivalents to the cash register total, cashier/mail log, or pre-numbered receipts. Sign and date. No short-cuts!!!

17

“Now that we have collected the $$$$$$, what do we do with it?”

Balance Deposit Secure Reconcile

Let’s go back to Our checklist......

18

Depositor should be someone who didn’t collect the cash. Duties are comprised of: Verifying the funds and documents to the Cashier and/or Mail Log.

Depositor prepares a University Deposit Ticket in its entirety, This includes the correct Banner fund number, account code and amount.

For those depositing directly with the University’s bank, a bank deposit slip must also be completed in its entirety. This amount should agree with the total of the university deposit ticket and the combined totals of the ‘Cashier’ and/or ‘Mail Logs.’

The depositor is responsible for having the funds and university deposit ticket transported to the Customer Service Area of the University Bursar’s Office for deposit.

For those departments utilizing direct deposit, the depositor is responsible for having the funds, university deposit ticket and bank deposit slip transported to the University’s bank by the Virginia Tech Police Courier.

19

20

• For departments collecting funds on a regular basis (3 or more times per week) deposits should be prepared daily.

• For those departments receiving funds less frequently, deposits must be made each Friday or as soon as cumulative funds reach $250.00. All accumulated cash receipts totaling $250.00 or more must be deposited within 24 hours from the time of reaching this limit.

• Departments electing not to deposit daily assume more risk and are required to have acceptable safeguards in place.

21

Funds and receipts must be kept in secure locations. To protect the funds, they should be kept in a lockable container, such as a cash box, and stored in an area that is not visible to unauthorized personnel. The container should not be left unattended during the working day. At night or outside of business hours, all funds must be kept in a secured (locked) storage area, such as a locking file cabinet or safe. Manual receipts and the ‘Cashier/Mail Log’ should be stored separately from the funds in order to maintain accountability for loss in the event of a theft.

22

Check deposits may be mailed to the Office of the University Bursar (Attention: Customer Service, 150 Student Services Building, Mail Code 0143) providing the deposit:

1. Does NOT contain cash 2. Includes no more than 10 check items 3. Totals no more than $250.00

If checks are mailed, the department is responsible for lost deposits and having the checks reissued. Deposits containing cash must not be mailed to the University Bursar’s Office.

23

Don’t ever overlook this step!! Reconciliation must be performed by a person with no cash handling responsibilities.

Reconcile the validated deposit ticket to the departmental copy after the deposit has been made. Deposit tickets must be reconciled to the revenue items on the Banner Finance Reports.

24

Reconcilers should: Investigate and resolve discrepancies within 60 days. Completed reconciliations must be dated and signed by

the preparer when reviewed, dated and signed by an approved Department Head, Director or Manager.

Reconciler should not collect or deposit money to

maintain proper segregation of duties.

25

Establish written procedures for processing cash receipts.

Require that staff handling cash be properly trained & follow all procedures of the University’s funds handling policy.

Review and approve reconciliations monthly and ensure discrepancies are resolved within 60 days.

Ensure that all documentation reviewed is initialed (or signed) & dated. No matter who is collecting, depositing, and reconciling. . . Management is ultimately accountable.

26

One of the most important controls in the cash collection process, and often, the most difficult to manage. A different person should be involved in each step: billing, cash collecting, cash depositing, reconciliation, and management review. Let’s talk about how to manage segregation of duties.......

27

Management Review

Reconciling

Depositing

Billing Receive Funds

28

Ideally, a different person doing each of the procedures! This is the best way to assure ourselves that the process works well.

What if you don’t have 3 or 4 people to bill, collect, deposit and reconcile?

Even in a small department, billing should be done by someone who is not responsible for the cash handling process.

TIP: If you have items that you currently charge students, check with the Bursar’s office to see if accounts receivable can process these bills for you.

29

If you don’t think you have enough people to segregate the collecting, depositing and reconciling functions, you will have to develop “compensating controls”. Maintain individual accountability. Limit access to the funds. Deposit all receipts intact. Frequent supervisor/management review, reconciliation and oversight.

30

If access to cash cannot be restricted to a single individual, then the department should deploy appropriate mitigating controls, such as: • Logging transactions by individuals • Reconciling the cash between individuals having access to the cash.

31

If you have responsibility for taking the money deposits to the Bursar’s Office, 150 Student Services, please use good common sense. • Don’t be conspicuous. . . use a backpack! • Don’t take the same route or go at exactly the same time every day – don’t be predictable! •Call Bursar’s office to arrange for a secure pickup if a large volume of cash

32

Department develops a plan: Is a change fund needed? How is cash received? Mail or in person? Who is going to collect the cash? Record the cash? How is the cash going to be secured? Who is going to prepare the deposit? How? Where to deposit? When? Frequency? Reconciliation? Management Review? Who needs training?

33

34

Levels of acceptable risks are different

Procedures and controls are different Miscellaneous reimbursements (i.e. telephone

reimbursement) Misdirected payments, checks Frequent, recurring activities generating receipts or

receivables Annual activity with many receipts

35

Cash Checks HokiePassport

AccountsReceivable

Hokie Mart CommerceManager

Risk Supplies / Equipment People

High

Low / Moderate

Moderate

Moderate

Low / Moderate Low

Low Low Low Low Low

Low Low Low

Low / Moderate

Low / Moderate

36

High High

These costs apply to stand alone solutions

Who is involved in the funds handling process

What we do to generate the need for funds handling, types of funds permitted

When we collect funds (i.e. pay as you go, after order, after delivery)

Where funds are collected

How funds are collected

37

NOTE: DOES NOT ELIMINATE THE NEED FOR RECONCILIATION OF FINANCIAL ACTIVITIES

Frequent and recurring customer sales or services . . . HOKIEMART FOR INTERDEPARTMENTAL ACCOUNTS RECEIVABLE INVOICE with OPTION TO PAY ONLINE DIRECT DEPOSIT/ACH TRANSFER COMMERCE MANAGER

38

NOTE: DOES NOT ELIMINATE THE NEED FOR RECONCILIATION OF FINANCIAL ACTIVITIES

Frequent and recurring sales or services to other university departments. . . HOKIEMART FOR INTERDEPARTMENTAL Establish department as a vendor in HokieMart Customer places order in HokieMart Examples include Facilities, Software Sales,

UOPD Courses, CPEAAA

39

NOTE: DOES NOT ELIMINATE THE NEED FOR RECONCILIATION OF FINANCIAL ACTIVITIES

Frequent and recurring customer sales or services to individuals or external companies. . . ACCOUNTS RECEIVABLE Department enters charge into Banner Bursar bills and receives payment Department reconciles A/R payments to Finance

records Examples: Service Centers, InterLibrary Loans,

Lost Books, Honor Band Fees in the Music Department, Schiffert Health Center

40

NOTE: DOES NOT ELIMINATE THE NEED FOR RECONCILIATION OF FINANCIAL ACTIVITIES

Frequent and recurring customer sales or services . . .

INVOICE with OPTION TO PAY ONLINE Department prepares invoice in Banner A/R and mails to

customer Customer pays online using e-check, debit or credit Facilitates payment from customers required to use p- cards Bursar bills monthly for any outstanding receivables and receives payments Department incurs transaction costs which could be significant for debit and credit activity Examples: VT Magazine

41

NOTE: DOES NOT ELIMINATE THE NEED FOR RECONCILIATION OF FINANCIAL ACTIVITIES

Frequent and recurring customer sales or services . . .

DIRECT DEPOSIT/ACH TRANSFER Limited application Payments from international students Payments from other international

organizations, corporations Wires may be simpler for international

transactions to facilitate currency conversion

42

NOTE: DOES NOT ELIMINATE THE NEED FOR RECONCILIATION OF FINANCIAL ACTIVITIES

Frequent and recurring customer sales or services . . . COMMERCE MANAGER Pay as you go (no receivable is established) Customer places order from your website Examples: RecSports classes, Career Fairs,

Parking Tickets

43

Frequent and recurring customer sales or services . . . COMMERCE MANAGER Customer pays online using e-check, debit or credit Department incurs transaction costs which could be significant for debit and credit activity

NOTE: DOES NOT ELIMINATE THE NEED FOR RECONCILIATION OF FINANCIAL ACTIVITIES 44

Payment Card Industry Data Security Standards

University Policy 3610 – Accepting and Handling

Payment Card Transactions

45

46

12 Requirements

Elements of a Payment card

Departmental Responsibility

47

Payment Card Industry Data Security Standards (PCI DSS) The 5 members of the payment card industry banded

together to develop security standards To protect cardholder data To reduce losses against fraud

48

Protect customers against fraud and identity theft Mandated by credit card companies – Compliance is

mandatory in order to maintain the ability to accept payment cards.

For the university’s protection to avoid potential financial liabilities, loss of reputation and customers, as well as litigation.

49

Install and maintain a firewall configuration to protect card holder data

Do not use vendor – supplied defaults for system passwords and other security parameters

Keep cardholder data storage to a minimum; Do not store full track data, card validation codes, PIN, expiration dates; Mask number down to last four digits

Encrypt transmission of cardholder data across open public networks

Use and regularly update anti-virus software or programs

Develop and maintain secure systems and applications

Restrict access to cardholder data by business need to know

Assign a unique ID to each person with computer access

Restrict physical access to card holder data

Track and monitor all access to network resources and card holder data

Regularly test security systems and processes

Maintain a policy that addresses information security

50

Self Assessment PCI DSS Recommends SAQ’s

External Assessment

Validation requirement annually or upon change

51

SAQ Method of Acceptance Requirements Risk

D All other SAQ eligible service providers for all merchants not meeting the descriptions of SAQ A – C

289

C

Those who process cardholder data via payment applications connected to the internet but who do not store cardholder data on any computer system

64

C-VT Those who process cardholder data only via isolated virtual terminals on personal computers connected to the internet

51

B Those who process cardholder data only via imprint machines or via standalone, dial out terminals

29

A Third party hosted 13

52

Mos

t Ri

sk

Mod

erat

e Ri

sk

less

Ris

k

Cardholder data PAN (Primary Account Number) Expiration Date Cardholder Name

53

Sensitive Authentication Data CVC or CVV (Card Verification Code) – 3 or 4 digit code used

in card-not-present transactions Full Magnetic Stripe – data encoded in the magnetic stripe

for authorization during transactions when the card is swiped

54

CVC

Data Element Storage Permitted

Render Stored Account Data Unreadable

Acc

ount

Dat

a Cardholder Data

Primary Account Number (PAN)

YES YES

Cardholder Name YES NO

Service Code YES NO

Expiration Date YES NO

Sensitive Authentication

Data

Full Magnetic Stripe Data

NO CANNOT STORE

CAV2/CVC2/CVV2/CID NO CANNOT STORE

PIN/PIN Block NO CANNOT STORE

55

Must adopt and review annually administrative and technical procedures supporting compliance with the PCI-DSS, ensuring employees involved in the acceptance of cards are trained annually or when systems change

Must complete an annual self-assessment questionnaire and validation of compliance with PCI-DSS

56

Must receive training upon hire, annually and upon system or process change

Clear criminal background check

Must acknowledge annually they have read and understand the university’s policy for compliance with PCI-DSS and the department’s procedures for compliance

57

Employees with payment card responsibilities

Concerns should be reported to the University Payment Card Coordinator in the University Bursar Office

Suspected criminal activity should immediately be reported to the Virginia Tech Police Department and the Payment Card Coordinator

58

Reporting suspected exposure or theft

Acceptable methods for disposing of cardholder data Incinerating Pulping Cross-cut shredding

Cardholder data (i.e. the PAN) and sensitive authentication data should be destroyed immediately after card authorization

59

Properly Disposing of Cardholder data

Payment Card Industry Data Security Standards

University Policy 3610 – Accepting and Handling

Payment Card Transactions

60

61

University Policy 3610 supports compliance with PCI DSS

Procedures Approval Costs Documentation

Secure Payments Annual Validation Requirements Suspected Theft or Exposure

62

Must request and receive approval from the University Bursar Office to: Accept payment cards Store any cardholder data, and must be annually approved

thereafter To change the method of accepting or processing payment

cards, request must be made in writing to the the Office of the University Bursar

Requesting Approval

63

Merchants are responsible for all costs of compliance to accept payment cards

University Merchants may not adjust the prices of goods and services base upon the method of payment or directly pass along any fees associated with accepting payment cards to the customer

University merchants responsible for monetary sanctions and/or card acceptance restrictions imposed as a result of direct negligence or failure to adhere to university policies and PCI Standards

Costs

64

Each university merchant must have written procedures specific to its operations that are consistent with this policy and other university policies and procedures Information Technology Security

Funds Handling

Fiscal Responsibility

Segregation of Duties

Reconciliation of Procedures

Physical security and identification

of card processing area

Disposal and Storage

Separate Passwords

Firewall

Anti-virus software

Cash register procedures

Personnel screening

Deposits

Documentation

65

1. Preferred hosted payment solution: Commerce Manager

2. Dial Up Terminals

3. Approved Integrated Solutions

NOTE: Cards may never be accepted via email or phone mail, and departments may not provide computers for general public use and acceptance of payment cards via the internet

Approved Methods to Accept Payment Cards

66

Limit access to payment card data to those with a business need for the information

Prohibited from intentionally disclosing sensitive payment card information to unauthorized individuals and may be subject to criminal and civil penalties

Must not request, receive, or transmit any payment card information through unsecure mediums

Must not retain cardholder data without documented business needs (paper or electronic)

67

When an employee is no longer involved with

payment card operations, access to keys, access codes, and passwords must be revoked and/or changed immediately

Must segregate all duties related to data processing and storing of payment card information

Electronic Storage of Sensitive Authentication Data

and unencrypted cardholder data is prohibited 68

New Hire Prescreening Training before duties and access to cardholder data

Annually Complete Payment Card Training Annually Payment Security Agreement, which confirms

understanding and adherence to Policy 3610

University merchants (i.e. Departments) must keep a record or employee’s training

69

Must complete a criminal background check before receiving payment card responsibilities

Must have a unique login identification and

password to access payment card information This ensures individual accountability and segregation

of duties

Must not share password or log-in information

70

University merchants must complete an annual assessment to validate and document compliance with payment card requirements

The University Payment Card Coordinator with the assistance by the Information Technology Security Office will coordinate the completion of the annual assessment for all university merchants

71

University merchants are subject to review and audit of compliance by: Bursar Office Internal and External University Auditors Information Technology Security Office Merchant Acquirer Brands

Must resolve any vulnerability or areas of non-compliance identified promptly

Office of University Bursar reserves right to suspend or terminate a merchant’s authorization to accept payment cards for non-compliance

72

Suspected exposure must be reported immediately to University Payment Card Coordinator in the Bursar’s Office

Suspected criminal activity should immediately contact the Virginia Tech Police Activity and the Payment Card Coordinator

73

Receive additional cash handling details, contacts, and links to other

related sites:

http://www.bursar.vt.edu/faculty_staff/

Forms and templates: http://www.bursar.vt.edu/forms/ Payment Card Link: http://www.policies.vt.edu/3610.pdf

74

• Training presentation. • VT Cash Handling Policies & Procedures. • Office cash handling procedures. • Cash and change fund advances. • Deposits. • Credit cards. • University Policy 3610 • PCI DSS

CONTACT: Office of the University Bursar: 540-231-6277 or Bursar@vt.edu

75