Payment and Funds Handling
Compliance
A Funds Handling Training Presentation Presented at the Business Practices Seminar
February 24, 2012
o The first step to receive approval to accept credit cards is to call Visa
o Criminal background checks are required before employees or volunteers can handle funds
o It is OK for employees to keep cash at their desk in a locked drawer
o If funds are collected on a regular basis deposits should be prepared daily
o Employees who collect and deposit cash can also complete the reconciliation
o Employees must be trained when hired, annually, and after a system or process change
o Employees can receive payment card information through their email
o The university is responsible for any costs that merchants incur to comply with accepting payment cards regulations
o Departments must complete an annual self-assessment questionnaire and validation of compliance with PCI-DSS
o Departments do not need to keep a record of employee’s training
Funds are handled by many departments on campus (including cash, checks, credit cards)
Internal and External Audits – cash handling is a common problem at the university, with recommendations regarding segregation of duties, safeguarding funds on hand, and timeliness of deposits.
Departments make important decisions regarding the available payment avenues. Risk can be reduced by strengthening internal controls in the cash handling process and implementing alternate cashless payment avenues.
Funds Include:
• Coins
• Currency
• Checks/Traveler’s Checks
• Money Orders
• Credit Card Transactions
• Gift Cards
• Hokie Passport
• Electronic Funds Transfers (Wires, ACH, and EFT)
...the principles of good funds handling are basically the same:
• Segregation of Duties
• Security
• Documentation
• Reconciliation
• Management Review
First, let’s talk about risk and controls...
Who or what is at risk?
• Cash is stolen
• Cash is lost
• Statement of Account doesn’t agree with departmental internal records
The following results when controls are inadequate:
• No audit trail
• Finger pointing/Accusations
• Lost revenues
• Exposure of non-public personal financial information
• Identity Theft
• Reputation Risk
• Fines and Penalties if not compliant with laws and regulations
Remember – In the funds handling process, YOU are just as important as the cash...
The controls (rules) that we will discuss are designed to protect you, your employees, your customers, and the funds being handled.
Risk and Controls
Perform criminal background checks for individuals handling funds before hiring or assigning new responsibilities
Department Evaluates Business Needs:
Is there a registration process?
Is there electronic commerce?
Is there collection of cash? Checks?
Is the activity approved?
Department develops a plan:
• Is a change fund needed?
• How are funds received? Mail or in person? Online?
• Who is going to collect funds? Record the funds?
• How are funds going to be secured?
• Who is going to prepare the deposit? How?
• Where to deposit? When? Frequency?
• Reconciliation? Management Review?
• Who needs training?
• Are procedures documented?
Is a change fund needed? If you are going to make change, then you need a change fund.
• DO NOT use coin & currency received to create a change fund
• Never make change from your personal cash!
• Send written request for change fund to the Bursar’s Office
• Keep amount as low as possible
• Keep the cash safe
• Periodically document surprise counts of the change fund
• Change fund money should NEVER be deposited with money (income) collected.
How is cash received? Mail or in person? Who is going to collect the cash? Record the cash?
• Payments are recorded in a cash register, mail log, or pre-numbered duplicate receipts book. A receipt should always be provided to the customer for in-person transactions.
• Checks should be made payable to the Treasurer of Virginia Tech whether received by mail or in person.
• Checks should be restrictively endorsed upon receipt.
• Post-dated or foreign checks and money orders should not be accepted.
• Funds are balanced to the documents and/or receipts.
• Balanced funds should be documented on a cashier log.
• Voided and/or corrected transactions should be documented and have management approval at the time of the transaction.
For proper segregation of duties, the person collecting cash cannot have any other responsibilities related to cash handling. Other cash handling duties that conflict with cash collection include:
• preparing and making deposits,
• reconciling statements of account, and
• recording charges and payments to customer accounts.
If this is occurring due to lack of staffing, compensating controls such as management oversight and review should be established and used.
Every day, all money collected must be balanced! Compare the total cash, checks, credit card receipts, and other forms of cash equivalents to the cash register total, cashier/mail log, or pre-numbered receipts. Sign and date. No short-cuts!!!
“Now that we have collected the $$$$$$, what do we do with it?”
Balance Deposit Secure Reconcile
Let’s go back to our checklist...
The depositor should be someone who didn’t collect the cash. Duties include verifying the funds and documents to the Cashier and/or Mail Log.
The depositor prepares a University Deposit Ticket in its entirety. This includes the correct Banner fund number, account code and amount.
For those depositing directly with the University’s bank, a bank deposit slip must also be completed in its entirety. This amount should agree with the total of the university deposit ticket and the combined totals of the ‘Cashier’ and/or ‘Mail Logs.’
The depositor is responsible for having the funds and university deposit ticket transported to the Customer Service Area of the University Bursar’s Office for deposit.
For those departments utilizing direct deposit, the depositor is responsible for having the funds, university deposit ticket and bank deposit slip transported to the University’s bank by the Virginia Tech Police Courier.
• For departments collecting funds on a regular basis (3 or more times per week) deposits should be prepared daily.
• For those departments receiving funds less frequently, deposits must be made each Friday or as soon as cumulative funds reach $250.00. All accumulated cash receipts totaling $250.00 or more must be deposited within 24 hours from the time of reaching this limit.
• Departments electing not to deposit daily assume more risk and are required to have acceptable safeguards in place.
Funds and receipts must be kept in secure locations. To protect the funds, they should be kept in a lockable container, such as a cash box, and stored in an area that is not visible to unauthorized personnel. The container should not be left unattended during the working day. At night or outside of business hours, all funds must be kept in a secured (locked) storage area, such as a locking file cabinet or safe. Manual receipts and the ‘Cashier/Mail Log’ should be stored separately from the funds in order to maintain accountability for loss in the event of a theft.
Check deposits may be mailed to the Office of the University Bursar (Attention: Customer Service, 150 Student Services Building, Mail Code 0143) providing the deposit:
1. Does NOT contain cash
2. Includes no more than 10 check items
3. Totals no more than $250.00
If checks are mailed, the department is responsible for lost deposits and having the checks reissued. Deposits containing cash must not be mailed to the University Bursar’s Office.
Don’t ever overlook this step!! Reconciliation must be performed by a person with no cash handling responsibilities.
Reconcile the validated deposit ticket to the departmental copy after the deposit has been made. Deposit tickets must be reconciled to the revenue items on the Banner Finance Reports.
Reconcilers should:
• Investigate and resolve discrepancies within 60 days.
• Completed reconciliations must be dated and signed by the preparer and, when reviewed, dated and signed by an approved Department Head, Director or Manager.
• The reconciler should not collect or deposit money, to maintain proper segregation of duties.
Establish written procedures for processing cash receipts.
Require that staff handling cash be properly trained & follow all procedures of the University’s funds handling policy.
Review and approve reconciliations monthly and ensure discrepancies are resolved within 60 days.
Ensure that all documentation reviewed is initialed (or signed) & dated. No matter who is collecting, depositing, and reconciling. . . Management is ultimately accountable.
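Added example, not from the presentation and not a Virginia Tech tool: a check a reconciler could run over the department’s own deposit-ticket log against the revenue lines of a finance report, flagging amounts that do not agree, tickets never posted, postings with no departmental ticket behind them, and open items past the 60-day resolution window. The record layouts, ticket numbers, fund number, amounts and report date are all constructed.

```python
"""Departmental reconciliation check (constructed example, not a university system)."""
from datetime import date, timedelta
from decimal import Decimal

RESOLUTION_WINDOW = timedelta(days=60)  # discrepancies must be resolved within 60 days
AS_OF = date(2012, 2, 24)               # constructed report date

# Constructed departmental deposit log: ticket number, deposit date, Banner fund, amount.
DEPOSIT_TICKETS = [
    {"ticket": "DT-1001", "date": date(2011, 12, 1), "fund": "123456", "amount": Decimal("410.00")},
    {"ticket": "DT-1002", "date": date(2012, 1, 10), "fund": "123456", "amount": Decimal("250.00")},
    {"ticket": "DT-1003", "date": date(2012, 2, 1), "fund": "123456", "amount": Decimal("125.50")},
    {"ticket": "DT-1004", "date": date(2012, 2, 20), "fund": "123456", "amount": Decimal("80.00")},
]

# Constructed finance-report revenue lines, keyed by the deposit ticket they post.
FINANCE_LINES = [
    {"ticket": "DT-1002", "fund": "123456", "amount": Decimal("250.00")},
    {"ticket": "DT-1003", "fund": "123456", "amount": Decimal("152.50")},  # transposed digits
    {"ticket": "DT-9999", "fund": "123456", "amount": Decimal("60.00")},   # no departmental ticket
]


def reconcile(tickets, finance_lines, as_of):
    """Compare deposit tickets with posted revenue lines and return the findings:
    matched    - tickets whose posted fund and amount agree with the ticket
    mismatched - (ticket, ticket amount, posted amount) where they disagree
    missing    - tickets with no revenue line on the finance report
    unrecorded - revenue lines with no departmental deposit ticket behind them
    overdue    - open items (mismatched or missing) older than the 60-day window
    """
    posted = {line["ticket"]: line for line in finance_lines}
    findings = {"matched": [], "mismatched": [], "missing": [], "unrecorded": [], "overdue": []}
    for t in tickets:
        line = posted.pop(t["ticket"], None)
        if line is None:
            findings["missing"].append(t["ticket"])
            open_item = True
        elif line["amount"] != t["amount"] or line["fund"] != t["fund"]:
            findings["mismatched"].append((t["ticket"], t["amount"], line["amount"]))
            open_item = True
        else:
            findings["matched"].append(t["ticket"])
            open_item = False
        # An unresolved item is overdue once the deposit is more than 60 days old.
        if open_item and as_of - t["date"] > RESOLUTION_WINDOW:
            findings["overdue"].append(t["ticket"])
    # Anything still in `posted` was never deposited by the department: investigate.
    findings["unrecorded"] = sorted(posted)
    return findings


if __name__ == "__main__":
    for key, items in reconcile(DEPOSIT_TICKETS, FINANCE_LINES, AS_OF).items():
        print(f"{key:>10}: {items}")
```

The reviewer signing off the reconciliation would expect every entry under mismatched, missing, unrecorded and overdue to carry a documented resolution.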
One of the most important controls in the cash collection process, and often, the most difficult to manage. A different person should be involved in each step: billing, cash collecting, cash depositing, reconciliation, and management review. Let’s talk about how to manage segregation of duties...
[Diagram: the cash handling cycle as five separated roles: Billing, Receive Funds, Depositing, Reconciling, Management Review]
Ideally, a different person doing each of the procedures! This is the best way to assure ourselves that the process works well.
What if you don’t have 3 or 4 people to bill, collect, deposit and reconcile?
Even in a small department, billing should be done by someone who is not responsible for the cash handling process.
TIP: If you have items that you currently charge students, check with the Bursar’s office to see if accounts receivable can process these bills for you.
If you don’t think you have enough people to segregate the collecting, depositing and reconciling functions, you will have to develop “compensating controls”:
• Maintain individual accountability.
• Limit access to the funds.
• Deposit all receipts intact.
• Frequent supervisor/management review, reconciliation and oversight.
If access to cash cannot be restricted to a single individual, then the department should deploy appropriate mitigating controls, such as:
• Logging transactions by individuals
• Reconciling the cash between individuals having access to the cash.
If you have responsibility for taking the money deposits to the Bursar’s Office, 150 Student Services, please use good common sense.
• Don’t be conspicuous. . . use a backpack!
• Don’t take the same route or go at exactly the same time every day – don’t be predictable!
• Call the Bursar’s office to arrange for a secure pickup if there is a large volume of cash.
Department develops a plan:
• Is a change fund needed?
• How is cash received? Mail or in person?
• Who is going to collect the cash? Record the cash?
• How is the cash going to be secured?
• Who is going to prepare the deposit? How?
• Where to deposit? When? Frequency?
• Reconciliation? Management Review?
• Who needs training?
Levels of acceptable risks are different. Procedures and controls are different.
• Miscellaneous reimbursements (i.e. telephone reimbursement)
• Misdirected payments, checks
• Frequent, recurring activities generating receipts or receivables
• Annual activity with many receipts
[Risk matrix slide: columns Cash, Checks, HokiePassport, Accounts Receivable, Hokie Mart, Commerce Manager; rows Risk, Supplies / Equipment, People; each cell rated Low, Low / Moderate, Moderate, or High. Note on the slide: these costs apply to stand alone solutions.]
Who is involved in the funds handling process
What we do to generate the need for funds handling, types of funds permitted
When we collect funds (i.e. pay as you go, after order, after delivery)
Where funds are collected
How funds are collected
NOTE: DOES NOT ELIMINATE THE NEED FOR RECONCILIATION OF FINANCIAL ACTIVITIES
Frequent and recurring customer sales or services . . .
• HOKIEMART FOR INTERDEPARTMENTAL
• ACCOUNTS RECEIVABLE
• INVOICE with OPTION TO PAY ONLINE
• DIRECT DEPOSIT/ACH TRANSFER
• COMMERCE MANAGER
Frequent and recurring sales or services to other university departments. . . HOKIEMART FOR INTERDEPARTMENTAL
• Establish department as a vendor in HokieMart
• Customer places order in HokieMart
• Examples include Facilities, Software Sales, UOPD Courses, CPEAAA
Frequent and recurring customer sales or services to individuals or external companies. . . ACCOUNTS RECEIVABLE
• Department enters charge into Banner
• Bursar bills and receives payment
• Department reconciles A/R payments to Finance records
• Examples: Service Centers, InterLibrary Loans, Lost Books, Honor Band Fees in the Music Department, Schiffert Health Center
Frequent and recurring customer sales or services . . . INVOICE with OPTION TO PAY ONLINE
• Department prepares invoice in Banner A/R and mails to customer
• Customer pays online using e-check, debit or credit
• Facilitates payment from customers required to use p-cards
• Bursar bills monthly for any outstanding receivables and receives payments
• Department incurs transaction costs which could be significant for debit and credit activity
• Examples: VT Magazine
Frequent and recurring customer sales or services . . . DIRECT DEPOSIT/ACH TRANSFER
• Limited application
• Payments from international students
• Payments from other international organizations, corporations
• Wires may be simpler for international transactions to facilitate currency conversion
Frequent and recurring customer sales or services . . . COMMERCE MANAGER
• Pay as you go (no receivable is established)
• Customer places order from your website
• Customer pays online using e-check, debit or credit
• Department incurs transaction costs which could be significant for debit and credit activity
• Examples: RecSports classes, Career Fairs, Parking Tickets
Payment Card Industry Data Security Standards
University Policy 3610 – Accepting and Handling
Payment Card Transactions
12 Requirements
Elements of a Payment card
Departmental Responsibility
Payment Card Industry Data Security Standards (PCI DSS)
• The 5 members of the payment card industry banded together to develop security standards
• To protect cardholder data
• To reduce losses against fraud
• Protect customers against fraud and identity theft
• Mandated by credit card companies – Compliance is mandatory in order to maintain the ability to accept payment cards.
• For the university’s protection, to avoid potential financial liabilities, loss of reputation and customers, as well as litigation.
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Keep cardholder data storage to a minimum; do not store full track data, card validation codes, PIN, expiration dates; mask number down to last four digits
4. Encrypt transmission of cardholder data across open public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
• Self Assessment – PCI DSS recommends SAQs
• External Assessment
• Validation requirement annually or upon change
SAQ  | Method of Acceptance | Requirements
D    | All other SAQ-eligible service providers, and all merchants not meeting the descriptions of SAQ A – C | 289
C    | Those who process cardholder data via payment applications connected to the internet but who do not store cardholder data on any computer system | 64
C-VT | Those who process cardholder data only via isolated virtual terminals on personal computers connected to the internet | 51
B    | Those who process cardholder data only via imprint machines or via standalone, dial-out terminals | 29
A    | Third party hosted | 13
Risk column: runs from Most Risk (SAQ D) through Moderate Risk to Less Risk (SAQ A).
Cardholder data: PAN (Primary Account Number), Expiration Date, Cardholder Name
Sensitive Authentication Data:
• CVC or CVV (Card Verification Code) – 3 or 4 digit code used in card-not-present transactions
• Full Magnetic Stripe – data encoded in the magnetic stripe for authorization during transactions when the card is swiped
Data Element | Storage Permitted | Render Stored Account Data Unreadable
Account Data – Cardholder Data:
  Primary Account Number (PAN) | YES | YES
  Cardholder Name | YES | NO
  Service Code | YES | NO
  Expiration Date | YES | NO
Account Data – Sensitive Authentication Data:
  Full Magnetic Stripe Data | NO | CANNOT STORE
  CAV2/CVC2/CVV2/CID | NO | CANNOT STORE
  PIN/PIN Block | NO | CANNOT STORE
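Added example, not from the presentation or any university system: the storage table above applied in code. Storable cardholder data is kept with the PAN masked to its last four digits (requirement 3), sensitive authentication data is dropped before a record is written anywhere, and a scrubber masks Luhn-valid card numbers found in free text such as an e-mail body or a log line. The field names and the test card number 4111 1111 1111 1111 are assumptions/constructed.

```python
"""Apply the PCI DSS storage table to records and free text (constructed example)."""
import re

# Field names are constructed; the classification follows the storage table.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
SENSITIVE_AUTH_DATA = {"track_data", "cvv2", "pin_block"}  # CANNOT STORE after authorization

# A PAN is 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: filters out most random digit runs (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as requirement 3 directs."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return only the fields the table permits, with the PAN masked.
    Sensitive authentication data and any unrecognised field are dropped, so a
    field added upstream later cannot leak into storage by default."""
    out = {}
    for key, value in record.items():
        if key == "pan":
            out[key] = mask_pan(value)
        elif key in CARDHOLDER_DATA:
            out[key] = value
        # keys in SENSITIVE_AUTH_DATA, and anything unknown, are deliberately omitted
    return out


def scrub_text(text: str) -> str:
    """Mask Luhn-valid PANs in free text so a card number received through an
    unsecure medium (e-mail, a ticket, a log) is not then retained in it."""
    def _mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_PATTERN.sub(_mask, text)
```

Run scrub_text over outbound mail or application logs as a detective control; a hit is the signal that cardholder data travelled by a path Policy 3610 does not allow.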
Must adopt and review annually administrative and technical procedures supporting compliance with the PCI-DSS, ensuring employees involved in the acceptance of cards are trained annually or when systems change
Must complete an annual self-assessment questionnaire and validation of compliance with PCI-DSS
Must receive training upon hire, annually and upon system or process change
Clear criminal background check
Must acknowledge annually they have read and understand the university’s policy for compliance with PCI-DSS and the department’s procedures for compliance
Employees with payment card responsibilities
Concerns should be reported to the University Payment Card Coordinator in the University Bursar Office
Suspected criminal activity should immediately be reported to the Virginia Tech Police Department and the Payment Card Coordinator
Reporting suspected exposure or theft
Acceptable methods for disposing of cardholder data:
• Incinerating
• Pulping
• Cross-cut shredding
Cardholder data (i.e. the PAN) and sensitive authentication data should be destroyed immediately after card authorization
Properly Disposing of Cardholder data
Payment Card Industry Data Security Standards
University Policy 3610 – Accepting and Handling
Payment Card Transactions
University Policy 3610 supports compliance with PCI DSS
• Procedures
• Approval
• Costs
• Documentation
• Secure Payments
• Annual Validation Requirements
• Suspected Theft or Exposure
Must request and receive approval from the University Bursar Office to:
• Accept payment cards
• Store any cardholder data, and must be annually approved thereafter
• To change the method of accepting or processing payment cards, the request must be made in writing to the Office of the University Bursar
Requesting Approval
Merchants are responsible for all costs of compliance to accept payment cards
University merchants may not adjust the prices of goods and services based upon the method of payment or directly pass along any fees associated with accepting payment cards to the customer
University merchants are responsible for monetary sanctions and/or card acceptance restrictions imposed as a result of direct negligence or failure to adhere to university policies and PCI Standards
Costs
Each university merchant must have written procedures specific to its operations that are consistent with this policy and other university policies and procedures:
• Information Technology Security
• Funds Handling
• Fiscal Responsibility
• Segregation of Duties
• Reconciliation of Procedures
• Physical security and identification of card processing area
• Disposal and Storage
• Separate Passwords
• Firewall
• Anti-virus software
• Cash register procedures
• Personnel screening
• Deposits
• Documentation
1. Preferred hosted payment solution: Commerce Manager
2. Dial Up Terminals
3. Approved Integrated Solutions
NOTE: Cards may never be accepted via email or phone mail, and departments may not provide computers for general public use and acceptance of payment cards via the internet
Approved Methods to Accept Payment Cards
Limit access to payment card data to those with a business need for the information
Prohibited from intentionally disclosing sensitive payment card information to unauthorized individuals and may be subject to criminal and civil penalties
Must not request, receive, or transmit any payment card information through unsecure mediums
Must not retain cardholder data without documented business needs (paper or electronic)
When an employee is no longer involved with payment card operations, access to keys, access codes, and passwords must be revoked and/or changed immediately
Must segregate all duties related to data processing and storing of payment card information
Electronic storage of Sensitive Authentication Data and unencrypted cardholder data is prohibited
New Hire: Prescreening; training before duties and access to cardholder data
Annually: Complete Payment Card Training; annually sign the Payment Security Agreement, which confirms understanding and adherence to Policy 3610
University merchants (i.e. Departments) must keep a record of employee’s training
Must complete a criminal background check before receiving payment card responsibilities
Must have a unique login identification and password to access payment card information. This ensures individual accountability and segregation of duties
Must not share password or log-in information
University merchants must complete an annual assessment to validate and document compliance with payment card requirements
The University Payment Card Coordinator, with the assistance of the Information Technology Security Office, will coordinate the completion of the annual assessment for all university merchants
University merchants are subject to review and audit of compliance by:
• Bursar Office
• Internal and External University Auditors
• Information Technology Security Office
• Merchant Acquirer
• Brands
Must resolve any vulnerability or areas of non-compliance identified promptly
Office of University Bursar reserves right to suspend or terminate a merchant’s authorization to accept payment cards for non-compliance
Suspected exposure must be reported immediately to the University Payment Card Coordinator in the Bursar’s Office
Suspected criminal activity should immediately be reported to the Virginia Tech Police Department and the Payment Card Coordinator
Receive additional cash handling details, contacts, and links to other related sites: http://www.bursar.vt.edu/faculty_staff/
Forms and templates: http://www.bursar.vt.edu/forms/
Payment Card Link: http://www.policies.vt.edu/3610.pdf
• Training presentation.
• VT Cash Handling Policies & Procedures.
• Office cash handling procedures.
• Cash and change fund advances.
• Deposits.
• Credit cards.
• University Policy 3610
• PCI DSS
CONTACT: Office of the University Bursar: 540-231-6277 or [email protected]