Precard Business Practices Checklist

Business practices that ought to be in place BEFORE a unit starts to accept card payments

YES NO ITEM
    (Overall) Is the department currently employing good business practices in handling non-credit card payments?
    Do cash / deposit handling procedures conform to the campus's cash control policies and procedures?
  • CU-Boulder (cash control chapter)
  • UCCS
  • CU Denver

    Are all transactions and deposits processed daily?

    Are transaction, cash / deposit handling, and reconcilement duties performed with proper segregation of duties? If not, what supervisory controls are in place to ensure proper oversight?

    Are refund transactions properly controlled; that is:

    • Approved by a supervisor before funds are returned to the payee? (Dual controls on disbursements)
    • Are refund transactions properly documented and accounted for?

    Other payment-handling practices:

    (Overall) Is the department currently employing good business practices in accounting for all payment transactions?
    Does staff understand the necessary accounting flows for transactions, and are they being properly posted?

    Are daily detail financial reports, statements, and any other applicable reports reconciled timely? Does the unit have the resources to reconcile deposit transactions daily, if it is not already being done for non-credit card deposits?

    Are the unit's speedtypes managed in a fiscally sound manner?

    Are internal records well organized, and can past transactions be readily identified and source documents quickly retrieved from the filing system (up to three years later)? Are document retention times in accordance with established record retention policies, and are documents securely destroyed when their retention time is completed?

    Does the unit have LOCKED file storage available for the retention of credit card payment detail? (Not just storage in a locked room.) Do they actually LOCK the file drawer or cabinet when not in use?

    If paper records with cardholder information are going to be generated, is the unit's archival storage secure? (That is, if the unit sends its old records to campus storage, is that storage secure?)

    Does the unit have paper shredding capability for record destruction for paper containing cardholder information? (Preferably cross-cut shredding or outsourced, secure data destruction services.)

    Does the unit have sufficient resources (staff, expertise, funding, etc.) to take on any more functions such as accepting and processing credit cards and the additional reconciliations required?

    Does the unit understand that they must pay for the additional costs of credit card acceptance out of their own budget, and cannot charge more for payments by credit card than by other means?

    Other accounting / reconcilement practices:
Comments:

YES NO (Overall) Other necessary considerations, if applicable:
    How does the department intend to accept / process cardholder information? (Check all that apply)

____On paper (Via mail or in person)

____Via telephone (with information written on paper)

____Using a card swipe terminal

____Via fax

____Via email (strictly prohibited for security reasons)

____Paper forms brought to Bursar's office for processing

____Using software on a PC

____Via the unit's web site (must involve the campus IT department in the site setup)

____Other (obtain details)

    Does the unit have a secure fax machine available to which transmissions with cardholder information can be directed? (Not a fax server!)
    Does the unit understand that it is prohibited to store cardholder data in any electronic form whatsoever without first obtaining the approval of their campus security principal AND the Treasurer's Office?
    Does the department understand that they must respond to and report any and all incidents that might entail cardholder data, whether that data is on paper or in electronic form?
    Have they created an incident response plan that follows the Treasury's incident response plan template?
    Does the unit understand that they must understand, adopt, and IMPLEMENT a security policy for protecting cardholder data?
    Does the unit have a training program for new staff, or staff accepting new payment processing responsibilities?
    Are they aware of the security requirements for accepting payments online?
    Do they have the IT staff and security knowledge to create and maintain a secure web site?
    Has the unit consulted with the campus IT Security Principal regarding their security obligations for handling card payments?

Comments:

Current Merchant Business Practices Checklist

YES NO ITEM

    (Overall) Is the department currently employing good business practices in handling credit card payments?
    Have there been any recent incidents that would indicate problems in processing payments, including credit cards?
    Are all transactions and deposits processed and accounted for daily?
    Does there continue to be proper segregation of duties, or other compensating controls in place to ensure proper oversight?
    Are refund transactions properly controlled; that is:

      • Approved by a supervisor before funds are returned to the payee? (Dual controls on disbursements)
      • Are refund transactions properly documented and accounted for?
      • Are refunds on credit cards credited only to the original card which was used for the purchase of goods or services?

    Does the unit respond timely to chargeback / disputed items (within 14 days of notification of dispute)? Are faxed chargeback notices promptly processed or forwarded to the unit?

    Have there been significant changes in the unit's number or dollar volume of card payments? Are the reasons for such changes understandable?

Comments:

YES NO (Overall) Is the department currently employing good business practices in accounting for all payment transactions, including credit card payments?
    Have there been any recent problems that might indicate a need for review of proper accounting and / or reconciling procedures?
    Are account reconcilements done properly and timely?

    Have there been recent personnel changes that might indicate a need for a review of good practices with the unit?

Comments:

Resources

Treasurer's Office

Joe Tinucci
303-837-2185
joe.tinucci@cu.edu

Payment Card Industry Data Security Standard (PCIDSS)

https://www.pcisecuritystandards.org

http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html?it=12|/business/accepting_visa/ops_risk_management/index%2Ehtml|Cardholder%20Information%20Information%20Security%20Program

http://www.mastercard.com/us/sdp/

Campus Controller's Office