|
Cash and Credit Card Handling Policy
As a Harvard University Service Center involved in the sale of products and services to students, faculty, staff, affiliates and other individuals, UIS departments are responsible for collecting, depositing, recording, reconciling and safeguarding cash, checks, and credit card payments received from customers, who have purchased UIS products and services. The UIS businesses that accept cash, checks and credit cards for goods and services, and the UIS Accounting department are responsible for performing all of the associated duties necessary in accomplishing these objectives in accordance with the principles, practices and procedures described below.
The following principles must be followed by all UIS employees involved in the cash handling process (cash and personal checks) and all UIS managers who oversee businesses that provide product and services to customers on a cash basis:
- Only authorized personnel may handle cash and check payments from customers.
- There must be a separation of duties between those receiving and those depositing cash and checks.
- All checks must be strictly endorsed with “For Deposit Only – Harvard University” immediately upon receipt.
-
- All cash transactions must be processed using a UIS business system that has been reviewed and authorized by UIS Accounting.
- All cash drawers must remain locked at all times when not in use. Never leave an unlocked drawer unattended.
- Cash and checks must be housed in a secure area (i.e. locked safe) at each UIS location prior to deposit.
Below is a list of procedures that all UIS businesses must follow in managing their cash and check receipts:
Cash Receipts - UIS Business Functions
- At the end of each business day, a physical count of all cash and checks received must be completed and those amounts must be reconciled to the business system cash receipt journal.
- All cash receipt journals must be signed and dated by the individual designated to close out the cash drawer.
- All discrepancies must be reviewed and approved as evidenced by the business manager’s signature.
- Customer check payments must be stamped “For Deposit Only – Harvard University” prior to delivery to UIS Accounting.
- All cash funds must be stored in a locked safe at the end of each day. Access to the safe must be restricted.
- Cash and checks must be delivered at the designated daily time in a locked money bag to UIS Accounting at 1230 Soldiers Field Road using the UIS shuttle.
Please note: UIS Accounting will not accept any cash deposit that has not followed the proper procedures outline above.
Cash Reconciliations and Deposits - UIS Accounting Functions
- Daily cash is received by UIS Accounting from the various sites and is counted and verified to the billing invoice register and the businesses’ cash receipts journal.
- All cash discrepancies identified by UIS Accounting will be communicated back to the appropriate business manager for resolution.
- UIS Accounting maintains a database to track all cash receipts that are deposited to the general ledger. This database is used to breakdown the cash receipts by general ledger code and taxable vs. non-taxable transactions.
- UIS Accounting secures the cash receipts in a locked safe until they can be deposited at the bank (usually within 2-3 days of receipt).
- After depositing the cash, UIS Accounting delivers the bank deposit slip to Harvard Cash Management department along with the required supporting documentation.
Transaction Posting - Harvard Cash Receipts / Management Functions
- Harvard Cash Receipts department records all cash transactions to the general ledger system.
- Harvard Cash Management reconciles each cash receipt transaction to the bank statement.
- UIS Accounting verifies the posting of the cash transactions to the general ledger by cross checking against copies of the deposit slips.
- Any discrepancies found by UIS Accounting are communicated back to Harvard Cash Receipts department.
Occasionally, a UIS Business group will receive a miscellaneous receipt (cash or checks) that must to be sent to UIS Accounting for processing. Types of miscellaneous receipts include; vendor commissions, rebates and other reimbursements as well as employee reimbursements to the University.
Below is a list of procedures that all UIS businesses must follow when handling miscellaneous receipts:
- The UIS business indicates the proper 33 digit code to be used for the miscellaneous receipt and forwards the receipt to UIS Accounting.
- UIS Accounting prepares a credit voucher and sends all the documentation to Harvard Cash Management.
- Harvard Cash Management deposits the receipt and posts the transaction to the general ledger.
- UIS Accounting verifies the posting of the cash transaction to the general ledger by cross checking against copies of the deposit slips.
- Any discrepancies are communicated back to Harvard Cash Receipts department.
Below is a list of procedures that all UIS businesses must follow when handling customer refunds and returned checks:
Customer Refunds
- The UIS Business group creates a credit memo for product returned by customers.
- The credit memo request is forwarded to UIS Accounting who will process a check payment from Harvard Cash Management utilizing the Harvard Web Voucher system.
- The check is then mailed directly to the customer receiving the refund.
Returned Checks
- Harvard Cash Management notifies UIS Accounting of any return checks due to insufficient funds.
- UIS Accounting makes a reasonable effort to collect payment from the customer utilizing established procedures.
The following principles must be followed by all UIS employees and managers who oversee businesses that accept credit cards as a form of payment for products and services:
- Credit card decisions shall be independently made and shall conform to requirements of the law.
- Credit card processing (e.g. on-line, by phone, card swiping) should follow specific security rules outlined below and developed by the Payment Card Industry (PCI) Data Security Standards. Failure to follow the requirements below can result in severe penalties, including fines and prohibition from further acceptance of the credit cards.
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
- Credit card information should be housed in a secure area (locked safe) at each UIS location and also follow University standards on electronic data protection.
- There should be very few people that have access to credit card data after the transaction has been authorized. Other authorized users should either not see any data or see a masked number with only the last 4 digits visible.
- Ensure that any passwords that protect credit card data are different from other passwords you have and are hard to guess, not written down or otherwise left unsecured. PCI also requires that passwords be periodically changed
- For additional information on credit card best practices, please see the Harvard Risk Management policy on credit card transactions.
UIS business managers considering accepting credit card payments from customers must contact Dave Murphy at 5-1836 in UIS Accounting department who will assist in the set-up process.
For additional information on PCI Data Security Standards see the UIS PCI Credit Card Compliance Policy.
Below is a list of procedures all UIS businesses should follow in managing their credit card processing that incorporate the principles outlined above:
Credit Card Compliance Certification - UIS Business and Accounting Functions
- Departments that have applications which accept credit card data must be compliant with Payment Card Industry (PCI) / Data Security Standards and undergo a verification process through Harvard's credit card authorization server.
- The certification process requires completion of an annual questionnaire and quarterly remote vulnerability scans. All outward-facing IP addresses as well as URL's on network segments that have servers that accept, store, or transmit credit card numbers must be tested and certified.
- Any security incident or potential breach involving systems that accept, process, or store credit card information must be immediately reported to Harvard Cash Management, who will involve a credit card incident response team comprised of representatives of Harvard Cash Management, UIS Network Services, RMAS, & OGC. This team will work with your local business and technical people to investigate and remedy the situation. Local units will be responsible for any fines or penalties resulting from breaches of their data.
Credit Card Receipts - UIS Business Functions
- At the end of each business day, individual sales invoices are reconciled to the settlement statement or Cybersource daily batch summary, depending on the billing system used.
- The settlement statements or Cybersource reports must be signed and dated by the customer service representative that reconciles the documentation.
- All discrepancies must be reviewed and approved as evidenced by the business manager’s signature.
- Credit card transaction documentation is delivered at the designated daily time in a locked money bag to UIS Accounting at 1230 Soldiers Field Road using the UIS shuttle.
Please note: UIS Accounting will not accept any credit card deposit that has not followed the proper procedures outline above.
Credit Card Reconciliations - UIS Accounting Functions
- Daily credit card receipts are received by UIS Accounting from the various sites and are verified to the billing invoice register. Additionally, UIS Accounting verifies monthly credit card transactions to the merchant statements.
- All credit card transaction discrepancies identified by UIS Accounting will be communicated back to the appropriate business manager for resolution.
- The bank notifies UIS Accounting Manager when a card holder is questioning or disputing a charge. UIS Accounting compiles the relevant documentation and either contacts the cardholder or bank, depending on the individual circumstances.
- UIS Accounting prepares the credit card deposit report and delivers the information to Harvard Cash Receipts department.
- UIS Accounting maintains a database to track all credit card deposits that are posted to the general ledger. This database is used to breakdown the credit card transaction by general ledger code and taxable vs. non-taxable transactions.
- UIS Accounting secures all credit card documentation, including sales invoices and credit card batch reports in a locked safe or locked file drawer once reconciled.
Transaction Posting - Harvard Cash Receipts / Management Functions
- Harvard Cash Receipts department records all credit card transactions to the general ledger system and reconciles all the transactions to the bank statement.
- UIS Accounting verifies the posting of the credit card transactions to the general ledger by cross checking against copies of the deposit slips. Any discrepancies are communicated back to Harvard Cash Receipts department.
For additional information on PCI Data Security Standards see the UIS PCI Credit Card Compliance Policy.
All credit card documentation is shredded periodically.
Due to the increased threat of identity theft, fraudulent credit card activity and other instances where cardholder information has been compromised, the credit card associations (Visa, MasterCard, etc.) have mandated compliance to PCI data security standards for any merchant or service provider that “transmits, stores, or processes” cardholder information. This compliance requires that each merchant be certified to be in compliance with PCI in order to accept credit cards.
All UIS businesses that accept credit cards as payment for products and services must be compliant with all policies as outlined in the Harvard University Credit Card Merchant Handbook and will be required to pass an audit of their internal systems and processes.
For additional information on PCI Data Security Standards see the UIS PCI Credit Card Compliance Policy.
Each department should establish a local data retention policy that determines how long the department should retain credit card information. Cardholder information storage should be kept to a minimum. Departments should limit their storage amount and retention time to what is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Below are some guidelines:
- Electronic – Ideally, credit card numbers will not be stored locally in electronic form. If your business requires that you temporarily store credit card account numbers, they should be securely disposed of when they are no longer needed. It is permissible to retain the last four digits of the credit card number.
- Paper - Federal and credit card association require merchants to retain the original signed credit card merchant slip for 2 years. These should be kept locked on site for 2-3 months and then placed in archives for the remainder of the 2 years. They should be securely destroyed directly from archives.
The UIS Business group creates a credit memo for product returned by customers. The credit memo is used to process a credit against the original credit card charged when the product was originally purchased.
For additional information on the department-wide Cash Handling and Credit Card Policy and Procedures, please contact Dave Murphy at 617-495-1836.
|
