8.14 Merchant (Bank Card/Credit Card) Acceptance Policy and Procedures
last updated: 10/01/2011
Policies
- Per Arizona Board of Regents (ABOR) 3-102, the responsibility for the collection of monies in connection with University activities is delegated to the Associate Vice President for Financial Services, who, in turn, delegates this responsibility to the Financial Services Office-Bursar’s Office (FSO-Bursar’s Office). The Bursar should be contacted regarding any deviations from policies and procedures stated herein.
- Only the FSO-Bursar’s Office has the delegated authority to execute agreements on behalf of the University in connection with banking type services and regulate the use of bank card services.
- Services for processing bank cards, depositing cash receipts and any specialized programs or services (e.g. shopping carts, electronic check payment) that link through an electronic bank card authorization system (gateway) will be contracted on a system-wide level through the FSO-Bursar’s Office. Merchants may use only services of vendors that have been approved by University Procurement and Contracting and FSO-Bursar’s Office that meet payment card and acquiring bank certifications, regulations and requirements.
- Merchants must agree to and adhere to all federal and bank card regulations, payment card industry and University policies and standards, including without limitation the Information Security Policy and the standards and procedures established under it, in the acceptance, processing and storing of bank card transactions as outlined in the “Campus Merchant Bank Cards Acceptance Agreement” and the PCI-DSS standards located online at https://www.pcisecuritystandards.org.
- Merchants may not accept bank cards or authorize or complete settlement for transactions of other University units or affiliates without written authorization from the FSO-Bursar’s Office.
- Bank cards may be accepted by a merchant for University gifts and donations. The Merchant Unit must contact The University of Arizona Foundation for the specific processes to report the donations and/or gifts.
- A Merchant Unit that plans to receive revenue from external sales or services and provide taxable goods to customers outside the University should contact their Financial Services Office – Fund Accountant to discuss sales tax requirements. Merchant Units should also refer to and be familiar with Section 8.11 – Sales Tax and Section 6.17 – Administrative Service Charge Policy of the Financial Policies and Procedures Departmental Manual.
- Merchant Units that accept bank card and/or electronic payments for gifts, goods or services must designate a full-time University Merchant Unit employee who will have primary unit authority and responsibility for eCommerce and bank card transaction processing. This individual will be referred to in the remainder of this policy statement as the Merchant Responsible Person or “MRP”. All MRPs will be responsible for ensuring that the unit complies with all security measures established by the payment card industry, the University Information Security Office, the “Campus Merchant Bank Cards Acceptance Agreement” and this policy.
- Initially upon the unit’s request for merchant status and annually, Merchant Units must review and sign the “Campus Merchant Bank Cards Acceptance Agreement”. Upon signing this agreement, the Unit head and MRP demonstrate that they understand and agree with the terms and responsibilities outlined in the agreement.
- No University employee, contractor or agent who obtains access to bank card or other personal payment information in the course of conducting University business may sell, purchase, provide, or exchange said information in any form including but not limited to imprinted sales slips, carbon copies of imprinted sales slips, mailing lists, tapes or other media obtained by reason of a card transaction to any third party other than to University’s acquiring bank, depository bank, Visa, MasterCard or other bank card company or pursuant to a government request. All requests to provide information to any party outside of the Merchant Unit must be coordinated with the FSO-Bursar’s Office and the Information Security Office.
- Merchant Units must use the services of a University authorized vendor to process all eCommerce transactions or web based transmissions of transactions (software based). If a unit believes that it has a significant business case or processing requirement that cannot be achieved using the services of the authorized vendor and wishes to utilize an alternative, it must initiate a request to the FSO-Bursar’s Office for approval of use. The FSO-Bursar’s Office will review the request with the University Procurement and Contracting office and notify the Merchant Unit of approval or rejection of vendor use.
- If the use of an alternative eCommerce gateway or software is necessary, the gateway and software must be included on the "Visa List of Validated Payment Applications" and be compliant with the University of Arizona Information Security policies. In addition, the alternative vendor must also be approved by the acquiring bank, FSO-Bursar's Office and the University Procurement and Contracting Office.
- Upon request of the FSO-Bursar’s Office, the Merchant Unit will complete the annual PCI-DSS Self Assessment Questionnaire and any other security scans or reviews deemed necessary by the University Information Security Office, FSO-Bursar’s Office or payment card industry. The Merchant Unit will be responsible for the costs of such service. The service will include assistance in understanding and completing the questionnaire for the Merchant Unit.
- Merchant Unit’s ability to offer bank card payment is conditioned on compliance with the PCI-DSS. The Merchant Unit is responsible for complying and maintaining PCI-DSS standards. If the Merchant Unit fails compliance, the Merchant Unit is responsible for correcting deficiencies to bring the Merchant Unit into compliance as directed by the FSO-Bursar’s and University Information Security Office. Failure to comply with PCI-DSS standards will result in withdrawal of the Unit’s ability to accept bank cards.
Procedures for Establishment and Maintenance of Card Services:
- Requests to accept cards by University Units and affiliates must be made by completing a supplied checklist and signed “Campus Merchant Bank Cards Acceptance Agreement” which is to be submitted to the FSO-Bursar’s Office. The checklist contains the following information:
  - Unit name
  - Unit merchant name: This will be the name which appears on the customer’s bank card statement and receipt
  - Unit head
  - Merchant Responsible Person, business contact (if different) and IT contact
  - Business contact’s e-mail address
  - Unit’s physical delivery address
  - Telephone number
  - Fax number
  - List of bank card companies that will be accepted (Visa, MasterCard, American Express, Discover)
  - Statement regarding the purpose of accepting bank cards
  - Unit’s account and object codes for revenue and expenses to which any debits and credits, charge-backs and discount fees will be charged
  - Fund accountant name
- Upon review of the request, the FSO-Bursar’s Office will prepare and submit all documentation to the acquiring bank and bank card companies to establish the merchant account, order the merchant terminal and notify the merchant of the assigned merchant number.
- Fees and Billing:
  - Discount fees, rental costs for equipment, and banking network access fees are deducted monthly from the campus bank account. Cash Accounting allocates these costs to merchants based on the designated account number and object code, approved by the unit’s fund accountant. A merchant statement is provided monthly by the acquiring bank.
  - As provided by the acquiring bank agreement, surcharges and convenience fees cannot be charged to the customer in order to absorb the cost of accepting bank cards.
- Credit Chargebacks:
  - FSO-Cash Accounting and the merchant will receive chargeback notifications by mail, fax or online merchant account access from the acquiring bank, American Express or Discover.
  - Merchants must respond directly to the chargeback notifying entity within the “respond by” date provided in the chargeback notification. Merchants must provide the requested information or appropriate documentation to demonstrate the legitimacy and appropriate processing of the original transaction. The acquiring bank has sole authority to determine if the chargeback will be reversed and the cash receipts returned to the merchant.
  - Upon receipt of a chargeback reversal notification and entry, Cash Accounting will perform appropriate accounting entries to reflect the chargeback reversal.
Unit Responsibilities:
- The FSO-Bursar’s Office is responsible for:
  - Reviewing and initiating requests from campus units and affiliates to establish a merchant account and accept bank cards as a form of payment for services performed or for merchandise sold by such units and affiliates.
  - Providing information and assistance to University units and affiliates that are analyzing the responsibilities and costs of accepting bank cards as a form of payment.
  - Selecting and ordering terminals and other equipment and coordinating all compliance activities for the merchant units.
  - Coordinating all Merchant Unit compliance activities that are required or directed by University policies, payment card industry, University Information Security Office, and acquiring bank standards.
- FSO-Cash Accounting is responsible for:
  - Reconciling the depository bank account to the general ledger cash account monthly.
  - Maintaining procedures to ensure the appropriate and timely recording of deposits onto the general ledger.
  - Administration and coordination of chargeback notification to the Merchant Units.
  - Administration of the University’s centralized payment process.
- All merchants are responsible to:
  - Follow security measures established by the payment card industry, Information Security Office and UA Financial Policies and Procedures.
  - Perform, in a timely manner, all periodic compliance activities that are requested by the University Information Security Office in coordination with the FSO-Bursar's Office.
  - Record all card transactional activity on the general ledger within three (3) business days of settlement.
  - Review monthly merchant statements for accuracy. Inaccurate charges must be reported to the FSO-Bursar’s Office within 60 days of statement date.
  - Notify the FSO-Bursar’s Office immediately when accounts are no longer needed and should be deactivated.
  - Respond to chargeback notifications and bank card company inquiries within chargeback notification letter deadlines.
  - Ensure that no cardholder information is stored electronically in any database, application or system.
  - Follow the responsibilities and guidelines in the exhibits included within this policy.
Security Breach Response
- All suspected and/or confirmed security compromises must be reported immediately to the University Information Security Office and the FSO-Bursar’s Office via the link at the bottom of the Payment Card Industry Data Security Standard page of the Information Security Office website. Additionally, merchants must follow the Incident Handling Standard and Guidelines available on the Information Security Office website.
- If a security breach is confirmed by the University Information Security Officer and the FSO-Bursar’s Office, the FSO-Bursar’s Office will be responsible for alerting the acquiring merchant bank, the payment card associations and other regulatory entities deemed necessary of the confirmed security breach.
References:
- The University of Arizona Policy & Procedure Manual:
  - Policy 8.10 Cash Receiving
  - Policy 8.11 Sales Tax
- University of Arizona Information Security Policies and supporting standards
- Bank Card Merchant Security Requirements:
  - Visa U.S.A. Cardholder Information Security Program (CISP)
  - MasterCard International Site Data Protection (SDP) Program
  - American Express Data Security Standards (DSS)
  - Discover Information Security and Compliance (DISC) Program
  - Payment Card Industry (PCI-DSS) Standards
  - Payment Application Best Practices (PABP)
- Arizona Revised Statute (A.R.S.) 44-7501 – Notification of Breach of Security System
maintained by: Robbyn Lennon
last reviewed: 10/01/2011