Cash Handling and Management (Cash, Checks, Credit Cards)
Effective: 02/02/09
Revised: 08/19/23
Approved By: Senior Associate Vice President for Financial Affairs and Chief Financial Officer
For Assistance Contact: Assistant Vice President of Financial Services & University Bursar
Purpose/Scope
In this guideline, cash is defined as currency, checks and credit cards unless otherwise specified.
The proper handling of cash is a necessary control function. Supervisory personnel must monitor constantly to detect any control weaknesses and should obtain explanations for fluctuations.
Authority
Authority is provided by UTS166.
When a department receives authorization to accept cash payment for services, the department manager is responsible for adhering to this guideline and ensuring all employees are properly trained.
University Guidelines
Table of Contents
- Requesting Approval to Accept Payments on Behalf of UTSA
- UTSA-Designated Credit Card Processor
- Departmental Responsibilities
- Documentation File
- Identification (check and credit cards only)
- Records Retention
- Credit Card Payment Processing Methods
- Credit Card-Related Fees
- Payment Card Industry (PCI) Credit Card Compliance
A. Requesting Approval to Accept Payments on Behalf of UTSA
A department manager must request authorization to accept payments — in the form of currency, checks and/or credit cards — on behalf of UTSA by submitting the following forms to the Office of Financial Services and University Bursar:
Any employee authorized to handle or accept currency, checks or credit cards on behalf of UTSA must attend the Cash Handling 101 (AM 560) training class. See MyTraining for more information, including registration.
If the department manager or any authorized cash handlers change, updates must be promptly submitted to the Office of Financial Services and University Bursar. Changes to authorized cash handlers may be submitted via e-mail, but changes to the department manager must be evidenced by resubmission of the Department Cash Handling Request and Departmental Cash Handling Security Policy forms.
B. UTSA-Designated Credit Card Processor
Global Payments Inc. is the vendor under contract with UT System for processing all credit card transactions on behalf of UTSA, including authorization and settlement. Settlement is the procedure in which a merchant requests that some or all authorized transactions be processed by a credit card processor; this processing includes charging the customer's credit card and transferring the money owed to the merchant.
A department manager must request approval from the Office of Financial Services and University Bursar before accepting credit card payments on behalf of UTSA. See Requesting Approval to Accept Payments on Behalf of UTSA for more information.
After review and approval, the required forms are forwarded to Accounting Services to obtain credit card merchant IDs for the requesting department, if applicable.
NOTE: It may take up to several weeks to establish a merchant account.
Departments must use a credit card processing system certified by UTSA's credit card processor.
Any exceptions to the use of Global Payments as credit card processor must be approved by the chief financial officer (CFO). A memo detailing the requirement to use another vendor and the benefit to UTSA must be submitted to the assistant vice president of Financial Services and University Bursar for consideration. Exceptions will not be considered unless a significant benefit to UTSA or contractual obligation to use another vendor is shown.
1. Establishing a new credit card merchant account
A merchant ID is required for departments requesting to process credit card transactions via dedicated credit card terminals or online with a third-party vendor or UTSA Marketplace. Requests must be submitted using the Departmental Cash Handling Request Form and the Departmental Cash Handling Security Policy.
NOTE: Departments electing to process credit card payments via Fiscal Services are not required to establish a merchant ID. However, this determination is based on recommendations of the Assistant Vice President of Financial Services and University Bursar.
Accounting Services coordinates Merchant ID setup and hardware purchases with UTSA's designated credit card processor.
C. Departmental Responsibilities
The department manager is responsible for ensuring that the following internal controls are in place prior to accepting cash, checks and/or credit cards:
Adequate segregation of duties: An employee may not be responsible for more than one of the following cash handling roles:
- Cash, check and/or credit card payment collection and recording
- Deposit preparation
- Maintaining accounting records
- Reconciliation
- Destruction of payment-related documents
Cash register tapes or logs must be completed and attached to deposits on a routine basis to ensure that all income is being deposited.
Departments must reconcile income as part of monthly reconciliation and reviews (for more information, see fmog.1.4.1.utsa).
Income trends must be analyzed to determine whether actual income matches expected income.
Departments must ensure the security of credit card numbers and expiration dates, as required for PCI compliance. This sensitive data should be destroyed after successful completion of the credit card transaction and should not be accessible to employees not directly involved in the processing of the transactions.
Departments must maintain an accurate list of all devices and update it when devices are added, relocated, decommissioned, etc. The list should include:
- Terminal ID of device
- Make/model of device
- Location of device
- Device serial number or other method of unique identification
D. Documentation File
Once a department receives approval to accept payments on behalf of UTSA, a file must be created and maintained that includes:
- A copy of the Departmental Cash Handling Security Policy.
  NOTE: The ICRS.utsa may review this document periodically.
- Validation that relevant employees have read this guideline and have attended Cash Handling training.
E. Identification (checks and credit cards only)
One form of identification should be reviewed by departmental personnel when accepting a check or credit card payment in-person. Acceptable ID is as follows:
- UTSA ID card;
- Valid Texas State ID or driver's license that contains a photo of the check issuer or credit card holder; or
- Valid out-of-state issued ID or driver's license that contains a photo of the check issuer or credit card holder.
F. Records Retention
In accordance with the UTSA Records Retention Schedule, all paper and electronic records must be retained in a secure location for the current fiscal year and the prior three fiscal years. Department managers should shred or destroy records after the required retention period.
The Departmental Cash Handling Security Policy form addresses destruction of physical and electronic records; that form must be on file with the Office of Financial Services and University Bursar.
NOTE:
- Departments may photocopy checks for retention; however, the routing and account numbers (printed on the bottom of the check) must be removed, because retaining them creates a risk of unauthorized use of account information.
- Credit card numbers and expiration dates must not be kept on any retained documentation. Customer credit card numbers and expiration dates should only be kept until the transaction is successfully completed. Simply concealing the numbers with a marker or by other means is not sufficient and the department must ensure that they are destroyed or removed from any forms retained.
G. Credit Card Payment Processing Methods
Departments can select one of the following credit card payment processing methods depending on their anticipated transaction volume, credit card acceptance method, credit card type and related processing fees. All methods require authorization from the Office of Financial Services and University Bursar prior to setup.
NOTE: Departments may use the Credit Card Processing Methods — Quick Reference Chart to help determine the most appropriate credit card processing method.
1. Fiscal Services
Departments that process up to 50 credit card transactions per event/month may elect to process credit card payments using the Fiscal Services processing method, which involves providing credit card transaction information — using the Credit Card Payment Form — to be processed on Fiscal Services dedicated credit card terminals. Credit card information should only be kept until the transaction is successfully completed. No copies of this form should be retained by the department.
Departments may bill the credit card expense charge to the credit card holder (for tuition-related revenue) or to a departmental Cost Center or Project ID/Activity.
No merchant ID setup is required for this option, but departments remain responsible for destroying all records of the credit card number and expiration date.
2. Dedicated credit card terminal (Point-of-Sale/POS)
If a department elects to process credit card payments via a dedicated credit card/Point-of-Sale terminal, the department must purchase encrypted credit card terminal(s) from Global Payments by coordinating with Accounting Services. All related fees will be charged to a departmental Cost Center or Project ID/Activity.
The department manager is responsible for the physical and electronic security of credit card information, costs associated with credit card transactions and following established accounting and cash handling procedures when using this payment processing method.
The department must purchase a terminal and printer. The terminal requires a power source and a network connection. Connection to a telephone line is not permitted since only the network connection is encrypted.
The department manager is responsible for the security of their dedicated credit card terminals and must ensure they are operated and stored in a secure environment. Criminals are actively targeting vulnerable merchant terminals to steal credit card data for fraud purposes. At a minimum, departmental personnel must track and routinely inspect their dedicated credit card terminals for tampering or substitution by routinely checking serial numbers or other identifying characteristics, checking for unexpected attachments or cables plugged into the device, and checking external markings. They must also ensure that unauthorized persons cannot access these machines, both during business hours and when the university is closed. If a dedicated credit card terminal is missing/stolen or if it is suspected of being tampered with, contact the assistant vice president of Financial Services and University Bursar immediately.
3. UTSA Marketplace
A department manager may request the UTSA Marketplace processing method, which allows departments to sell goods, services or events in an online storefront application or to link to the payment-processing engine from an existing internal website. More information on the UTSA Marketplace application may be found on the Fiscal Services website.
Using UTSA Marketplace allows departments to avoid credit card gateway processor fees since the payment engine is built into the software. Credit card expense fees, assessed by Global Payments, will continue to be assessed to the department collecting the revenue.
UTSA Marketplace transactions are posted to Banner, and feed automatically to PeopleSoft daily; departments therefore do not need to create Deposit Transmittals to have the income recorded by Fiscal Services. Departments will have access to UTSA Marketplace reports, which must be used for reconciliation to posted PeopleSoft revenue.
4. Online with third-party vendor
A department manager may request the third-party vendor processing method for accepting credit card payments online — for example, via a department website.
UTSA Marketplace is the preferred option for collecting payments online. Requests to collect payments outside of the Marketplace payment portal must show a valid business reason for not using the preferred Marketplace option. Under the Marketplace option, departments do not need to create purchase orders, and can avoid paying third-party gateway fees AND making physical deposits of that revenue at Fiscal Services.
Otherwise, the setup of a third-party vendor for the online payment acceptance method is subject to regular purchasing regulations. Departments are responsible for the physical and electronic security of credit card information, costs associated with credit card transactions and following established accounting and cash handling procedures when using this payment processing method.
All third-party internet gateway processors must be certified with Global Payments Inc. and remittances must be routed to Global Payments Inc., rather than directly to a UTSA bank account.
Any exceptions to the use of Global Payments as credit card processor must be approved by the chief financial officer (CFO). A memo detailing the requirement to use another vendor and the benefit to UTSA must be submitted to the assistant vice president of Financial Services and University Bursar for consideration. Exceptions will not be considered unless a significant benefit to UTSA or contractual obligation to use another vendor is shown.
NOTE: Typically, these vendors will charge a setup fee, monthly or transaction fees, a percentage of sales, or combinations of each.
Third-party vendors must also be certified as compliant with Payment Card Industry Data Security Standards (PCI DSS). Departments must ensure the contract includes language where the vendor acknowledges their responsibility for security of UTSA credit card information in compliance with PCI DSS. A copy of the PCI DSS Report of Compliance (RoC) must be obtained from the vendor prior to completing a contract. The contract must state that the vendor will provide a copy of the RoC upon request. Departments must annually request and review RoCs to ensure that their store is fully in scope of the third-party vendor’s compliance assessment.
All websites set up for credit card processing must be scheduled for monthly ASV vulnerability scans (i.e., external vulnerability scans) as required by the Payment Card Industry Data Security Standards.
Department managers who allow other units within their divisional reporting structure to use their third-party vendor or website are responsible for ensuring that the using department and their cash handlers have attended the Cash Handling 101 (AM560) training class and are familiar with all credit card PCI Data Security Standards. The department manager who "owns" the merchant ID or website is responsible for adherence to all cash handling regulations, including submission of the deposit and settlement information to Fiscal Services.
H. Credit Card Related Fees
Department managers are responsible for all costs associated with credit card processing, including but not limited to, setup fees, monthly maintenance fees, bank fees, credit card expense charges, and per transaction fees. See Credit Card Expense Charge for more information and a list of current fees.
1. Credit card expense charge
A credit card expense charge is a percentage of total sales that a merchant pays to a credit card company (for example, MasterCard) each time the merchant accepts a credit card payment. Expense charges vary by credit card company (for example, MasterCard, Visa, American Express, Discover) and by classification of merchant department.
NOTE: Card-absent transactions — transactions where the credit card is not physically present — may be charged a slightly higher expense charge.
The credit card expense charge is billed monthly for each credit card type and is based on each department's selected payment processing method:
Payment processing method | How the credit card expense charge is billed |
---|---|
Dedicated credit card terminal, online with third-party vendor or UTSA Marketplace | Credit card expense charges are automatically charged to the department’s Cost Center or Project ID/Activity (provided to Accounting Services via Departmental Cash Handling Request Form). |
Fiscal Services | Appropriate department personnel determine whether to charge the expense charge to the cardholder or to their Cost Center or Project ID/Activity. |
2. Dedicated credit card terminal fees
Dedicated encrypted credit card terminals must be purchased by departments that elect to process credit card payments via a dedicated credit card/Point-of-Sale terminal. See Dedicated credit card terminal (Point-of-Sale/POS) for more information.
I. Payment Card Industry (PCI) Credit Card Compliance
Departments must keep copies of all credit card information confidential and protected from misuse in compliance with the Data Security Standards (DSS). Annually, all departments who accept and process credit card payments must validate that their acceptance processes comply with PCI standards by completing applicable Self-Assessment Questionnaires (SAQ) in conjunction with the Office of Financial Services and University Bursar.
PCI Data Standards are the responsibility of each department that accepts credit card payments. Non-compliance that results in the compromise of UTSA's customers' credit card information could result in severe monetary penalties and costs and/or suspension of UTSA's authority to accept credit card payments.
The Office of Financial Services and University Bursar will periodically review departmental processes related to credit card security, acceptance and processing. Departments who are discovered to be out of compliance with PCI Data Standards may have their ability to accept credit cards removed and any applicable merchant IDs revoked. Revocation of authority to accept credit cards can result from failure to comply with the PCI Data Standards below, or failure to complete the annual Self-Assessment Questionnaire (SAQ).
- Build and Maintain a Secure Network and Systems
  - Identify and authenticate access to system components
  - Schedule monthly ASV scans and immediately resolve any vulnerabilities
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
  - Remove or disable unnecessary default accounts and change defaults necessary before installing a system on the network.
- Protect Cardholder Data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
  - Delete or render unrecoverable sensitive authentication data
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
  - Install CAPTCHA to help prevent and identify software bot activity
- Implement Strong Access Control Measures
  - Restrict access to cardholder data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Immediately remove or deactivate access for any terminated users
  - Do not group share accounts, passwords, or other authentication methods
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security
Related Forms
- Check Register
- Credit Card Expense Charge
- Credit Card Payment Form
- Credit Card Processing Methods - Quick Reference Chart
- Departmental Cash Handling Request Form
- Departmental Cash Handling Security Policy
- Deposit Transmittal Form
Revision History
Date | Description |
---|---|
08/19/23 | Clarified departmental responsibilities (section C). Updated PCI requirements, edited credit card “discount” charge to credit card “expense” charge and updated/clarified processes throughout. |
09/16/19 | Specified preference for the use of UTSA Marketplace for collecting online payments and clarified encryption requirements for credit card terminals (section G). Specified that the credit card discount charge may apply to tuition-related revenue. Updated position titles and department names. Editorial updates throughout. |