.100 General

Prior to implementation and use, initial payment card activity at James Madison University must be approved by the Associate Vice President for Finance.

Once authorized to sell merchandise or rent university facilities by the Associate Vice President for Finance, departments are required to comply with Virginia Retail Sales and Use Tax Collection requirements.

  • Contact the Cash & Investments Office for specific procedures prior to initiating any sales/rentals.

Additional procedures for payment card activity for Local/Agency Fund accounts are included in Section 3045, "Local/Agency Funds".


.200 Control Responsibilities

  • All James Madison University departments, affiliates, and vendors must maintain compliance with the current version of the Purchase Card Industry – Data Security Standards (PCI-DSS).
  • Departments will request PCI-DSS Security Awareness Training through the University Business Office for all new employees (including students) who have been designated to handle any aspect of payment card processing.
    • Background checks must be completed for all employees who process payment cards, have payment card system logins, or in any way interact with cardholder data.
  • Only a minimum number of employees whose job responsibilities requires access to cardholder data should have such access.
  • Departments shall complete the appropriate Self-Assessment Questionnaire in coordination with the University Business Office on an annual basis.
  • Departments shall ensure appropriate security controls are in place related to payment card transactions:
    • Payment card refunds are required to be placed back on the same payment card as used in the original sale.  In cases where the original card has since closed, the department is required to contact the University Business Office at 8.4674 for further instruction in how to proceed with the refund process.
    • All employees with access to payment card information need to complete PSI DSS Security Awareness renewal training every twelve months.
    • Supervisors request background checks for student employees through Student Work Experience Center (SWEC).  For all Faculty and Staff, the background check is done automatically through Human Resources during the OnBoard process.
    • Once PCI-DSS Security Awareness Training has been completed Staff Terms of Agreement will be submitted to the University Business Office.
    • Departments are not permitted to store cardholder data.
      • All post-authorization payment card information is required to be destroyed in a PCI-compliant manner, such as cross-cut shredder or outsourced service.
      • Customer and merchant receipts will only show truncated card numbers - the first six and last four digits are allowed.
  • Departments currently accepting payment cards are required to maintain the following documentation.
    • Departmental Procedures- written documentation of department specific payment card policies.
    • PCI-DSS Security Awareness Roster- a list of all individuals within the department who can interact with cardholder data.
    • Quality Control Check List- used to document the inspection of payment card terminals.
  • Accepting and processing payment card transactions over VoIP (Voice over Internet Protocol)
    • Departments will request approval through the University Business Office to accept payment cards over the phone.
    • For departments approved to accept payment cards over the phone, encrypted desk phones are required.
    • The use of soft phones is prohibited. (a soft phone is software that allows the user to make telephone calls over the internet via a computer.)
    • Employees are required to be physically present on campus to accept payment card information over the phone.

Notes:

  • All payment-handling operations are subject to review and/or audit by the University Business Office as well as the university's internal and external auditors. The University Business Office surveys university departments regularly to identify all payment collection points. If the controls are inadequate, corrective action will be taken.
  • Prior to contracting with a new vendor or expanding services offered by a current vendor, the department will contact the University Business Office for a comprehensive PCI review.
  • James Madison University has committed to reducing PCI Scope; as such, any new or existing vendor’s application that would increase or change the university’s PCI scope is prohibited.

.210 University Business Office

  • The University Business Office will provide PCI-DSS Security Awareness Training to all university employees who interact with cardholder data upon hire, reoccurring annually thereafter.
  • The University Business Office will coordinate with JMU IT to provide and maintain a secure cardholder data environment that complies with the current PCI-DSS.
  • The University Business Office works with JMU’s Security Advisor to assign departmental Self-Assessment Questionnaires.
  • The University Business Office initiates annual completion of Self-Assessment Questionnaire.

.300 Processing Procedures

.310 Associate Vice President for Finance

  • Authorize departments to sell goods and services in accordance with Commonwealth regulations.
  • Approve exceptions to daily requirements as appropriate.

.320 University Business Office

  • Provide departments who currently accept payment cards the appropriate deposit transmittal forms and instructions.
  • Monitor and audit departmental payment card processing.
  • Update departmental staff on PCI-DSS compliance changes.
  • Provide departments with a sequence of numbers to be used for Deposit Certificate numbers.
  • Coordinate with Elavon to establish merchant identification numbers for departments who have been authorized to accept payment cards.
  • Assist departments in acquiring appropriate payment card processing equipment and/or implementing approved online payment sites.
  • Assist in resolving problems encountered in monthly reconciliation process of payment card transactions.
  • Payment card chargebacks (when the bank retrieves funds from the university's local bank account due to a customer disputed payment card charge)- the University Business Office will complete all paperwork associated with the chargeback and coordinate with the department and the customer in order to reimburse the chargeback.

.330 Departments

  • Once a department has been approved to process payment cards, the University Business Office will obtain a Merchant Identification Number (MID) for the department.
  • All payment card equipment and terminals will be obtained by the University Business Office for the department. Equipment costs are billed to the department the following month.
  • Departments are responsible for contacting the University Business Office in regards to any terminal problems or error messages that may appear on the terminal.  Departments are not permitted to order new equipment or replace existing payment card terminals. If the payment card processor recommends a replacement terminal, the equipment will be replaced at the department’s expense.
  • When applicable to job responsibilities, departments will request access to online transaction management sites through the University Business Office.
  • Departments will ensure proper separation of duties exists; payment handling, record keeping, and reconciliations should be assigned to different staff members.  If the size of the department makes proper separation of duties impossible, a second person needs to verify reconciliations of funds received and accounts maintained.
  • Departments prepare Deposit Transmittal Forms daily based on deposits of funds received the previous business day.
    • The departments obtain the payment card version for the Deposit Transmittal Form from the University Business Office. This payment card version is not available online.
    • The departments obtain a unique Deposit Certificate (DC) number from the department’s log for each payment card Deposit Transmittal Form.
    • The Deposit Transmittal Form (DTF) must be delivered to the University Business Office at MSC 3516 within three business days for keying into the university finance system. See section .400 for correct preparation instructions.
  • Processing payment card information received in an email, text message, or voicemail is strictly prohibited. For each occurrence notify the Compliance Specialist in the University Business. Respond to all emails that include payment card information by deleting the payment card information and including instructions for re-submission through an approved method.
  • Retain all necessary documentation- merchant copy receipts, batch reports, copy of deposit transmittal forms, monthly reconciliations.
  • Departments are required to reconcile departmental budgets monthly comparing the university finance system reports to departmental records.

.400 Forms Preparation and Submission

  • Deposit Transmittal Form (DTF):  This form is required to transmit deposit information and expenditure credit items for Treasurer of Virginia revenue items for input to the Financial Information System.
    • The payment card version of the Deposit Transmittal Form is only available from the University Business Office and is not available online.
    • The original payment card version of the Deposit Transmittal Form is sent to the Financial Reporting Office at MSC 5715. The department must keep a copy for departmental files.
    • When depositing payment card transactions, the Deposit Transmittal Form must be delivered to Financial Reporting within three business days, after the deposit date.
  • Following are instructions for preparation of the FIS Deposit Transmittal Form. Enter information in the following categories ONLY.
  DC #: Enter the Deposit Certificate number on the Deposit Transmittal Form using a sequence of numbers provided by the University Business Office.
  Prepared By: Name of the person completing the form.
  Dep. Date: Enter the date the deposit is being made.
  Date: Enter the date the form is prepared.
  Phone/E-Mail: Phone number and/or e-mail address of the preparer.
  Bank Code: Enter BOA for all deposits.
  MSC: Enter the MSC of the preparer.
  Bank Acct.: Enter BCLR for Treasurer of Virginia payment card deposits.  Enter BDEP for local payment card deposits.
  Amount: Enter and verify the total amount of the deposit, if completed electronically this total is automatically calculated.
  Line Count: This field will automatically populate.
  Explanation: Indicate any additional facts related to the origin and/or the nature of the deposit. The batch settlement confirmation number may be listed here.
  Payment Cards: Only option available on the payment card version of the Deposit Transmittal Form.
  Dept. ID #: Enter the six-digit department identification number. Refer to">Section 2010, "Department Numbers" Numerical Listing.
  Account #: Enter the six-digit revenue source code. Refer to Section 2020, "Revenue Account Codes and Definitions".
  Description of Deposit: Indicate the origin and/or nature of the deposit.
  Amount: Summarize the receipts by revenue account codes and Dept. ID#s and enter the amount for each code. For unidentified items, list each amount collected separately. Payment Card amounts must be recorded, by day, on a separate Deposit Transmittal form. These amounts should not be included with cash and check receipts.
  D/C: Enter a "C" if the deposit is a credit to Dept. ID # - enter a "D" if the deposit is a Debit to the Dept. ID.
  Total: Enter and verify the total amount of the deposit, if completed electronically this total is automatically calculated.
  Notes for payment card deposit preparation:
  1. Payment card terminal sales are batched once, daily for every payment card machine in the department.
  2. If the deposit you are making has refunds included in the total, list the sales on the deposit transmittal as a "C" credit and the refunds as a "D" debit to get a "net" total.
  3. The department is required to utilize Payment Insider to verify all deposits/transactions on a daily basis to retrieve actual payment dates and deposit totals. All departments have been given access to these sites for their respective merchant numbers. Procedures to access these sites can be obtained by contacting the Compliance Specialist in the University Business Office at 8-4674. By using these sites correctly, James Madison University ensures it complies with the Commonwealth of Virginia’s CAPPS manual that states:

    • "There MUST BE A ONE-TO-ONE MATCH between the deposit entry that posts to the Treasurer's bank account and the deposit total reported in Cardinal. The AMOUNTS MUST BE THE SAME regardless of the method of input to Cardinal. DEPOSITS MUST BE SEGREGATED BY TYPE so that different types of deposit activity are not commingled on a deposit form (i.e., cash deposits should be separated from credit card receipts). Each type of deposit activity noted below must be reported on a separate deposit form, using a separate DC number."

.410 Deposit Certificate Sequencing

Deposit Certificate numbers are obtained through the University Business Office. The department should maintain an Excel spreadsheet of these numbers to keep track of the DC numbers used, deposit date, and amount. The department will only use the numbers within their sequence and restart the sequence each July 1. If a department runs out of numbers within their designated sequence within the fiscal year, contact the University Business Office for another set of numbers—do not go past designated numbers or reuse DC numbers.


.500 Deposit Reconciliation

A monthly written reconciliation comparing revenue deposited- to university FIS reports is required. Auxiliary Enterprises accounts (Nos. 3xxxxx) are reconciled by comparing the department's internal records to university monthly FIS reports. Educational and General Accounts (Nos. 1xxxxx) are reconciled by comparing revenue transaction documents to University monthly FIS reports.


.520 Who Should Perform the Reconciliation:

Departments accepting payment cards are responsible for reconciling their FIS Monthly detail reports as described in Financial Procedures Manual Section 3035. The individual responsible for preparing the deposit should not be assigned this responsibility.

.530 Reconciliation Differences:

If differences other than timing differences are encountered, contact the University Business Office to determine the proper adjustment. For transaction research assistance, contact e–commerce@jmu.edu.

 

Back to Top