Policy
FIACCT 07-08_00 Revenue - Credit Cards
Effective: October 4, 1999
Revised: September 16, 2016
Purpose
This policy outlines the procedures for agencies to follow to accept credit cards for payment of fees, services, products, etc.
Definitions
Convenience Fees
A separately identified fee charged to customers who pay the State electronically.
Credit Card Fees
Processing fees (charged by the bank) and discount fees (charged by credit card companies) incurred by state agencies for credit card transactions.
Internet Transaction Fees
Fees charged to state agencies by the State’s e-government Internet provider on each Internet transaction.
Payment Card Industry Data Security Standard
The Payment Card Industry (PCI) Data Security Standard required by credit card companies to ensure the safe handling of sensitive payment information and safeguarding of cardholder data.
Policy
A. Agencies currently accepting, or which wish to accept, credit cards for payments must do the following before accepting credit cards as a method of payment:
- Complete the State Division of Finance’s credit card implementation checklist for state agencies. Submit it to the State Division of Finance for review and approval. Division of Finance will ensure proper setup with the State’s approved credit card processor and a State approved Credit Card Company. Finance will work with the credit card processor and coordinate equipment purchases for the State.
- If an agency plans to make changes in its current credit card use as authorized by the Division of Finance or adds a new division that is accepting credit cards, they must notify the State Division of Finance and receive approval in writing prior to proceeding.
- Agencies accepting credit card payments over the Internet must use a PCI compliant e-commerce provider. The agency must ensure the provider is PCI compliant and receive authorization from the Division of Finance prior to completing a contract with the provider. The agency must still work through the Division of Finance and comply with policy statement #4 below.
- Agencies accepting credit card payments that store, process or transmit cardholder data from any acceptance channel (e.g., online, point-of-sale) will comply with the PCI Data Security Standard and with the Department of Technology Services’ (DTS) Payment Card Security policy.
- Agencies that accept credit cards on network connected devices must use end-to-end encryption beginning at the credit card’s point of interaction. Any exception must be approved in advance by the Division of Finance. The Division of Finance must review and approve any solution design.
- Agencies accepting credit card payments must work through the Division of Finance and DTS to establish a PCI compliant environment for credit card acceptance using PCI solutions provided by DTS.
- Agencies will use the applicable PCI self-assessment questionnaire coupled with DTS and State Finance policies to establish and maintain effective internal controls over credit cardholder data. These internal controls provide reasonable assurance that such data is secure and managed in compliance with laws, regulations, and provisions that could have a negative financial impact upon the State, its customers and its citizens.
B. Credit card discounts and fees should be charged to Expenditure Object code 6147 and paid from an agency’s budget.
C. If approved by both the Director of Finance and the Governor’s Office of Planning and Budget, agencies may charge customers a separate convenience fee for payments received by telephone or over the Internet. The rules for assessing a convenience fee are very complex and must be coordinated with the Division of Finance and Chase Bank. Convenience fees should be recorded using Revenue Source Code 2815, Credit Card Convenience Fees.
D. Credit card payments are considered to be cash or deposits in transit for cash reporting at fiscal year-end and should not be treated as accounts receivable for fiscal year-end cutoff and reporting.
E. Agencies are responsible for reconciling their own credit card accounts. This should be done monthly as part of the bank reconciliation.
F. Agencies can view and download monthly charges for credit card fees through Internet access. The monthly credit card fee will be automatically deducted from the agency’s depository account at the beginning of the following month.
G. Agencies may decide which credit cards they will accept; they are not required to accept all credit cards. Once agencies decide which credit cards to accept, they may not restrict or set a preference on which card a customer uses.
H. Agencies may be charged an Internet transaction fee by the state’s e-government provider for processing online transactions. These fees should be charged to Expenditure Object code 6158, Internet Transaction Charges, and will not be charged as a separate fee to the customer.
I. The agency must immediately contact the Division of Finance PCI Compliance Coordinator in the event of a credit card related incident, at the initiation of the agency’s incident response plan.
Background
Many agencies are now accepting credit cards for payments. Historically, agencies negotiated credit card service agreements and discount rates on a department-by-department basis. In 1999, the State entered into a statewide contract for credit card services, which provides a better rate for all state agencies.
The current statewide contracts for processing credit cards and equipment acquisition are with Chase Bank for MasterCard, Visa and Discover Card; a separate contract exists for American Express (AMEX). Paymentech, a division within Chase, provides training to state agencies on processing credit card transactions. Equipment can be purchased or leased. Acquisition of equipment must be coordinated through the State Division of Finance.
Every month, agencies shall reconcile their credit card account between FINET and the bank. Agencies shall record the credit card transactions and fees in FINET at least monthly. Monthly statements for all credit card transactions are available from the credit card companies. Credit card payments should be recorded at the gross amount with any fees or charges separately recorded in the appropriate object code. Agencies will work with the State Division of Finance’s Payment Reconciliation Accountant to determine the types of management reports they need.
Compliance with the PCI Data Security Standard is required by credit card companies to establish a common set of industry tools and measurements to help ensure the safe handling of sensitive payment information and safeguarding of cardholder data. The standard sets a minimum level of security covering areas such as building and maintaining secure networks and application systems; protecting and securing cardholder data when stored, processed and transmitted; implementing strong access control measures; monitoring and testing security systems and processes; and maintaining an information security policy. Due to the State’s low risk tolerance, State Finance and DTS may require an agency to implement security measures above and beyond the PCI Data Security Standard as deemed necessary.
Procedures
Responsibility: Agency
Action:
- Complete and submit the State Division of Finance’s credit card implementation checklist to the State Division of Finance for review and approval.
- Ensure the agency has policies and procedures in place to meet PCI requirements.
- Complete and submit the agency’s Annual PCI Self-Assessment Questionnaire (SAQ) to the State Division of Finance for review and approval.
- Work with the agency’s assigned Department of Technology Services’ IT Director to complete the SAQ.
- Utilize the appropriate SAQ Review & Attestation Worksheet provided by the State Division of Finance to complete the SAQ. Submit the worksheet with the SAQ.
- Note that State Division of Finance will not allow agencies to begin accepting credit cards until compliant with the PCI Standard.
- Level 1 and Level 2 merchants, as defined by the Payment Card Industry, will submit an Attestation of Compliance (AOC) to State Finance after completing the agency Report on Compliance.
- If accepting payments over the Internet, contact the agency’s PCI compliant vendor to implement Internet transaction processing. If an agency desires to use a provider other than Utah Interactive, the agency must obtain written preapproval from the Division of Finance.
- Convenience fees may be charged for payments received by telephone or over the Internet, only if approved by the Division of Finance and the Governor’s Office of Planning and Budget. Convenience fees must be charged in accordance with the credit card company rules, which are included in the Credit Card Checklist issued by the Division of Finance. Record convenience fees in Revenue Source code 2815, Credit Card Convenience Fees.
- Contact the State Division of Finance to set up new credit card merchant numbers and arrange for the purchase or lease of equipment and training.
- Notify the Payment Reconciliation Accountant in the State Division of Finance of the bank account that will be used and what credit cards will be accepted. Work with the Payment Reconciliation Accountant to determine the best way to record credit card receipts for reconciling purposes.
- Follow credit card acceptance policy and procedures. Get staff trained on security measures and begin to accept credit cards.
- Reconcile credit card bank accounts on a monthly basis to the applicable FINET bank code. Resolve reconciling items in a timely manner.
- Charge credit card fees to current expense using Expenditure Object 6147, Credit Card Fees. Record these fees in FINET using a negative number on a Cash Receipt (CR) document. Do not charge these fees to the customer. These fees should be paid from an agency’s budget, or in some circumstances covered by charging a convenience fee.
- Record Internet transaction charges from the state’s e-government provider to Expenditure Object code 6158, Internet Transaction Charges. Do not charge these fees to the customer. These fees should be paid from an agency’s budget, or in some circumstances covered by charging a convenience fee.
- Annually complete and submit the following documents to the State Division of Finance:
  - Appropriate SAQ or AOC
  - SAQ Review & Attestation Worksheet
  - Equipment inventory
  - Policies and procedures relating to the credit card environment
  - Other documents as requested by the State Division of Finance