Cash Receipts

Policy

13-5: Credit and debit card payments

Effective: September 16, 2016
Revised: July 2, 2026
References: Utah Code 63G-6a-2105(3), Utah Code 63G-6a-506(4), Utah Code 63J-1-504, CCPI Checklist, 13-1: Minimum requirements for cash receipts procedures, 13-2: Recording transactions in Vantage Financial, 13-4: Returned checks and debit card chargebacks, 6-8: Write-offs and allowances


Purpose

This policy outlines the requirements for credit and debit card payment systems and the procedures for handling and recording credit and debit card payments and chargebacks. 


Definitions

Agency — Any agency, board, bureau, commission, office, department, or other administrative subunit of the executive and legislative branches of state government.

Chargeback  A credit or debit card payment that is disputed by the cardholder, resulting in a debit (payment is reversed) to the agency’s bank account.

Convenience fees Fees charged by agencies to customers when they make credit card payments over the phone or on an agency’s website. 

Credit card fees — Processing fees charged by the issuing banks, card networks, and processors to cover their costs of handling credit card transactions. These fees are paid by agencies and generally include a flat fee and percentage (discount) of collections or sales.

Credit cardA financial transaction where a cardholder uses a line of credit issued by a financial institution to transfer funds to the state in exchange for goods or services.

DTS — The GovOps Division of Technology Services. 

Debit cardA financial transaction where a cardholder authorizes the immediate electronic transfer of existing funds from their bank account to the state to pay for goods or services.

GovOps — The Department of Government Operations. 

Internet transaction fees — Fees charged to agencies by the state’s e-government internet provider on each internet transaction.

Payment Card Industry Data Security Standard (PCI DSS) — The Payment Card Industry Data Security Standard required by credit card companies to ensure the safe handling of sensitive payment information and safeguarding of cardholder data.

PCI — Payment card industry.

PCI compliance team — The GovOps Division of Finance Payment Card Industry compliance team.

Security breach — An incident where unauthorized individuals gain access to sensitive payment information, such as card numbers, PINs, or CVV codes, usually by stealing data from businesses, hacking networks, or using physical scanners.

State finance — The GovOps Division of Finance.


Policy

A – Agencies must use the state-contracted payment processor

1 – Agencies must use the state-contracted payment processor to process credit and debit card payments. 

2 – Agencies must meet the requirements in section B before establishing a credit and debit card processing system.

B – Agencies must meet requirements to accept credit or debit card payments 

1 – Agencies must get the approval of the PCI compliance team before establishing new credit and debit card payment systems.

1a – To get approval, agencies must complete state finance’s Credit card payments implementation checklist (CCPI) and submit it to the PCI compliance team at [email protected].

2 – Agencies must use the PCI compliance team as their liaison with the contracted payment processor to establish the merchant IDs. 

3 – Agencies must accept all major credit card brands.

4 – Agencies must use PCI solutions approved by DTS and the GovOps Division of Purchasing and General Services.

5– Agencies that accept credit and debit cards on network connected devices must use end-to-end encryption beginning at the credit card’s point of interaction. Any exception must be approved in advance by DTS.

6 – Agencies must establish and maintain internal controls over credit and debit card processing and cardholder data. The internal controls must include the controls in the PCI self-assessment questionnaire applicable to the agency.

6a –  Internal controls are intended to provide reasonable assurance that data is secure and managed in compliance with laws, regulations, and provisions. Failure to secure cardholder data could have serious, negative financial impacts upon the state and its customers.

7 – Agencies are responsible to know merchant IDs, employees with system user IDs, and agency contacts so that state finance can verify the accuracy of its information annually.

8 – State finance and DTS may require an agency to implement security measures above and beyond PCI DSS.

C – Security breaches must be reported

1 – Agencies must immediately contact the DTS chief information security officer and the state finance PCI compliance coordinator if a credit card related incident involving a security breach occurs as the first step of their incident response plan.

D – Agencies must complete and submit self-assessment questionnaires (SAQs)

1 – Agencies must complete and submit PCI Self-Assessment Questionnaires (SAQ) to the PCI compliance team at [email protected] for review and approval annually. Agencies must work with their IT director to complete the SAQ. 

1a – State finance won’t allow agencies to begin accepting credit cards until they’re compliant with PCI DSS as demonstrated in the SAQ.

1b – Agencies who don’t demonstrate PCI DSS compliance may lose credit card processing privileges because noncompliance exposes the state to security risks.

2 – Level 1 and level 2 merchants, as defined by the Payment Card Industry, must submit an Attestation of Compliance (AOC) to the PCI compliance team at [email protected] as required by the SAQs.

E – PCI compliance team must approve changes to the credit card environment

1 – Agencies must notify the PCI compliance team at [email protected] and receive approval from them in writing before modifying  their credit card environment to ensure proper account management. The PCI compliance team is the sole liaison to the processor for all account changes and portal access.

F – Agencies must review fees 

1 – Agencies  must review credit/debit card fees charged by the processor to determine they were charged as specified in the state cooperative contract. These fees must not be charged to the customer.

2 – Agencies may be charged internet transaction fees by the state’s e-government provider for processing online transactions. These fees must not be charged to the customer.

3 – Agencies may only charge customers convenience fees for credit and debit card payments made over the phone or on the agencies’ websites as these are the only approved fees. 

4 – If agencies want to change the amount of a convenience fee or charge a new fee they must:

  • ensure the fee is allowed by the major credit card brands; and 
  • comply with Utah Code 63J-1-504.

4a – If a convenience fee is approved by the Legislature, agencies must coordinate with the PCI compliance team and the processor to charge the fees.

G – Agencies must record credit card payments and fees

1 – Agencies must follow state finance policies 13-1: Minimum requirements for cash receipts procedures and 13-2: Recording transactions in Vantage Financial unless specified otherwise in this policy. 

2 – Agencies must record credit and debit card payments, chargebacks, and fees in Vantage Financial at least monthly. 

3 – Agencies must record credit and debit card payments at the gross amount paid to the agency using a cash receipt (CR) transaction.

4– Agencies must record the amount received, net of convenience fees, with a credit offset in the CR as outlined in state finance policy 13-2-B.

5 – Convenience fees paid by the customers must be recorded in the CR transaction as revenue using revenue source code 2815.

6– Credit card fees, including discounts, must be recorded as an expense in object code 6147 in the CR transaction (a negative amount). These fees must be paid with the agency’s budget.

7– Internet transaction fees must be recorded as an expense in object code 6158 in the CR transaction (a negative amount). These fees must be paid with the agency’s budget.

H – Agencies must record and reconcile card payments and fees

1 – Agencies must reconcile their credit and debit card payments as reported in their cash receipts systems to their bank statements and Vantage Financial monthly.

2 – Agencies must reconcile all fees charged or collected to their bank statements and Vantage Financial monthly. 

3 – Processors must deposit the full customer payment amounts into the agency’s depository bank account and charge credit card fees through separate, clearly identifiable deductions from the agency’s depository bank account. 

3a – If agencies find that processors aren’t charging fees through separate, clearly identifiable transactions, they must contact the processor to get the credit card fees charged as separate transactions. The netting of fees against the deposits isn’t permitted.

4 – Agencies must record and reconcile chargebacks reported in their bank statements to Vantage Financial.

5 – Agencies must recognize credit and debit card payments accepted on or before June 30 as cash receipts collected in the old year regardless of when the deposits are received. They are treated as cash or deposits-in-transit and must not be considered as accounts receivable for fiscal year-end cutoff and reporting.

I – Agencies must record chargebacks

1 –  Agencies must record debit card chargebacks as outlined in state finance policy 13-4: Returned checks and debit card chargebacks section A1. Debit card chargebacks are considered returned checks.

2 –  Agencies must record credit card chargebacks in Vantage Financial at least monthly using a CR. 

2a –  If the original CR referenced an RE, agencies must modify the accounting line(s) in the original CR to reduce the dollar amount by the amount of the chargeback. This CR procedure will automatically reopen the RE.

2b – If the original CR didn’t reference an RE, agencies must modify the accounting line(s) in the original CR to reduce the dollar amount by the amount of the chargeback. They must record an RE for the amount of the chargeback unless the returned check was for goods or services that could be cancelled.

3 – If agencies receive funds back from chargebacks, agencies must record a CR referencing the RE created in 2a or 2b above to close out the RE.  

3a – If agencies don’t receive funds back from chargebacks, agencies must review associated receivables for collectibility following state finance policy 6-8: Write-offs and allowances. 

4 – Agencies that use an approved accounts receivable subsystem must manage chargebacks in their subsystems to achieve the same financial outcome of section H. See state finance policy 6-4: Accounts receivable subsystems.

J – Agencies may respond to chargebacks

1 – Agencies may decide that they won’t dispute chargebacks if they historically haven’t been successful in winning disputes with the processor. 

2 – If agencies choose to dispute chargebacks, they must respond by the processor’s deadline. If agencies miss the deadline, they automatically lose the dispute and the processor won’t reverse the chargebacks.

 3 – Agencies that dispute chargebacks must respond to the state’s credit card processor by submitting all available documentation evidencing that the payment was owed to the state and voluntarily made by the cardholder.