10. Revenue and Cash Receipts
Issue Date | Procedure | Revised Date | Title |
---|---|---|---|
03/01/1992 | 001 | 11/02/2012 | Revenue Accounting |
03/01/2000 | 002 | 11/01/2012 | Billing for Goods Sold or Services Rendered |
02/07/1991 | 004 | 03/11/2022 | Accepting and Depositing of Cash and Checks |
03/11/2022 | 005 | | Check Deposit Procedures |
03/11/2022 | 006 | | Cash Receipts Security and Controls Procedure |
09/10/2018 | 010 | | USNH Payment Card Data Security |
03/01/1992 | 052 | 11/01/2012 | Restricted Gifts Accounts |
The official version of this information will only be maintained in an on-line web format. Any and all printed copies of this material are dated as of the print date. Please make certain to review the material on-line prior to placing reliance on a dated printed version.
10 - 001 Revenue Accounting
A. SUMMARY OF ADMINISTRATIVE PROCEDURE
This statement defines operating and non-operating revenues. It addresses commonly asked questions on interdepartmental sales, recording receipts as credits to expense, and sales of departmental equipment.
1. Definition of current operating revenue. Within USNH current funds, revenue is defined as any transaction which results in an increase in the current financial resources (i.e., net assets) of USNH as a whole. Operating revenue results from the sale of USNH's primary products and services to a non-USNH entity or from carrying out other activities that support USNH's missions of instruction, research and public service. Examples of operating revenue include all tuition and fees assessed against students, state of New Hampshire general appropriations, gifts, grants, contracts, investment and endowment income, departmental sales and services to external entities, miscellaneous college receipts, and auxiliary enterprise sales. Sources of USNH operating revenues include students, governments, donors, and other public customers. Within auxiliary enterprise funds, sources of revenue are primarily students, faculty and staff; however, incidental sales to the general public and other USNH departments may be included.
2. Designations of revenue:
a. Restricted current fund revenues. These are resources which are available for current operating purposes but whose expenditure is limited by an external source (e.g., donors, government, grantor, etc.) to specific purposes, programs, schools, departments, etc. Restricted revenues, although recorded when earned in accordance with Procedure 10-002, Billing for Goods Sold or Services Rendered, are recognized as revenue in the USNH financial statements only to the extent that such funds are expended, as required by generally accepted accounting principles (GAAP). To accomplish GAAP recognition, USNH requires that all restricted current funds be recorded in Banner funds whose second character is numeric (see Procedure 02-023: USNH Grant Fund Coding Conventions) and that proper Banner account codes be used (see Procedure 02-039: Account Coding Conventions).
Funds with internal restrictions are not classified as restricted current funds because a restriction imposed by the governing board or administration can be removed at their discretion. These funds are properly classified as internally designated funds, a subdivision of unrestricted current funds.
b. Unrestricted current fund revenues. These are resources which are not restricted by external sources and which are expendable for operating purposes. Included are undesignated educational and general, auxiliary enterprise, and internally designated resources. The absence of an external restriction implies that the resource is available for current operations and, therefore, must be recorded in current unrestricted revenues.
c. Other revenues (non-operating) and fund additions. Resources which are restricted by outside persons, agencies (such as on loan funds), endowment and similar funds, or plant funds are accounted for as restricted revenues in the appropriate fund group to which the restriction applies. For example, a donor might state that their gift is to be used for the purchase of library books. The gift would be recorded as a current restricted gift in a restricted gift fund. If, however, the donor stated the gift was to be used for construction of a library, it would be recorded as a restricted gift in plant funds. To take it a step further, a gift received whereby only the income earned on the gift could be spent for purchase of library books would be recorded in endowment and similar funds; the income earned on the gift which is available to spend would be recorded in current restricted funds.
In accordance with GAAP, all gains and losses arising from the sale, collection, or other disposition of investments and other noncash assets are accounted for in the fund which owned such assets. Ordinary income derived from investments, receivables, and the like is accounted for in the fund owning such assets, except for income derived from investments in endowment and similar funds. Income derived from endowment and similar funds is accounted for in the fund to which it is restricted or, if unrestricted, as revenue in unrestricted current funds.
B. DETAILED OPERATING PROCEDURES
1. Offsetting revenue and expenses. Revenue is always recorded at the gross amount, not net of any discounts, etc. For example, tuition, fees and room and board charges are recorded at the gross amount according to Trustee approved rate schedules even though there is no intention of collection directly from the student. Institutional scholarships, staff tuition waivers, etc., are then recorded as expenditures. However, refunds to students as a result of courses dropped during the refund period are recorded as reductions to tuition revenue since these are viewed as corrections of amounts previously recorded as revenue that will not be earned.
2. Recurring interdepartmental sales. Self-supporting departments established primarily to provide goods or services to other USNH departments are generally set up as internally designated or auxiliary funds (Banner funds whose second character is "A" or "D"). Examples include Mail Service, Central Stores and Central Copying. Interdepartmental sales for these operations don't result in an increase to overall net assets of USNH. Accordingly the sales are recorded as reductions of expenses. In this way, all revenue and expense activity in these funds is eliminated from the USNH financial statements and overall USNH expenditures will not be double-counted.
Auxiliary enterprise funds are also used to account for revenues of operations established primarily to furnish goods or services to students, faculty or staff. Often, auxiliaries incidentally service the general public. These sales by auxiliary enterprises are recorded as revenues. The primary source of funding is the key factor. For example, departments may purchase goods from Dining Services, but those sales would be recorded as a reduction of expenses rather than revenue.
3. Recording receipts as credits to expense account codes. Revenue should never be recorded in an expense account code, except in the following instances:
a. Interdepartmental sales by an operating account or department with a Banner Fund in the unrestricted range (second character is "U", "D" or "A") should be recorded as a credit to an expense account code. This is because an interdepartmental sale does not add new dollars to USNH's net assets; it merely increases the net assets of one USNH unit and decreases the net assets of another. When interdepartmental sales are part of the normal operations of the department, the account should usually be established as described in Section B.2 above.
b. Vendor credits and other corrections of expenditure transactions resulting from the overpayment of an employee or a vendor invoice, return of goods, etc., should be recorded as a credit to the expense account code originally charged when the goods or services were bought.
c. Vendor payment discounts received from the timely payment of vendor invoices are properly credited to the expense account code originally used for the purchase.
4. Sales of departmental equipment. Occasionally, departments must sell surplus unused or obsolete equipment originally purchased with departmental funds. Departments should contact Purchasing first to determine the proper property disposition procedure (see Procedure 11-030: Disposal of Surplus Property) and then contact the appropriate campus Property Control contact to adjust the inventory as instructed in the disposal procedure noted above. If the sale is made to another USNH department, the transaction should be recorded on a Banner JV document using PB* and IV* rule codes as needed and reported to the applicable campus Property Control contact via the USNH 11-010F: Equipment Location Form. The department buying the equipment should debit an equipment account code (74*) and the selling department should credit an equipment account code (74*). If the sale is made to an outside party, the transaction will involve the receipt of cash and be recorded via a Banner JV document using a proper CR* rule code. The sale proceeds should normally be credited to the campus' miscellaneous college receipts account. If approved by the campus Chief Financial Officer (CFO), the sale proceeds may be credited directly to an equipment account code thereby utilizing the funds generated from the sale of surplus equipment in the current year budget.
10 - 002 Billing for Goods Sold or Services Rendered
A. SUMMARY OF ADMINISTRATIVE PROCEDURE
This statement defines who has authority to make sales on credit, what rules must be followed, and the responsibility for reconciliations and proper accounting in Banner. This statement DOES NOT apply to tuition billings generated each semester by the campus cashier/bursar.
Authority and responsibility for sales on credit. All sales of goods or services by USNH departments are to be made only upon receipt of cash (i.e., no sales are allowed to be made on credit) unless written approval in advance is received from the campus Chief Financial Officer (CFO). Departments with CFO approval to make credit sales must follow the policies and procedures of the campus Credit and Collections department (unless specifically exempted in writing by the campus CFO) relative to extension of credit, invoice and statement generation and frequency, aging analysis, delinquent account follow-up, and write-off of noncollectable accounts. All accounts receivable resulting from amounts owed by students, governments, employees, contractees, grantees, and other customers must be reconciled to Banner by the responsible account manager on a monthly basis.
B. DETAILED OPERATING PROCEDURES
1. When is revenue recorded? Revenue should be recorded when an exchange has taken place and the earning process is complete. An exchange has taken place when ownership of the goods is transferred to the buyer or when services for the buyer have been fully performed. The earnings process is complete when (a.) all necessary costs to produce the revenue have been incurred and recorded and, (b.) collection of the sales price is reasonably assured by receipt of money or by a promise to pay money at some future date.
a. If all necessary costs to produce the revenue have not yet been incurred, the amount of the cash received is recorded as deferred revenue, in special balance sheet account 212* (deferred revenue and deposits).
b. The collection of the sales price is generally considered to be reasonably assured when an invoice is sent to a customer or when cash is received from a customer, whichever comes first. In accordance with the accrual basis of accounting, revenue is recorded when it is earned, without regard to the time of receipt. (The cash basis of accounting, which is not generally applicable to USNH operations, calls for recording revenue only when cash is received.)
2. Accounting for credit sales transactions. Sales invoices are generally recorded in Banner via an approved campus form (the Charge Sale Invoice Form at UNH, Miscellaneous Charge Form at KSC, and Miscellaneous Deposit Form (MISP) at PSU) immediately upon forwarding the sales invoice to the customer, in accordance with the policies and procedures of the campus Credit and Collections department. The applicable Banner account code is credited (see Procedure 02-040 Banner Revenue Account Code Table, definitions and listings) using a suitable JE* rule code the applicable balance sheet receivable (in the 112* account code range) using an appropriate fund. When the cash is received from the customer, the 112* balance sheet account is credited using a proper CR* rule code.
3. Accounting for uncollectible accounts and billing errors. If accounts receivable must eventually be written off as uncollectible, this is an expense which must be recorded in a suitable expense account code, not as a reduction of revenue. Uncollectible accounts are always recorded as a charge to an expense account code. However, if an error was made billing the student or customer too much for which a subsequent corrected billing entry is made, then this is properly recorded as a reduction of revenue.
10 - 004 Accepting and Depositing of Cash and Checks
A. BACKGROUND
As a public institution, the University System of New Hampshire (USNH) is responsible for the stewardship of funds in its care and for maintaining strong internal controls. This policy provides guidelines and minimum standards for proper receipt and depositing of currency, checks, and other cash equivalents (collectively hereinafter referred to as "cash" or "cash items") to ensure that the assets of USNH are protected, accurately processed, and properly reported.
B. SCOPE
The policy applies to all individuals or departments who receive and deposit cash and cash equivalents and applies to all component institutions of USNH. Unique campus needs may require minor deviations from this policy. Any substantive change must be documented and approved by the campus CFO and the USNH Treasurer’s Office.
1. Bank Accounts. The USNH CFO/Treasurer or designee must pre-approve any banking or credit relationship that is established for the purpose of collecting or depositing USNH funds, uses the USNH name or the name of one of its component institutions, or uses the USNH tax identification number. The USNH Treasurer’s Office should be contacted to assist in developing a banking solution. The Vice Chancellor for Financial Affairs must be a signatory on the account.
2. Timeliness of cash deposits. In order to optimize investment earnings and reduce the possibility of theft and loss, all receipts of checks and currency are to be deposited in a timely manner and in a depository account under the Name and Tax ID of USNH consistent with the detailed procedures in the following documents: Coin and Currency Deposit Procedure; Check Deposit Procedure; Procedure for Depositing Cash or Cash Equivalents via Armored Car Service or police escort (to be developed). Checks and currency totaling $1000 or more must be deposited within 48 hours (two business days) of receipt or once a week whichever comes first. Checks and cash should never be held by a department awaiting accounting information.
Gifts from donors should be promptly delivered to the campus advancement office so the gift can be recorded and acknowledged in a timely manner.
3. Responsibility for safeguarding the receipt of cash items. The Campus CFO or designee(s) is responsible for authorizing and notifying the USNH Treasurer’s Office of any cash collection areas and implementing appropriate internal controls consistent with this policy and the accompanying detailed procedures. Such controls include:
a. Clearly define and document delegated responsibility for cash items from time of receipt to time of deposit. Responsibility for the billing, cash handling, record-keeping and reconciliation functions should be assigned to separate individuals, to the extent possible and will include the central Financial Operations Center (FOC) as appropriate.
b. Open and process mail on a timely basis and in the presence of coworkers, if possible. Maintain a log of all cash items received. A documented audit trail must exist at each point where the responsibility for the funds is transferred to another individual.
c. Endorse checks immediately upon receipt using an endorsement stamp approved by the USNH Treasurer’s Office (if available).
Accepting 2 party checks for payment is allowed when:
1. 2 party checks made payable to the University System, or a third party may be deposited (scholarship checks).
2. The University will only accept checks made payable to the University and a third party after the third party has endorsed the check. The University will not endorse a check prior to the other payee(s) without CFO approval.
Accepting third party checks for payment is allowed when the original payee has re-endorsed the check payable to USNH as provided for under UCC Article 3 and the:
1. Check is issued by (Student Refund 3rd party) made payable to a USNH student.
2. Check is a business check issued by an awarding scholarship organization made payable to a USNH student.
3. Check is made payable to a third party with whom the University has merged or acquired or is a USNH Campus or Department using a Doing Business As (DBA) name.
d. Provide security over cash items awaiting deposit through the use of locked safes, strong boxes, or file cabinets. Cash items should never be left in or on desks or unattended at any time. Dual controls over cash are strongly encouraged and preferred to protect both USNH and the employees handling cash.
e. Do not commingle cash receipts with any other personal or business cash funds and do not reduce cash receipts by amounts needed for petty cash transactions. Use standard campus deposit forms.
f. In general large cash receipts should be discouraged, and an alternative non-cash method of payment should be requested. However, if received, cash transactions of more than $10,000 from one individual/entity (in one transaction or in two or more related transactions over a 12 month period) must be reported to the IRS by each campus and a statement furnished to the payer. For purposes of this paragraph, cash is defined as coins and currency of the U.S. or any other country, cashier's checks, bank drafts, travelers checks or money orders. The individual campus SFS offices are responsible for developing procedures to identify, track and report cash payments to comply with IRS requirements.
g. Checks deposited using remote deposit devices must be kept in a locked safe. After 45 days from the date of the deposit, checks must be destroyed using cross-cut shredding or an approved shredding/disposal service for paper documents. See 10-005 Check Deposit Procedures, C. Remote Scanning Procedures.
h. Cash receipts and deposits are subject to periodic surprise audits by USNH management and internal and external auditors.
This policy provides minimum requirements for processing cash and cash equivalent deposits. An individual campus may institute additional or more stringent requirements.
Related Procedures, Forms and Resources:
10-005 Check Deposit Procedures
10-006 Cash Receipts Security and Controls Procedure
Contacts:
Accounts Receivable: foc.ns.billing@usnh.edu
USNH Treasury: usnh.treasury@usnh.edu
General Accounting: foc.accounting@usnh.edu
Policy Owner: USNH Treasurer's Office
10 - 005 Check Deposit Procedures
A. ENDORSEMENT PROCEDURES
In general, checks must be endorsed the same as what is written on the Payee Line of the check (i.e. checks made payable to Keene State College, Plymouth State University, Granite State College, or University of New Hampshire must be endorsed as such). A check made out to any component institution may be deposited with a USNH endorsement stamp. Similarly, a check made out to USNH may be deposited by a component institution.
B. CHECK REQUIREMENTS
1. All checks must be endorsed and logged as soon as possible after receipt. Deposit stamp example (including checks deposited via Desktop Scanner):
FOR DEPOSIT ONLY
CITIZENS BANK
ABC XYZ CO
ACCT 123456789
2. Checks made payable to a 3rd party may only be signed over to USNH if they were issued by USNH (i.e. student refund checks).
3. Checks made payable to a 3rd party and USNH must be endorsed by the 3rd party prior to USNH endorsing and must be deposited in a USNH bank account.
4. Checks missing the signature of the issuer cannot be deposited.
5. Changes to the front of the check (i.e. amount, payee name, date, etc.) may only be made by the issuer of the check using a single line to cross out any incorrect information and must be initialed by the issuer.
6. In the event of a discrepancy in amounts between the convenience box (###’s) and legal (written) amount, the check must be deposited for the legal amount.
C. REMOTE SCANNING PROCEDURES
Approved Scanners: EC Series Scanners (RDM Corp); Epson CaptureOne (Epson Corp); VisionX Video and Documentation (Panini Corp); CheXpress CX30 or TellerScan TS240 (Digital Check Corp).
* USNH does not allow checks to be scanned via a Mobile Option (i.e. Smartphone App).
In addition to limitations on depositing checks as indicated in the Check Requirements section above, items ineligible for remote deposit also include:
1. Checks drawn on a foreign bank (includes Canadian checks).
2. Checks drawn on a domestic bank in a foreign currency.
3. Checks made payable to both USNH and a 3rd party.
4. Checks more than 6 months old.
5. Travelers checks, money orders, and postal money orders.
6. Duplication of deposits is prohibited (either in its paper-based form or in a digital form within another Deposit File) unless Citizens has notified USNH that an item has been rejected or returned.
* Items ineligible for desktop scanning must be deposited at a local bank branch.
D. CHECK STORAGE AND DESTRUCTION PROCEDURES
1. All checks must be stored in an access controlled secure fireproof location.
2. Remotely deposited checks should be stored according to policy guidelines.
3. When destroying Items, an appropriate method of destruction must be used that will result in the paper-based item being unable to be processed and all sensitive personal and financial information undecipherable. Acceptable destruction methods include: cross-cut shred, pulp, or incinerate.
Related Procedures, Forms and Resources
10-004 Accepting and Depositing of Cash and Checks
10-006 Cash Receipts Security and Control Procedure
Contacts
Accounts Receivable: foc.ns.billing@usnh.edu
USNH Treasury: usnh.treasury@usnh.edu
General Accounting: foc.accounting@usnh.edu
Policy Owner: USNH Director of Treasury
10 - 006 Cash Receipts Security and Controls Procedure
A. INTRODUCTION 1
There are a limited number of departments (or locations) at USNH that are authorized to accept cash and/or other items. Any cash and/or other item collection department (or location) must be approved in writing (i.e. an e-mail) by one of the following: Campus CFO or designee(s). Treasury will keep a record of these locations (Exhibit A Departments Authorized to Accept Cash/Coin/Check) and indicate if they are a Central Designated Location.
These departments (or locations) are required to safely store, properly record, and promptly deposit all cash items into an approved USNH (UNH, USNH, KSC, PSU or GSC) bank account(s) in accordance with applicable USNH or campus policies and procedures.
Campus locations may, and are encouraged to, create more detailed procedures that meet their unique circumstance. However, these local procedures may not be any less restrictive than what is in this University System Cash Receipts Procedure.
Control Point: Campuses must provide list of areas accepting cash/coin/checks to Treasury to include in a database once a year and as changes are made. Campus CFOs should evaluate the maximum amount of cash at hand at any given point during events and activities.
B. ACCEPTING CASH
Locations that accept cash should have a secure area to receive and process funds. For high volume locations, cash registers with locking drawers and POS Systems should be used in lieu of cash boxes/change drawers when possible and should be in view of a camera. Locations accepting cash without these controls in place must obtain prior written approval from the campus CFO or their qualified financial designee. When these controls are not able to be in place, two people should be present, when possible, during use of the cash drawer.
At all times when cash is counted, two people must confirm the amount of cash as described below. Opening the Registers: Verify the starting balance of cash is that of standard practice of the location. This must be confirmed in the presence of a 2nd person and documented both with the names written and signatures/initials of each person.
1. Cash pickups during the day: Dependent on the volume of cash in the register, cash collections may be done during business hours to reduce register balances. Excess funds, as determined by the campus CFO, must be brought to a secure area within the facility. Cash counts must be done by both the teller and the person picking up the cash. A receipt (Exhibit B Chain of Custody Form) must be given to the teller at the time of transfer for use in day end reconciliation. A POS System may be able to record these pickups.
2. A three-part pre-numbered receipt or an approved point-of-sale/cashiering system must be generated and given to customers for all cash sales.
3. Change exchanged between cashier and safe must have dual control and both parties must complete change request form. (Exhibit C Cash Change Form)
4. Closing the Register or Cash Drawer: Indicate the amount of cash in the drawer at the time of closing. This amount must match the total of (1) the opening balance, plus (2) sales during the day from the POS or other system record, minus (3) noncash sales, minus (4) the amount of any cash pickups completed during the day. Drawer amounts should then be brought back to the starting balance and the drawer secured in a safe or other secure location for use with the next cashier / next day. The starting cash should be counted the next morning and confirmed to be correct.
5. Funds to Deposit: Funds in excess of the starting balance must be brought to a secure central location (for example, the designated ‘Cash Room’). The funds must be counted and tied out to a printout/receipt from a System of Record (POS system, inventory record) when available in the presence of whoever was responsible for those funds. If funds placed in a drop box total $1000 or more, additional controls (camera and/or alarm) must be in place. Bringing Funds to a Central location for bank deposit: Once a final count of the cash has been completed, cash/coin must be placed in a clear disposable deposit bag and a deposit slip indicating the amount of the deposit included. The bag should then be sealed and secured for transport to the bank. The Chain of Custody document, which carries dual deposit signatures and includes FOAPALs to record the funds to the GL, must be attached to the Deposit Bag. Ordering the disposable deposit bags must be coordinated through the USNH Treasurer’s Office.
6. Each deposit requires (1) a Chain of Custody Form, (2) a Deposit Form (Exhibit D-UNH, Exhibit D-PSU, Exhibit D-KSC), and (3) Tamper Evident Disposable Deposit Bag (Exhibit E) with a Unique Serial Number. Disposable bag adhesive strip to be attached to chain of custody.
Control Point: Chain of Custody Document - Except for funds deposited to a drop box and totaling less than $1000, funds must not be given to another employee without a signed Chain of Custody included with the funds and a copy of such document or receipt provided to the employee who surrendered control of the funds. The department surrendering control of the deposit to either the bank or Armored Carrier is responsible for keeping this documentation.
* If there are any discrepancies at time of a custody change or when comparing cash receipts to the System of Record, they must be immediately reported and investigated.
C. TRAINING
All employees accepting Cash/Coin/Checks must complete training including reading and acknowledgment of this procedure and any other required training including an annual refresher training thereafter. The manager and backup person must be provided to Treasury as part of Exhibit A and whenever there is a change in authorized personnel.
Control Point: The Manager of each business unit is responsible for ensuring these trainings take place and retaining appropriate documentation. The initial training and subsequent annual training should be documented and submitted to the head of the department or CFO (or CFO designee), whoever is responsible for making sure cash controls are followed.
D. STORAGE OF CASH/COIN
Cash, checks, and receipts are kept in a lockable container, such as a cash box/safe, and ideally stored in an area that is not visible to unauthorized personnel. Adequate security controls over the lock box/safe must be maintained at all times, including changing security controls at least annually, terminating access when an employee leaves or changes positions, etc. However, in unique situations where cash, checks and receipts are stored in an open area that is visible, the cash box/safe is under continuous video surveillance. In either case, unsecured cash boxes and safes are not left unattended during the working day. At night, all funds and cash boxes are kept in a secured (locked) storage area, such as a lockable file cabinet, closet or safe.
E. CENTRAL DESIGNATED CASH COLLECTION LOCATIONS (CASH ROOMS)
Cash Rooms are secure areas not accessible to the general public and include 1 location at KSC; 1 location at PSU; 1 location at GSC; 4 locations at UNH. These locations must be under continuous video surveillance and have panic alarms. The creation of any additional cash rooms must be approved by campus CFO and USNH Treasurer’s Office.
F. TRANSPORTATION/BANK DEPOSITS
Deposit balances in excess of $1000 must be brought to an approved Central Designated Location every day. Deposit balances below this amount may be brought to a Central Designated Location once per week. Cash Rooms must make deposits in accordance with the policy or on a preapproved police escorted schedule. In no case may these scheduled pickups be less than once per week.
All cash transfers in excess of $1000 that take place in a non-secure public area must have a public safety employee present for the transfer. This includes both transfers to other buildings on campus or to the bank.
If a deposit bag is destroyed for any reason, the reason for destruction must be noted in the same documentation of deposits.
Exhibit A List of authorized departments to accept cash (under development)
Exhibit B Chain of Custody Form
Exhibit D Deposit Form-UNH | Deposit Form-PSU | Deposit Form-KSC
Exhibit E Tamper Evident Disposable Deposit Bag
Related Procedures, Forms and Resources
10-004 Accepting and Depositing of Cash and Checks
10-005 Check Deposit Procedures
Contacts
Accounts Receivable: foc.ns.billing@usnh.edu
USNH Treasury: usnh.treasury@usnh.edu
General Accounting: foc.accounting@usnh.edu
Policy Owner: USNH Director of Treasury
1 This procedure excludes Petty Cash Funds. Please refer to 04-001 Petty Cash Funds Policy.
10 - 010 USNH Payment Card Data Security
A. SUMMARY OF ADMINISTRATIVE PROCEDURE
1. Purpose. The purpose is to establish procedures that will minimize risk and provide the greatest value, security, and service to each component institution of the University System of New Hampshire (USNH) within the rules, regulations and guidelines established by the Payment Card Industry Data Security Standard (PCI DSS). This procedure addresses the standards that are contractually imposed by the major payment card brands on merchants that accept these cards as forms of payment. The policy covers the following specific areas contained in the PCI standards related to cardholder data (CHD[1]): processing, transmitting, storing, and disposing of CHD.
2. Scope. These procedures apply to any person using USNH’s systems and networks involved with payment card handling. This includes processing, transmitting, storing and disposing of CHD at USNH, and use of any third party system that could impact the security of CHD at USNH. In addition, institutions must comply with USNH Information Technology Security Policy USY VI.F.5.
3. Authority. The PCI DSS is a set of requirements created and agreed upon by the five major payment card brands: American Express, Discover, the Japanese Credit Bureau (JCB), MasterCard and VISA. These security requirements apply to all transactions surrounding the payment card industry. Electronic and paper transactions are covered by this standard. The requirements apply to any organization involved with handling CHD. The card brands apply terms in the merchant agreement to enforce these standards. USNH requires that all campus organizations and departments handling payment card data:
a. Adhere to all applicable PCI DSS administrative, technical, and reporting requirements;
b. Have pertinent local practices, procedures and documentation in place to ensure compliance with PCI standards; and
c. Provide training for the employees and others that handle CHD.
4. Revision. These procedures may be updated at any time by USNH Financial Services and should be reviewed annually by campus Merchant Departments for changes, in accordance with PCI DSS.
5. Definitions
a. Attestation of Compliance (AOC) - A document that is completed along with a Self-Assessment Questionnaire (SAQ), as a declaration of the merchant’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS). This summary document may be safely shared outside of USNH with third parties with a legitimate business reason to know.
b. Campus Finance/Administration Office – Responsible for approving all requests for acceptance of payment cards.
i. For UNH this is the Vice President for Financial Affairs Office (VPFA)
ii. For PSU this is the Financial Services Office
iii. For KSC this is the Finance & Planning Office
iv. For GSC this is Student Accounts Department
c. Cardholder Data (CHD) – Those elements of payment card information that are required to be protected. These elements are:
i. the Primary Account Number (PAN), or
ii. the PAN in conjunction with:
- Cardholder name
- Expiration Date
- Service code
d. Merchant Department – Any department or unit which has been approved by the Campus Finance/Administration Office to accept payment cards (Visa, Master Card, American Express, Discover) and has been assigned a Merchant Identification number (MID).
e. Merchant Department Responsible Person (MDRP) – An individual within the department who has primary authority and responsibility for payment card transactions and ensuring compliance with PCI DSS.
f. Payment Card Industry Data Security Standards (PCI DSS) - The security requirements defined by the Payment Card Industry Security Standards Council and the 5 major Payment Card Brands.
g. Self-Assessment Questionnaire (SAQ) - A reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
h. Service Code – The three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. This data is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.
i. Service Provider - A business entity other than a payment brand directly involved in the processing, storage, or transmission of CHD on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data.
B. DETAILED OPERATING PROCEDURES
1. Payment Card Acceptance and Handling
a. In the course of doing business at any USNH institution, it may be deemed advantageous for a department or other unit to accept payment cards for purchases of USNH goods and/or services. These transactions may include receipt of donations, payment for credit and non-credit courses, conference fees, ticket sales and other approved institutional products and services. Approval of a new merchant account for the purpose of accepting payment cards is done on a case-by-case basis. Each Campus Finance/Administration Office determines where to charge any fees associated with the acceptance of payment cards by its units.
b. Departments or units that want to begin accepting payment cards as payment for sales of goods or services rendered should contact their respective Campus Finance/Administration Office to begin this approval process. Steps include:
i. Completion of an Application to Accept Payment Card
ii. Completion of PCI-DSS and Best Practices Guide training, and
iii. Submitting the completed application to the Campus Finance/Administration Office for approval.
c. The Campus Finance/Administration Office submits the approved application to USNH Treasury at usnh.pci@usnh.edu to initiate setup of the MID with the USNH Merchant Bank and obtain an AMEX ID if applicable.
d. Any department accepting payment cards on behalf of a ̾Ƶ institution or affiliated organization must designate an individual within the department who will have primary authority and responsibility for payment card transactions. This individual is referred to as the Merchant Department Responsible Person or MDRP. The department must also specify a back-up, or person of secondary responsibility, should matters arise when the MDRP is unavailable.
e. Once the MID is obtained from the bank, the USNH merchant bank relationship manager will guide the MDRP through the process until the location is up and running. Please allow five to seven business days for a new setup.
f. Requests to obtain or replace point of sale terminals for existing locations must be made to your Campus Finance/Administration Office. Once approved, the equipment can be purchased and USNH’s merchant bank relationship manager can be contacted.
g. Each MDRP may directly contact the USNH merchant bank relationship manager for questions related to maintenance of existing terminals and terminal settings. Current contact information can be obtained from the Campus Finance/Administration Office or USNH Accounting Services.
h. Specific details regarding transaction handling and required reconciliation for each merchant location will depend upon the method of payment card acceptance and type of merchant account used. Detailed instructions will be provided by the merchant bank when any new account is established.
i. Merchant Departments accepting payment cards over the internet must post a copy of the “USNH Privacy Policy” and a refund policy on their web site. A Technical contact is required for all online card collection sites.
j. When purchasing new services or equipment to handle payment card transactions, the MDRP must obtain proof of PCI compliance from the service provider or the equipment vendor. New web applications that accept credit card payments on USNH’s behalf must be approved by the Campus IT Security Officer. The vendor must:
i. be PCI compliant,
ii. provide an AOC,
iii. be approved before the contract can be signed, and the contract must include specific PCI language.
k. When renewing existing agreements, the MDRP should make every effort to negotiate the PCI compliance requirements in B.1.j. above if not already in place. If already in place MDRP must maintain that same level of PCI compliance.
l. Any new or renewal of service agreement must comply defined by with .
m. Each merchant location should record their payment card revenue in the USNH Financial System on a daily basis, unless other arrangements are made with USNH Accounting Services. Payment card merchants should contact USNH Accounting Services with any questions in this regard.
2. Payment Card Data Security Procedures.
All procedures for processing payment card transactions and handling of related data must be documented by authorized departments and be available for periodic review. Departments must have the following components in their procedures and ensure that these components are maintained on an ongoing basis.
a. Access to CHD must be restricted to only those users who need the data to perform their jobs. Each such user is subject to a background check as described in policy and related campus specific procedures, prior to being given access to CHD. Each merchant department must maintain a current list of all users (employees, volunteers, contractors, etc.) with access to CHD and review the list quarterly to ensure that the list reflects the most current access needed and granted. For systems requiring login, this list must be a system-generated listing of users.
b. CHD, whether collected on paper or electronically, must be protected against unauthorized access at all times.
c. All equipment used to collect CHD must be secured against unauthorized use or tampering in accordance with the PCI DSS.
d. Physical security controls must be in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or file cabinets that store the equipment, documents or electronic files containing CHD.
i. A process for regular inspections of devices must be documented at the merchant level. A PCI DSS Compliance log must be maintained and validation entered for the specific device. Each inspection should include:
- Verifying the serial number
- Inspecting the device to ensure that all anti-tampering labels are intact
- Inspecting the device to ensure that no obvious modifications have been made to the device.
ii. Employees are not permitted to change or switch out any transmission wiring without approval from the MDRP or designated IT Support personnel. The only parties who may modify or move wiring are paid vendors with written permission, or a campus employee with written permission from his/her campus IT or Finance/Administration management. Each card acceptance location should ensure that their employees:
- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
- Do not install, replace, or return devices without verification.
- Are aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
- Report suspicious behavior and indications of device tampering or substitution to MDRP and Department management.
- Do not use any devices where suspicion exists that substitution or tampering has occurred.
e. Unencrypted electronic communication methods such as email, instant messaging, chat, SMS, etc. must not be used to transmit CHD or personal payment information, or be accepted as a method to supply such information. Each merchant department must include the proper method to handle and respond to emails or other unsecure communications sent by customers and containing CHD in their departmental PCI DSS procedure. In the event this does occur, handling the received CHD as outlined in section B.2.j below is critical. Also see item 6.) in the Best Practices Guide for additional information in this regard.
f. It is best not to use fax machines to transmit payment card information to a merchant department. If a fax must be used, MDRP must ensure the device is a stand-alone machine using plain paper type and located in a secure location to prevent unauthorized access. Never use Multi-function/multi user devices to transmit or receive payment card information.
g. No database, electronic files, other electronic repositories of information, or paper forms may store the card-validation code (aka CVV or CVC) after authorization regardless of the success or failure of the payment.
h. The full contents of any track from the magnetic stripe on the back of a payment card must never be stored.
i. Portable electronic media devices or shared file repositories should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants and portable external hard drives.
j. CHD should not be retained any longer than required to authorize the transaction, and must be immediately deleted or destroyed following authorization. Access to cardholder data is restricted to those with a business “need to know”, and each person with access to cardholder data must have a unique ID and password.
i. A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no CHD is kept after authorization. Any access of CHD must be logged with the date and time, along with the identity of the employee accessing the secured data and customer contact information in the case of loss (to notify the customer).
ii. CHD must be disposed of in a manner that renders all data unrecoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, and USB storage devices. (Before disposal or repurposing, computer drives should be sanitized in accordance with applicable institutional electronic data disposal policies.)
iii. Approved disposal methods per the PCI DSS v3.2 are:
- Cross-Cut shredding, incineration, pulping, or using an approved shredding/disposal service for paper documents
- Wiping and/or physical destruction of electronic media in a manner that renders it unrecoverable.
k. All work computers of employees authorized to handle CHD and shared workstations related to merchant operations must be scanned with the USNH authorized scanning tool on a regular basis to ensure no CHD is stored on those computers, in case of accident, negligence, or other reasons.
l. All CHD security lapses must be logged and resolved by the MDRP. CHD security lapses are defined as cases where employees did not follow USNH procedures, but which did not result in a security breach. A CHD security lapse may be grounds for disciplinary action including termination.
m. USNH Purchasing Card data and bank account information should be protected the same way payment card data is protected. Related procedures should be documented by each department and include the above components, particularly as it relates to storage and disposal of CHD.
3. Service Provider Relationships
Merchants and their service providers must have a documented and consistent level of understanding about their applicable PCI DSS responsibilities.
a. USNH Merchants that utilize a service provider for payment processing, transmission or storage must obtain a written agreement from such provider stating that the named provider is responsible for the protection and security of any CHD that the provider possesses, stores, processes, or transmits on behalf of USNH, or any CHD that they could impact the security of. This should be done for all new contracts and to the extent negotiable with any contract renewals.
b. The written agreement must specify the PCI DSS requirements for which the service provider is responsible and those for which the USNH Merchant is responsible. This documentation should be obtained for all new contracts and any contract renewals.
c. MDRP must communicate the PCI requirements for which the merchant department is responsible to all persons (staff, contractors, temporary employees, volunteers, etc.) that will be involved with payment handling in any way.
d. Proof of a Service Provider’s PCI DSS compliance must be provided to USNH Accounting Services on an annual basis. Acceptable types of proof are limited to the following (in order of preference):
i. A signed Attestation of Compliance (AOC) that has been properly completed and is less than twelve months old.
ii. Alternatively, USNH may accept their status as it appears on the Visa Global Service Provider Listing.
iii. Service Providers who are eligible to self-assess should provide an AOC signed by an executive of the vendor, dated within the last twelve months, and based on the results of a completed Self-Assessment Questionnaire. This SAQ should ideally be supported by a Qualified Security Assessor (QSA as defined in the PCI DSS) signature, but this is not specifically required.
iv. USNH may also accept documents deemed appropriate by legal counsel in limited instances.
4. Failure to Meet the Requirements of USNH Policy and Procedures.
Departments and merchants have a responsibility to follow all applicable USNH Policies and Procedures.
a. Failure to meet the requirements outlined in this procedure will result in suspension of the physical and, if appropriate, electronic payment capability for affected units. Additionally, if appropriate, any fines and penalties which may be imposed by the affected payment card brand(s) will be the responsibility of the impacted unit.
b. Individuals who fail to meet the requirements outlined in this procedure will be subject to disciplinary action including termination under policy and related campus specific procedures.
5. Responding to a Security Breach.
In the event of a breach or suspected breach of security, the department or unit must immediately execute each of the relevant steps outlined below in addition to following applicable local institutional or departmental incident management procedures:
a. Contact the USNH IT Security Office and the institutional IT or Information Security office for proper direction related to preservation of electronic data. The steps should include:
i. Disconnecting the impacted device(s) from all networks. To disconnect a device from the network, simply unplug the Ethernet (network) cable. If the device uses a wireless connection, simply disconnect it from the wireless network. For devices connected via an analog telephone line, simply unplug the phone line.
ii. DO NOT turn the device off or reboot. Leave the device powered on and disconnected from the network.
iii. Prevent any further access to or alteration of the compromised system(s) (i.e., do not log on to the machine and/or change passwords; do not run a virus scan). In short, leave the system(s) alone, disconnected from the network, and wait to hear from the IT security office.
b. Document every action taken from the point of suspected breach forward, preserving any logs or electronic evidence available. Include the following in the documentation:
i. Date and time
ii. Action taken
iii. Location
iv. Person performing action
v. Person performing documentation
vi. All personnel involved
c. Notify the department’s MDRP, the Dean, Director or Department Head of the unit experiencing the breach, and the campus Finance/Administration office of the breach circumstances.
d. The Campus Finance/Administration Office must relay all such communications to the USNH Treasurer, USNH General Counsel and USNH Internal Audit.
e. Once a full determination of the scope of a breach is made, the Campus IT Security Officer and USNH Treasurer will be responsible for notifying USNH executive management, banking representatives, and any other parties as appropriate.
f. A suspected breach may also be reported to USNH by the processing bank or an outside party. In that case, USNH will notify the campus merchant involved in the suspected breach and the relevant steps outlined above should be executed.
g. A detailed incident response plan will be completed and maintained by the USNH IT Security Officer. This incident response plan shall be in accordance with the parameters set forth by the card brands.
6. PCI DSS Information Technology (IT) Policy. Each USNH Institution must document its PCI DSS Information Technology policies and procedures. This may be accomplished by using templates provided by USNH’s merchant bank and/or consulting partners if desired.
7. User Change(s) at Merchant Location(s). Merchants must notify their MDRP of any changes of personnel involved in payment card processing. This includes any new hires, personnel who have been assigned new duties that include payment card handling and/or settlement duties, as well as changes in volunteers and contractors with access to CHD. This also includes employees, volunteers or contractors that have left their position and are no longer involved in payment card handling. Each Campus Finance/Administration Office should determine the manner in which these notifications will occur. The User Change Form is provided as a model to use in reporting these changes to the MDRP.
8. User Statement of Understanding. Persons (i.e. employees, volunteers, and contractors) who handle CHD as part of their employment or other activity at USNH must fill out and sign the related User Statement of Understanding Form or a similar acknowledgement as defined by their Campus Finance/Administration Office. The MDRP must ensure completeness of these filings at all times.
9. PCI DSS Annual Merchant Questionnaire. At least annually, each payment card merchant must (1) complete a current PCI DSS (SAQ), (2) participate in periodic vulnerability scans if required by the SAQ, and (3) take necessary action to be able to attest compliance to the current PCI DSS. After review by the QSA, the Campus Finance/Administration Office is responsible for uploading these documents to the USNH merchant bank portal upon completion.
10. Any merchant location which is not PCI DSS compliant could be assessed a $25 fee by the current USNH merchant bank every month they are non-compliant. A different fee may also be assessed for non-compliance for locations approved to use providers other than the main USNH merchant bank. Campus senior leadership must be notified of any non-compliance status and resulting fees.
11. In coordination with the MDRP, any merchant that remains non-compliant for six consecutive months may be required to stop collecting payments via payment card by USNH or USNH’s merchant bank. USNH Accounting Services will notify the Campus Finance/Administration Office when a merchant is suspended from collecting payments due to non-compliance.
12. Best Practices. The USNH QSA provides regular guidance on best practices for USNH institutions to incorporate into merchant procedures to better understand and comply with the requirements of the standards. All USNH organizations that are subject to PCI DSS are expected to follow these best practices.
[1] See section A.5.c for a description of items included in cardholder data.
10 - 052 Restricted Gift Accounts
A. SUMMARY OF ADMINISTRATIVE PROCEDURE
This statement establishes minimum amounts for creating separate accounts upon receipt of restricted endowment gifts and restricted current-use gifts.
1. Gifts to endowed funds. USNH requires a minimum of $25,000 to establish a new endowed fund under normal circumstances. (Campuses may be more restrictive by requiring a higher minimum.) Exceptions to this rule may be made only by the Campus President with the USNH Treasurer based on such factors as the promise of future additions to the fund or other subjective considerations. Once an endowed fund has been established, gifts of any size may be added to it at any time.
2. Restricted current-use gifts of $500 or more for which a Banner fund does not presently exist. USNH requires a minimum of $500 to establish a new restricted current-use gift fund in Banner under normal circumstances. Exceptions to this rule may be made only by the USNH Controller based on such factors as the promise of future gifts with the same restriction, the nature of the restriction, and other subjective considerations. Each specific restriction for which gifts have been accepted is set up in Banner as a separate fund. The restriction terms should be delineated in the document text field of the fund creation request to allow for appropriate stewardship over the restricted resources.
3. Restricted current-use gifts of less than $500 for which a Banner fund does not presently exist. Restricted current gifts of less than $500 for which a separate fund has not yet been established in Banner will be recorded in "generic" restricted current funds in the Banner system established for each major department/division/college. Campus management will be responsible for fulfilling USNH fiduciary stewardship responsibilities through use of manual subsidiary records maintained and reconciled by Campus Business Office or UNH Business Service Center staff to faithfully fulfill USNH's responsibility to donors to spend the restricted gift proceeds in accordance with the terms accepted by USNH.
4. Restricted current-use gifts for which a Banner account already exists. Once a restricted current-use gift fund has been established, gifts of any size may be added to it, as LONG AS THE PURPOSE DEFINED BY THE DONOR IS IDENTICAL TO THE RESTRICTED PURPOSE SPECIFIED BY THE INITIAL FUND CREATION REQUEST. Investment earnings will not be credited to unused balances of restricted current gifts under normal circumstances. Rare exceptions to this rule may be made only by the USNH Treasurer.