OREGON MILITARY DEPARTMENT / NUMBER: AGC 248.015
FINANCIAL ADMINISTRATION DIVISION / EFFECTIVE DATE: 1 April 2014
SUBJECT: Credit Card Acceptance for Payment

1.  APPLICABILITY: This policy applies to all Oregon Military Department (OMD) personnel accountable for acceptance of credit card payments.

2.  AUTHORITY/REFERENCE: OAM 10.35.00 (Credit Card Acceptance for Payment);

OST Cash management Policy 02 18 13.PO (Data Security);

ORS 646A.200 – 646A.214

3. ATTACHMENTS: Attachment A: Incident Response Form

4.  PURPOSE: Internal Control

5. POLICY/PROCEDURES:

1.  The AGC Director of Financial Administration is responsible for establishment of internal controls and safeguards to:

a)  Provide reasonable assurance that all credit card transactions are properly authorized, timely settled and accurately and completely recorded;

b)  Reduce the risk of unauthorized access and monitor for errors, both unintentional and intentional, including fraud;

c)  Protect the security, confidentiality and integrity of cardholder information;

d)  Comply with notification requirements in the event of a security breach.

2.  Supervisors of employees involved in accepting and processing credit card payments are responsible for:

a)  Ensuring that the requirements set forth in this policy are understood and followed by their employees;

b)  Ensuring that cardholder information is not used, disclosed or disseminated except for the purpose of processing the associated financial transactions;

c)  Providing the AGC Controller a roster of authorized personnel (operators) who may accept credit card payments. The roster shall include each operator’s full name, rank (if applicable), job duty title, telephone number and email address.

3.  Divisions within OMD with a business need for point of sale (POS) terminals must first request permission from the AGC Director of Financial Administration. AGC is responsible for establishment of POS terminals.

4.  Procedures:

Personnel authorized to accept credit card payments shall follow these basic security standards:

·  Do not process, transmit or store credit card data on the agency network.

·  Use only Office of the State Treasurer (OST) approved payment processing services and equipment.

·  Electronic or hardcopy paper files containing full credit card numbers (database, spreadsheet, word processor, image, etc.) are prohibited.

·  Access to POS terminals must be limited to employees required by job function and included in the personnel roster (paragraph 2).

·  POS terminals must be programmed to truncate card numbers on both merchant and customer copies of transaction receipts.

·  Do not send complete credit card numbers using email or fax.

Personnel authorized to accept credit card payments shall follow these control requirements for POS transactions:

·  Before swiping the customer’s credit card through the POS terminal, verify that the card expiration date has not passed. Expired credit cards must not be accepted for payment.

·  Ensure that the dollar amount charged to the card is fixed by the transaction. No cash refund or credit may be issued in conjunction with the purchase transaction.

·  If the authorization network approves the transaction, ask the customer to sign the sales receipt and then compare the customer’s signature with the signature on the back panel of the credit card. Unsigned cards must not be accepted.

·  Compare the name and account number on the credit card with the name and last four digits of the account number on the printed receipt.

·  If the credit card’s magnetic stripe cannot be read and a manual transaction is generated with the cardholder’s information key-entered, the operator shall:

  -  Make a physical imprint of the card using a manual imprinter;

  -  Record the transaction type (sale, credit/refund, etc.);

  -  Record the transaction date;

  -  Record the total transaction amount;

  -  Obtain the cardholder’s signature on the imprinted transaction receipt and compare it to the signature on the back panel of the card (unsigned cards must not be accepted);

  -  Black-out all but the last four digits of the credit card number on the cardholder’s copy of the receipt.

·  If a “declined” or “no match” response is received from the authorization network, the credit card cannot be accepted. Operators shall offer to process a different, valid credit card or another acceptable form of payment, such as a personal check or cash.

·  No cash refund shall be processed as the result of a credit card transaction.

·  The amount charged to the card must be fixed by the amount of the transaction.

·  Credits (refunds) must be issued to the same credit card used to process the original purchase transaction. If the original credit card has been cancelled or has expired, a warrant or check refund may be issued upon receipt of a copy of the credit card reject document.

·  The agency’s credit (refund) policy must be clearly displayed or otherwise communicated at the time of the initial transaction.

·  Adequate segregation of duties increases the likelihood that unintentional and intentional errors, including fraud, will be prevented or detected on a timely basis. Typical credit card functions performed by separate individuals, whenever possible, include the following:

  -  Processing the payment/authorization;

  -  Processing credits and refunds:

      -  Identifying credits;

      -  Approving credits;

      -  Issuing credits;

  -  Settlement;

  -  Handling billing and settlement errors;

  -  Reconciling.

·  Any media (paper, electronic, or other) containing confidential cardholder information must be protected from unauthorized access and/or disclosure at all times. Backup media must likewise be securely stored. Paper documents containing confidential information must be stored in secure areas and/or in locking cabinets. Procedures to ensure the security of keys or other locking mechanisms are also required.

·  Point-of-sale terminals used to store, process or transmit confidential credit card information collected from customers must be kept secure.

5.  In the event of a breach in card data security, POS operators shall take the following steps:

·  Provide AGC a situation report containing the account information at risk and the source and timeframe of the data security breach.

·  DO NOT turn off the compromised machine.

·  AGC will alert all necessary parties as soon as practical.

·  If the incident occurs during normal business hours (8:00AM to 5:00PM), AGC will notify the Office of the State Treasurer (OST) using the number listed below. OST will then notify U.S. Bank and coordinate all subsequent communication. If the incident occurs outside normal business hours, contact U.S. Bank directly using the number below.

·  Financial Administration Division (AGC): (503) 584-3911. Point of Contact is the Controller.

·  Office of the State Treasurer (OST); (503) 378-4000. Notify the receptionist that you have experienced a merchant card breach, and ask to speak with the Merchant Bank Liaison on the Banking Team or a member of the Relationship Management Services team.

·  U.S. Bank: 1 (800) 725-1243. Identify that you are a “National Account” with the State of Oregon, and provide them with your Merchant ID (MID) #. Notify the U.S. Bank customer service representative that you have experienced a merchant card breach, and ask that the incident be reported to the Risk Department.

Complete Attachment A to this policy (Incident Report) as soon as possible. It must be completed within three business days and provided to AGC. AGC will forward it to OST and U.S. Bank/NOVA. U.S. Bank/NOVA will then determine what investigatory steps should be taken.

//s//

KARL D. JORGENSON

Director of Financial Administration

Oregon Military Department
