Subject Area: Cash Management
Responsible Office: Comptroller's Office
Approval: V.P. for Administration and Chief Financial Officer
Originally Issued: November, 2006
Revised: N/A
Refer Questions To: John R. Kroll, 773-702-1941

PURPOSE: To assign authority and responsibility for the process to accept credit card and other electronic payments to the University.

POLICY:

1. Under the By-Laws of the University, the Comptroller shall devise proper methods of accounting and internal financial controls for all units of the University.
2. The Comptroller will establish, formulate, publish, maintain, and interpret policy and procedure for the control and the acceptance of credit cards as payments to the University. Credit card processing includes acceptance via terminal, computer systems, websites, or other electronic means whether by the University or by an outside party acting as the University’s service provider.
3. Units within the University may not negotiate their own contracts with credit card companies, processors, or external services that accept credit card payments on the University’s behalf.
4. All units that wish to accept electronic credit card payments are required to request and obtain approval from the Bursar’s Office (ref: Bursar’s Agreement form PF 11.801) and from Networking Services and Information Technologies (NSIT) before initiating such credit card transactions, and to establish the valid business purpose of the proposed arrangements.  This Policy applies to existing, new and changed services.
5. Only the Bursar’s Office is authorized to issue University bank merchant ID account numbers, which are required for University acceptance of credit card payments and to enable deposits through the Bursar’ Office.
6. The University has established contracts, incorporating the necessary security provisions, for many system and service components needed for the acceptance and processing of electronic credit card transactions. Where such contracts exist, all units processing electronic credit card payments, e.g., through the World Wide Web, are required to utilize them.  If a required service is not already covered by a University contract, the unit must work through the Bursar’s Office to identify and contract for approved necessary services and ensure the security of those services.
7. Any University computer, Web site, software application, or other device connected to the campus network that is involved in any way in the processing of credit card payments must undergo a security review by and receive approval from NSIT before credit card processing can begin. Any computer system used in any way in credit card payment processing must be registered with NSIT by the unit as a regulated computer and maintained in accordance with University policy for regulated computers. (ref: https://security.uchicago.edu/policies/regulated-computers/)
8. Credit card numbers shall not be transmitted via e-mail or stored in a persistent manner on any University computer, storage device, or other electronic medium. Any associated paper or other records or reports containing credit card customer information shall be stored in locked cabinets and access shall be limited to only those employees who need this information to accomplish their work.
9. The University is charged fees on all credit card transactions. At month end, these fees will be charged to the unit based on their activity.

See Agreement and Procedures form PF 11.801 for instructions and submit to the University Bursar’s Office.