The objectives of this policy include the following:

• Exercise operational authority over the acceptance and deposit of all payments received by Indiana University including those received at the individual department level.
• Deliver consistency in payment types across similar revenue processes. Similar revenue generating activities should have similar revenue processes whenever possible.
• Enable operational efficiency with an optimal cost structure
• Capitalize on the core competency of the Office of the Treasurer relative to banking services, working capital management, credit card processing, electronic payment options and developing technology
• Maintain the highest level of available operational controls to reduce the possibility of fraud, loss of assets and/or loss of sensitive university data
• Educate all areas that accept payments as to their need to comply with Indiana University’s data security policies and the Payment Card Industry Data Security (PCI DSS) requirements.

Each review will begin with an assessment as to whether the revenue processing activity is in compliance with Policy I-450 (Establishing and Generating Revenue Producing Activity). Activities found to be in non-compliance will be given time (a maximum of 30 business days) to comply with I-450 before the start of the RPA. If not compliant within that time frame, notification will be made to Campus Administration and Financial Management Services (FMS), the owner of Policy I-450.

Upon completion of each RPA review, Treasury, in consultation with the department and Campus Administration, will recommend the approved payment method(s) based on substantiated business needs. Business needs for exceptions will be approved by Treasury, in consultation with Campus Administration on a case by case basis.

Treasury will also review Revenue Processing Activity Questionnaires (RPAQs) that are submitted in connection with Policy I-450. These questionnaires typically are requests for a one-time or infrequent revenue processing activity (i.e. a conference or workshop). Treasury will review the request and issue a written set of recommendations for how the activity’s revenue should be processed.

All recommendations will be made in writing with copies going to the department head, Campus Administration, relevant Fiscal Officer and Indiana University Internal Audit. The department head, relevant fiscal officer and Campus Administration are responsible for compliance with implementing the recommendations contained in the review.

Recommendations resulting from the RPA and RPAQ reviews will be in accordance with Best Practices in regards to the effective, efficient and secure processing of payments and any associated data, some of which are as follows:

• Electronic processing is the preferred method for handling payments received by Indiana University.
• Departments will be encouraged to minimize and eliminate, if possible, accepting payments at their department. Departments will be asked to replace these face-to-face transactions by using web-based and/or lockbox processed transactions.
• Payment options will be linked directly into the university’s Financial Information System (FIS), whenever possible, to ensure the timely recording of transactions and expedite the prompt reconcilement of general ledger and bank accounts.
• Although cash will be an accepted form of payment, its use will be discouraged. The University goal is to limit cash due to its inherent internal control risks and to reduce the high administrative costs associated with handling and transporting cash.
• All checks accepted must be payable to an approved Payee and be Endorsed immediately upon receipt. Once endorsed, funds must be recorded in the Financial Information System (FIS) and deposited or put in Transit for Deposit via a method approved by Treasury within one day of receipt.
• All revenues must be deposited into a University approved bank account per Policy VI-52.
• All revenue processing will be characterized by separation of duties. No one person will have complete control over a revenue processing transaction from initialization to completion.
• Only Indiana University employees, its agents or individuals specifically approved by Treasury may process revenue and make deposits.
• All checks deposited by University employees will be processed using Remote Image Capture (foreign checks will be an exception).
• All full time employees involved in revenue processing must attend a face to face revenue processing training session. Part time and student hourly employees can meet the training requirement by attending a face to face revenue processing training session or take the revenue processing tutorial available on the Office of the Treasurer website. All training should be completed prior to assuming payment processing responsibilities.
• Departments will be encouraged to have background checks on file for all employees involved in revenue processing prior to the employee assuming payment processing responsibilities. Departments are to work with the campus Human Resources office to ensure that all such checks are performed within the requirements of the University’s Background Check policy
• All revenue processing activities must be conducted in accordance with all University policies and State and Federal regulations regarding Data Security.
• All revenue processing activities must be conducted in compliance with all Payment Card Industry Data Security Standards (PCI DSS).
• No copies of checks (paper or electronic) or listings of complete bank account/credit/debit card account numbers are to be maintained in any university databases or files without written approval of Treasury. The storage of truncated numbers, in approved formats, is permissible.

II. TRAINING:

Treasury will hold a minimum of one training session per year on each campus. Two sessions each year will be conducted on the Bloomington and Indianapolis campuses. A schedule of upcoming sessions is continually posted on the Treasury website (www.indiana.edu/~iutreas). Additionally, Treasury will work with any campus or campus unit to schedule Revenue Processing training sessions to accommodate any special circumstances they may have.

All employees processing revenue must attend or receive training. Training should occur prior to the inception of Revenue Processing activities.

Full-time employees: Attendance at a face to face training session is mandatory for full time staff. If they are unable to attend a face to face training session, they must take the Revenue Processing tutorial offered on the Treasury website (www.indiana.edu/~iutreas), they will then need to take the face to face the next time it is offered on their campus.

Part-time and Student hourly employees: They are encouraged to attend a face to face Revenue Processing training session, but may meet the training requirement by taking and passing the Revenue Processing Tutorial offered on the Treasury website (www.indiana.edu/~iutreas).

III. GENERAL:

Departments should consult the Treasury website (www.indiana.edu/~iutreas) for standard operating procedures and guidelines that address:

• Electronic payment receipt
• Approved Payees for checks to be deposited
• Proper safekeeping of funds prior to deposit
• Endorsement of checks
• Check handling for checks not payable to Indiana University
• Check handling for checks payable to the Indiana University Foundation
• Transportation of funds for deposit (e.g. couriers, Accountable Mail-BL only)
• Data security
• PCI DSS compliance
• Fraud prevention

IV. REVENUE PROCESSING OPTIONS INCLUDE, BUT ARE NOT LIMITED TO THE FOLLOWING:

A. Treasury Administered Processes

• Accounts Receivable Conversion (ARC)
• Remote Image Capture
• Lockboxes
• Web payments (ACH and credit card)
• IU Pay Plus

B. Treasury Approved Processes

• FMS Accounts Receivable lockboxes
• Bursar External Upload (BEX)
• Indiana University Conference Bureau
• Ticketmaster

V. DEFINITIONS:

• Accounts Receivable Conversion (ARC) – converts consumer checks received via a drop box or mailed in to an Automated Clearing House (ACH) debit.
• ACH - stands for Automated Clearing House. This is an electronic alternative to checks. Direct deposit of pay is an example of an ACH payment.
• Bursar External Upload (BEX) – provides interface to Indiana University’s Bursar system for billing student accounts.
• Campus Administration - Vice Chancellor for Administration and Finance (for IUB campus, the Associate Vice Provost for Finance) or their delegate.
• Centralized Credit/Debit Card System - the university’s system-wide credit/debit card system administered by Treasury that processes VISA, MasterCard, Discover and American Express.
• Data Security - this is a top priority at Indiana University and it covered by several policies and procedures along with numerous Federal and State laws and contractual requirements (i.e. PCI DSS).
• Endorsed - the stamping of deposit information on the back of a check using an endorsement stamp approved by Treasury. All endorsements stamps must be approved by Treasury.
• IU Pay Plus – similar to WEB Pay but does not interface with departmental Web pages; does not interface with shopping carts or registration systems
• Lockbox – a lockbox is a collection and processing service provided by financial institution, typically a bank
• Payment Card Industry Data Security Standards (PCI DSS) -an industry standard that sets technical and compliance standards for protecting cardholder data. PCI DSS is supported by VISA, MasterCard, Discover and American Express and applies to everyone that stores, processes or transmits cardholder data
• Payee - a person to whom money is being paid or is due, especially in a transaction such as the payment of a check or money order. Some examples of approved payees for Indiana University are:

  (a) Trustees of Indiana University

  (b) Indiana University

  (c) Indiana University, (insert campus, departments, school, etc.)

  (d) IU

  Examples of payees that would not be approved are:

  School of X, Indiana University

  Department of X

• Remote Check Capture – electronically transmits check images and deposits to a bank for processing and clearing.
• Revenue Producing Activities – a revenue producing activity is established when revenue is generated from the sale of products and/or services by Indiana University or its employees
• Revenue Processing Reviews - (future web link to be added)
• Revenue Processing Questionnaires - (future web link to be added)
• Transit for Deposit - (future web link to be added)
• WEB Pay – allows a departmental Web page to interface with the university payment page to accept a credit card transaction via NelNET, QuickPay, IPASPF/VeriSign or Apply Yourself; allows for shopping carts, registrations, etc.

VI-110, Accepting Electronic Payments

I-440, Depositing of University Funds

I-450, Establishing and Generating Revenue Producing Activity

Various UITS policies/guidelines on security

Payment Card Industry Data Security (PCI DSS) standards as set by the PCI Council