The objectives of this policy include the following:

• Exercise operational authority over the acceptance and deposit of all payments received by Indiana University including those received at the individual department level
• Deliver consistency in payment types across similar revenue processes
• Enable operational efficiency with an optimal cost structure
• Capitalize on the core competency of the Office of the Treasurer relative to banking services, working capital management, credit card processing, electronic payment options and developing technology
• Maintain the highest level of available operational controls to reduce the possibility of fraud, loss of assets and/or loss of sensitive university data

Treasury, in consultation with Campus Administration, will recommend and approve the payment method(s) based on business need. Similar revenue generating activities should have similar revenue processes whenever possible. Business needs for exceptions will be approved by Treasury, in consultation with Campus Administration.

• Electronic transmittal

­ - Accounts Receivable Conversion (ARC)

­ - Remote Check Capture

­ - WEB Payments (ACH and Credit Card)

­ - IU Pay

­ - Bursar External Upload (BEX)

- Credit/debit cards

• Lockboxes

(Note: Electronic transmittal and lockboxes are characterized by a lower risk of diversion and inherent separation of incompatible duties.)

• Centralized credit/debit card system

(Note: There is a risk of release of sensitive information with credit/debit card processing. Compliance requirements include the secure storage of hard copy and electronic records and scheduled destruction and disposal of customer credit card information.)

• Drop box

TRAINING:

Treasury will hold one training session per month. These training sessions will alternate across campuses. Attendance at a training session is mandatory for revenue processors prior to the inception of revenue processing. Treasury should be contacted as revenue processing discussions begin to appropriately plan for training.

COMPLIANCE:

The revenue producing activity fiscal officer and/ or department head will sign a policy compliance document. Compliance documents will be tailored to revenue processing options. All electronic processing options must comply with university guidelines for data security. Credit/ debt card transactions must comply with the requirements of the Payment Card Industry Data Security Standards (PCI DSS) rules.

PRINCIPLES:

Key treasury principles will be included in detailed revenue processing and depositing guidelines, some of which are as follows:

• Electronic processing is the preferred method for handling payments received by Indiana University.
• Payment options will be linked directly into the university’s Financial Information System (FIS), whenever possible, to ensure the timely recording of transactions and expedite the prompt reconcilement of general ledger and bank accounts.
• Although cash will be an accepted form of payment, its use will be discouraged. Notable exceptions include bookstores and food vendors. The University goal is to limit cash due to its inherent internal control risks.
• All revenue processing will be characterized by separation of duties. No one person will have complete control over a revenue processing transaction from initialization to completion
• Only Indiana University employees or external agents designated by Treasury may process revenue and make deposits.
• All employees involved in revenue processing must complete the mandatory training sessions and pass background and credit checks prior to assuming payment processing responsibilities
• No copies of checks (paper or electronic) or listings of complete bank account/credit/ debit card account numbers are to be maintained in any university databases or files without written approval of Treasury. The storage of truncated numbers, in approved formats, is permissible.

GENERAL:

Departments should consult the Treasury website (www.indiana.edu/~iutreas) for standard operating procedures and guidelines that address:

• Electronic payment receipt
• Approved Payees for checks to be deposited
• Proper safekeeping of funds prior to deposit
• Endorsement of checks
• Check handling for checks not payable to Indiana University
• Check handling for checks payable to the Indiana University Foundation
• Transportation of funds for deposit (e.g. couriers, Accountable Mail-BL only)
• Data security
• Fraud prevention

Bank accounts supporting payment options will be maintained by Treasury Services (i.e. check imaging, debit blocks, etc.) to capitalize on efficiency and fraud prevention.

DEFINITIONS:

• Accounts Receivable Conversion (ARC) – converts consumer checks received via a drop box or mailed in to an Automated Clearing House (ACH) debit
• ACH - stands for Automated Clearing House. This is an electronic alternative to checks. Direct deposit of pay is an example of an ACH payment
• Bursar External Upload (BEX) – provides interface to Indiana University’s Bursar system for billing student accounts
• Campus Administration - Vice Chancellor for Finance and Administration or their delegate
• Centralized Credit/Debit Card System - the university’s system-wide credit/debit card system administered by Treasury that processes VISA, MasterCard, Discover and American Express
• Drop Box - a drop box is similar to a bank night depository box. Items placed in the drop box will be retrieved by the department and then be mailed to a designated Indiana University lockbox operation or accounts receivable processing location
• IU Pay – similar to WEB Pay but does not interface with departmental Web pages; does not interface with shopping carts or registration systems
• Lockbox – a lockbox is a collection and processing service provided by financial institution, typically a bank
• Payment Card Industry Data Security Standards (PCI DSS) -an industry standard that sets technical and compliance standards for protecting cardholder data. PCI DSS is supported by VISA, MasterCard, Discover and American Express and applies to everyone that stores, processes or transmits cardholder data
• Payees - a person to whom money is being paid or is due, especially in a transaction such as the payment of a check or money order
• Point of Purchase (POP) – converts consumer checks presented in person to electronic funds transaction
• Remote Check Capture – electronically transmits check images and deposits to a bank for processing and clearing
• Revenue Producing Activities – a revenue producing activity is established when revenue is generated from the sale of products and/or services by Indiana University or its employees
• WEB Pay – allows a departmental Web page to interface with the university payment page to accept a credit card transaction via infiNET, QuickPay, IPASPF/VeriSign or Apply Yourself; allows for shopping carts, registrations, etc.

VI-110, Accepting Electronic Payments

I-450, Establishing and Generating Revenue Producing Activity

Various UITS policies/guidelines on security