University System of New Hampshire

10. Revenue and Cash Receipts

 

Issue Date   Number   Revised Date   Title
03/01/1992   001      11/02/2012     Revenue Accounting
03/01/2000   002      11/01/2012     Billing for Goods Sold or Services Rendered
02/07/1991   004      10/01/2012     Receipt and Deposit of Cash Items
09/10/2018   010                     USNH Payment Card Data Security
03/01/1992   052      11/01/2012     Restricted Gifts Accounts

The official version of this information will only be maintained in an on-line web format. Any and all printed copies of this material are dated as of the print date. Please make certain to review the material on-line prior to placing reliance on a dated printed version. 

10 - 001 Revenue Accounting

A. SUMMARY OF ADMINISTRATIVE PROCEDURE

This statement defines operating and non-operating revenues. It addresses commonly asked questions on interdepartmental sales, recording receipts as credits to expense, and sales of departmental equipment.

1. Definition of current operating revenue. Within USNH current funds, revenue is defined as any transaction which results in an increase in the current financial resources (i.e., net assets) of USNH as a whole. Operating revenue results from the sale of USNH's primary products and services to a non-USNH entity or from carrying out other activities that support USNH's missions of instruction, research and public service. Examples of operating revenue include all tuition and fees assessed against students, state of New Hampshire general appropriations, gifts, grants, contracts, investment and endowment income, departmental sales and services to external entities, miscellaneous college receipts, and auxiliary enterprise sales. Sources of USNH operating revenues include students, governments, donors, and other public customers. Within auxiliary enterprise funds, sources of revenue are primarily students, faculty and staff; however, incidental sales to the general public and other USNH departments may be included.

2. Designations of revenue:

a. Restricted current fund revenues. These are resources which are available for current operating purposes but whose expenditure is limited by an external source (e.g., donors, government, grantor, etc.) to specific purposes, programs, schools, departments, etc. Restricted revenues, although recorded when earned in accordance with Procedure 10-002, Billing for Goods Sold or Services Rendered, are recognized as revenue in the USNH financial statements only to the extent that such funds are expended, as required by generally accepted accounting principles (GAAP). To accomplish GAAP recognition, USNH requires that all restricted current funds be recorded in Banner funds whose second character is numeric (see Procedure 02-023: USNH Grant Fund Coding Conventions) and that proper Banner account codes be used (see Procedure 02-039: Account Coding Conventions).

Funds with internal restrictions are not classified as restricted current funds because a restriction imposed by the governing board or administration can be removed at their discretion. These funds are properly classified as internally designated funds, a subdivision of unrestricted current funds.

b. Unrestricted current fund revenues. These are resources which are not restricted by external sources and which are expendable for operating purposes. Included are undesignated educational and general, auxiliary enterprise, and internally designated resources. The absence of an external restriction implies that the resource is available for current operations and, therefore, must be recorded in current unrestricted revenues.

c. Other revenues (non-operating) and fund additions. Resources which are restricted by outside persons, agencies (such as on loan funds), endowment and similar funds, or plant funds are accounted for as restricted revenues in the appropriate fund group to which the restriction applies. For example, a donor might state that their gift is to be used for the purchase of library books. The gift would be recorded as a current restricted gift in a restricted gift fund. If, however, the donor stated the gift was to be used for construction of a library, it would be recorded as a restricted gift in plant funds. To take it a step further, a gift received whereby only the income earned on the gift could be spent for purchase of library books would be recorded in endowment and similar funds; the income earned on the gift which is available to spend would be recorded in current restricted funds.

In accordance with GAAP, all gains and losses arising from the sale, collection, or other disposition of investments and other noncash assets are accounted for in the fund which owned such assets. Ordinary income derived from investments, receivables, and the like is accounted for in the fund owning such assets, except for income derived from investments in endowment and similar funds. Income derived from endowment and similar funds is accounted for in the fund to which it is restricted or, if unrestricted, as revenue in unrestricted current funds.

B. DETAILED OPERATING PROCEDURES

1. Offsetting revenue and expenses. Revenue is always recorded at the gross amount, not net of any discounts, etc. For example, tuition, fees and room and board charges are recorded at the gross amount according to Trustee approved rate schedules even though there is no intention of collection directly from the student. Institutional scholarships, staff tuition waivers, etc., are then recorded as expenditures. However, refunds to students as a result of courses dropped during the refund period are recorded as reductions to tuition revenue since these are viewed as corrections of amounts previously recorded as revenue that will not be earned.

2. Recurring interdepartmental sales. Self-supporting departments established primarily to provide goods or services to other USNH departments are generally set up as internally designated or auxiliary funds (Banner funds whose second character is "A" or "D"). Examples include Mail Service, Central Stores and Central Copying. Interdepartmental sales for these operations don't result in an increase to overall net assets of USNH. Accordingly, the sales are recorded as reductions of expenses. In this way, all revenue and expense activity in these funds is eliminated from the USNH financial statements and overall USNH expenditures will not be double-counted.

Auxiliary enterprise funds are also used to account for revenues of operations established primarily to furnish goods or services to students, faculty or staff. Often, auxiliaries incidentally service the general public. These sales by auxiliary enterprises are recorded as revenues. The primary source of funding is the key factor. For example, departments may purchase goods from Dining Services, but those sales would be recorded as a reduction of expenses rather than revenue.

3. Recording receipts as credits to expense account codes. Revenue should never be recorded in an expense account code, except in the following instances:

a. Interdepartmental sales by an operating account or department with a Banner Fund in the unrestricted range (second character is "U", "D" or "A") should be recorded as a credit to an expense account code. This is because an interdepartmental sale does not add new dollars to USNH's net assets; it merely increases the net assets of one USNH unit and decreases the net assets of another. When interdepartmental sales are part of the normal operations of the department, the account should usually be established as described in Section B.2. above.

b. Vendor credits and other corrections of expenditure transactions resulting from the overpayment of an employee or a vendor invoice, return of goods, etc., should be recorded as a credit to the expense account code originally charged when the goods or services were bought.

c. Vendor payment discounts received from the timely payment of vendor invoices are properly credited to the expense account code originally used for the purchase.

4. Sales of departmental equipment. Occasionally, departments must sell surplus unused or obsolete equipment originally purchased with departmental funds. Departments should contact Purchasing first to determine the proper property disposition procedure (see Procedure 11-030: Disposal of Surplus Property) and then contact the appropriate campus Property Control contact to adjust the inventory as instructed in the disposal procedure noted above. If the sale is made to another USNH department, the transaction should be recorded on a Banner JV document using PB* and IV* rule codes as needed and reported to the applicable campus Property Control contact via the USNH 11-010F: Equipment Location Form. The department buying the equipment should debit an equipment account code (74*) and the selling department should credit an equipment account code (74*). If the sale is made to an outside party, the transaction will involve the receipt of cash and be recorded via a Banner JV document using a proper CR* rule code. The sale proceeds should normally be credited to the campus' miscellaneous college receipts account. If approved by the campus Chief Financial Officer (CFO), the sale proceeds may be credited directly to an equipment account code thereby utilizing the funds generated from the sale of surplus equipment in the current year budget.

10 - 002 Billing for Goods Sold or Services Rendered

A. SUMMARY OF ADMINISTRATIVE PROCEDURE

This statement defines who has authority to make sales on credit, what rules must be followed, and the responsibility for reconciliations and proper accounting in Banner. This statement DOES NOT apply to tuition billings generated each semester by the campus cashier/bursar.

Authority and responsibility for sales on credit. All sales of goods or services by USNH departments are to be made only upon receipt of cash (i.e., no sales are allowed to be made on credit) unless written approval in advance is received from the campus Chief Financial Officer (CFO). Departments with CFO approval to make credit sales must follow the policies and procedures of the campus Credit and Collections department (unless specifically exempted in writing by the campus CFO) relative to extension of credit, invoice and statement generation and frequency, aging analysis, delinquent account follow-up, and write-off of noncollectable accounts. All accounts receivable resulting from amounts owed by students, governments, employees, contractees, grantees, and other customers must be reconciled to Banner by the responsible account manager on a monthly basis.

B. DETAILED OPERATING PROCEDURES

1. When is revenue recorded? Revenue should be recorded when an exchange has taken place and the earning process is complete. An exchange has taken place when ownership of the goods is transferred to the buyer or when services for the buyer have been fully performed. The earnings process is complete when (a.) all necessary costs to produce the revenue have been incurred and recorded and, (b.) collection of the sales price is reasonably assured by receipt of money or by a promise to pay money at some future date.

a. If all necessary costs to produce the revenue have not yet been incurred, the amount of the cash received is recorded as deferred revenue, in special balance sheet account 212* (deferred revenue and deposits).

b. The collection of the sales price is generally considered to be reasonably assured when an invoice is sent to a customer or when cash is received from a customer, whichever comes first.  In accordance with the accrual basis of accounting, revenue is recorded when it is earned, without regard to the time of receipt. (The cash basis of accounting, which is not generally applicable to USNH operations, calls for recording revenue only when cash is received.)

2. Accounting for credit sales transactions. Sales invoices are generally recorded in Banner via an approved campus form (the Charge Sale Invoice Form at UNH, Miscellaneous Charge Form at KSC, and Miscellaneous Deposit Form (MISP) at PSU) immediately upon forwarding the sales invoice to the customer, in accordance with the policies and procedures of the campus Credit and Collections department. The applicable Banner revenue account code is credited (see Procedure 02-040 Banner Revenue Account Code Table, definitions and listings) using a suitable JE* rule code, and the applicable balance sheet receivable (in the 112* account code range) is debited using an appropriate fund. When the cash is received from the customer, the 112* balance sheet account is credited using a proper CR* rule code.

3. Accounting for uncollectible accounts and billing errors. If accounts receivable must eventually be written off as uncollectible, this is an expense which must be recorded in a suitable expense account code, not as a reduction of revenue. Uncollectible accounts are always recorded as a charge to an expense account code. However, if an error was made billing the student or customer too much, for which a subsequent corrected billing entry is made, then this is properly recorded as a reduction of revenue.



10 - 004 Receipt and Deposit of Cash Items

A. SUMMARY OF ADMINISTRATIVE PROCEDURE

This statement outlines procedures for proper receipt and depositing of currency, checks, bank card charge slips and other cash equivalents (collectively hereinafter referred to as "cash" or "cash items").

1. Timeliness of cash deposits. In order to optimize investment earnings and reduce the possibility of theft and loss, all receipts of checks and currency are to be deposited intact to the campus Cashier or local depository bank no less than once per week.

Checks and currency totaling $800 or more must be deposited within 48 hours of receipt. Checks and cash should never be held by a department awaiting accounting information. Credit card charge slips are to be deposited directly to the appropriate bank within 72 hours of receipt by the department.

2. Responsibility for safeguarding the receipt of cash items. At the departmental cash collection locations, the dean, director or department head is responsible for safeguarding cash items by employing appropriate internal controls. Such controls include:

a. Clearly define and document delegated responsibility for cash items from time of receipt to time of deposit. Responsibility for the billing, cash handling, record-keeping and reconciliation functions should be assigned to separate individuals, to the extent possible.

b. Open and process mail on a timely basis and in the presence of coworkers, if possible. Maintain a log of all cash items received. Restrictively endorse checks immediately upon receipt using an endorsement stamp approved by the USNH Controller. 

c. Provide security over cash items awaiting deposit at all times through the use of locked, fireproof safes, strong boxes or file cabinets. Never leave cash items in or on desks or unattended at any time.

d. All cash receipts are to be deposited intact. Do not commingle cash receipts with any other personal or business cash funds and do not reduce cash receipts by amounts needed for petty cash transactions. Use standard campus deposit forms. Reconcile all cash deposits to Banner on a regular, timely basis.

e. Cash Receipts of more than $10,000 must be reported to the IRS by each campus.  This requires solicitation and proper storage of personal identification information including remitter's social security number. For purposes of this paragraph, cash is defined as coins and currency of the U.S. or any other country, cashier's checks, bank drafts, travelers checks or money orders.

f. Checks deposited using remote deposit devices must be kept in a locked, fireproof safe. After 45 days from the date of the deposit, checks must be destroyed using cross-cut shredding or an approved shredding/disposal service for paper documents.

g. Cash receipts and deposits are subject to periodic surprise audits by USNH internal and external auditors.

B. DETAILED OPERATING PROCEDURES

Detailed USNH cash receipt and deposit operating procedures are the responsibility of each campus administration.



10 - 010 USNH Payment Card Data Security

A. SUMMARY ADMINISTRATIVE PROCEDURE

1. Purpose. The purpose is to establish procedures that will minimize risk and provide the greatest value, security, and service to each component institution of the University System of New Hampshire (USNH) within the rules, regulations and guidelines established by the Payment Card Industry Data Security Standard (PCI DSS). This procedure addresses the standards that are contractually imposed by the major payment card brands on merchants that accept these cards as forms of payment. The policy covers the following specific areas contained in the PCI standards related to cardholder data (CHD): processing, transmitting, storing, and disposing of CHD.

2. Scope. These procedures apply to any person using USNH’s systems and networks involved with payment card handling. This includes processing, transmitting, storing and disposing of CHD at USNH, and use of any third party system that could impact the security of CHD at USNH. In addition, institutions must comply with USNH Information Technology Security Policy USY VI.F.5.

3. Authority. The PCI DSS is a set of requirements created and agreed upon by the five major payment card brands: American Express, Discover, the Japanese Credit Bureau (JCB), MasterCard and VISA. These security requirements apply to all transactions surrounding the payment card industry. Electronic and paper transactions are covered by this standard. The requirements apply to any organization involved with handling CHD. The card brands apply terms in the merchant agreement to enforce these standards. USNH requires that all campus organizations and departments handling payment card data:

a. Adhere to all applicable PCI DSS administrative, technical, and reporting requirements;
b. Have pertinent local practices, procedures and documentation in place to ensure compliance with PCI standards; and
c. Provide training for the employees and others that handle CHD.

4. Revision. These procedures may be updated at any time by USNH Financial Services and should be reviewed annually by campus Merchants Departments for changes, in accordance with PCI DSS.

5. Definitions

a. Attestation of Compliance (AOC) - A document that is completed along with a Self-Assessment Questionnaire (SAQ), as a declaration of the merchant’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS). This summary document may be safely shared outside of USNH with third parties with a legitimate business reason to know.

b. Campus Finance/Administration Office – Responsible for approving all requests for acceptance of payment cards.

i. For UNH this is the Vice President for Financial Affairs Office (VPFA)
ii. For PSU this is the Financial Services Office
iii. For KSC this is the Finance & Planning Office
iv. For GSC this is Student Accounts Department

c. Cardholder Data (CHD) – Those elements of payment card information that are required to be protected. These elements are:

i. the Primary Account Number (PAN), or
ii. the PAN in conjunction with:

  • Cardholder name
  • Expiration Date
  • Service code

d. Merchant Department – Any department or unit which has been approved by the Campus Finance/Administration Office to accept payment cards (Visa, Master Card, American Express, Discover) and has been assigned a Merchant Identification number (MID).

e. Merchant Department Responsible Person (MDRP) – An individual within the department who has primary authority and responsibility for payment card transactions and ensuring compliance with PCI DSS.

f. Payment Card Industry Data Security Standards (PCI DSS) - The security requirements defined by the Payment Card Industry Security Standards Council and the 5 major Payment Card Brands.

g. Self-Assessment Questionnaire (SAQ) - reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.

h. Service Code – The three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. This data is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.

i. Service Provider - A business entity other than a payment brand directly involved in the processing, storage, or transmission of CHD on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data.

B. DETAILED OPERATING PROCEDURES

1. Payment Card Acceptance and Handling

a. In the course of doing business at any USNH institution, it may be deemed advantageous for a department or other unit to accept payment cards for purchases of USNH goods and/or services. These transactions may include receipt of donations, payment for credit and non-credit courses, conference fees, ticket sales and other approved institutional products and services. Approval of a new merchant account for the purpose of accepting payment cards is done on a case-by-case basis. Each Campus Finance/Administration Office determines where to charge any fees associated with the acceptance of payment cards by its units. 

b. Departments or units that want to begin accepting payment cards as payment for sales of goods or services rendered should contact their respective Campus Finance/Administration Office to begin this approval process. Steps include:

i. Completion of an Application to Accept Payment Card
ii. Completion of PCI-DSS and Best Practices Guide training, and
iii. Submitting the completed application to the Campus Finance/Administration Office for approval.

c. The Campus Finance/Administration Office submits the approved application to USNH Accounting Services at accounting.operations@usnh.edu to initiate setup of the MID with the USNH Merchant Bank and obtain an AMEX ID if applicable.

d. Any department accepting payment cards on behalf of a USNH institution or affiliated organization must designate an individual within the department who will have primary authority and responsibility for payment card transactions. This individual is referred to as the Merchant Department Responsible Person or MDRP. The department must also specify a back-up, or person of secondary responsibility, should matters arise when the MDRP is unavailable.

e. Once the MID is obtained from the bank, the USNH merchant bank relationship manager will guide the MDRP through the process until the location is up and running. Please allow five to seven business days for a new setup.

f. Requests to obtain or replace point of sale terminals for existing locations must be made to your Campus Finance/Administration Office. Once approved, the equipment can be purchased and the USNH’s merchant bank relationship manager can be contacted.

g. Each MDRP may directly contact the USNH merchant bank relationship manager for questions related to maintenance of existing terminals and terminal settings. Current contact information can be obtained from Campus Finance/Administration Office or USNH Accounting Services.

h. Specific details regarding transaction handling and required reconciliation for each merchant location will depend upon the method of payment card acceptance and type of merchant account used. Detailed instructions will be provided by the merchant bank when any new account is established.

i. Merchant Departments accepting payment cards over the internet must post a copy of the “USNH Privacy Policy” and a refund policy on their web site. A Technical contact is required for all online card collection sites.

j. When purchasing new services or equipment to handle payment card transactions, the MDRP must obtain proof of PCI compliance from the service provider or the equipment vendor. New web applications that accept credit card payments on USNH’s behalf must be approved by the Campus IT Security Officer. The vendor must:

i. be PCI compliant,
ii. provide an AOC,
iii. be approved before the contract can be signed, and the contract must include specific PCI language.

k. When renewing existing agreements, the MDRP should make every effort to negotiate the PCI compliance requirements in B.1.j. above if not already in place. If already in place, the MDRP must maintain that same level of PCI compliance.

l. Any new service agreement or renewal must comply with USNH Procurement Policy.

m. Each merchant location should record their payment card revenue in the USNH Financial System on a daily basis, unless other arrangements are made with USNH Accounting Services. Payment card merchants should contact USNH Accounting Services with any questions in this regard.

2. Payment Card Data Security Procedures.

All procedures for processing payment card transactions and handling of related data must be documented by authorized departments and be available for periodic review. Departments must have the following components in their procedures and ensure that these components are maintained on an ongoing basis.

a. Access to CHD must be restricted to only those users who need the data to perform their jobs. Each such user is subject to a background check as described in policy USY V.C and related campus specific procedures, prior to being given access to CHD. Each merchant department must maintain a current list of all users (employees, volunteers, contractors, etc.) with access to CHD and review the list quarterly to ensure that the list reflects the most current access needed and granted. For systems requiring login, this list must be a system generated listing of users.

b. CHD, whether collected on paper or electronically, must be protected against unauthorized access at all times.

c. All equipment used to collect CHD must be secured against unauthorized use or tampering in accordance with the PCI DSS.

d. Physical security controls must be in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or file cabinets that store the equipment, documents or electronic files containing CHD.

i. A process for regular inspections of devices must be documented at the merchant level. A PCI DSS Compliance log must be maintained and validation entered for the specific device. Each inspection should include:

  • Verifying the serial number
  • Inspecting the device to ensure that all anti-tampering labels are intact
  • Inspecting the device to ensure that no obvious modifications have been made to the device.

ii. Employees are not permitted to change or switch out any transmission wiring without approval from the MDRP or designated IT Support personnel. The only parties who may modify or move wiring are paid vendors with written permission, or a campus employee with written permission from his/her campus IT or Finance/Administration management. Each card acceptance location should ensure that their employees:

  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Do not install, replace, or return devices without verification.
  • Are aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  • Report suspicious behavior and indications of device tampering or substitution to MDRP and Department management.
  • Do not use any devices where suspicion exists that substitution or tampering has occurred.

e. Unencrypted electronic communication methods such as email, instant messaging, chat, SMS, etc. must not be used to transmit CHD or personal payment information, or be accepted as a method to supply such information. Each merchant department must include in its departmental PCI DSS procedure the proper method to handle and respond to emails or other insecure communications sent by customers that contain CHD. In the event this does occur, handling the received CHD as outlined in section B.2.j below is critical. Also see item 6 in the Best Practices Guide for additional information in this regard.

f. It is best not to use fax machines to transmit payment card information to a merchant department. If a fax must be used, MDRP must ensure the device is a stand-alone machine using plain paper type and located in a secure location to prevent unauthorized access. Never use Multi-function/multi user devices to transmit or receive payment card information.

g. No database, electronic files, other electronic repositories of information, or paper forms may store the card-validation code (aka CVV or CVC) after authorization regardless of the success or failure of the payment.

h. The full contents of any track from the magnetic stripe on the back of a payment card must never be stored.

i. Portable electronic media devices or shared file repositories should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants and portable external hard drives.

j. CHD should not be retained any longer than required to authorize the transaction, and must be immediately deleted or destroyed following authorization. Access to cardholder data is restricted to those with a business “need to know”, and each person with access to cardholder data must have a unique ID and password.

i. A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no CHD is kept after authorization. Any access of CHD must be logged with the date and time, along with the identity of the employee accessing the secured data and customer contact information in the case of loss (to notify the customer).

ii. CHD must be disposed of in a manner that renders all data unrecoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, and USB storage devices (before disposal or repurposing, computer drives should be sanitized in accordance with applicable institutional electronic data disposal policies).

iii. Approved disposal methods per the PCI DSS v3.2 are:

  • Cross-Cut shredding, incineration, pulping, or using an approved shredding/disposal service for paper documents
  • Wiping and/or physical destruction of electronic media in a manner that renders it unrecoverable.

k. All work computers of employees authorized to handle CHD and shared workstations related to merchant operations must be scanned with the USNH authorized scanning tool on a regular basis to ensure no CHD is stored on those computers, in case of accident, negligence, or other reasons.
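As an added illustration (this is not the USNH authorized scanning tool, and the sample lines are constructed), the following Python sketch shows the kind of check such a scan performs: it looks for Luhn-valid primary account numbers and full magnetic-stripe track data in text, and reports PANs only in masked form so the scan log itself does not become stored CHD.

```python
"""Illustrative scan for stored cardholder data (CHD) in text.

Added example, not USNH's scanning tool. It searches for the elements this
procedure says must never be kept after authorization: Luhn-valid primary
account numbers (PANs) and full track 1 / track 2 magnetic-stripe data.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]*\?")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "PAN", "TRACK1" or "TRACK2"
    masked: str    # masked PAN, never the full number


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line; return one Finding per stored-CHD hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        track_hit = False
        for kind, regex in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
            for m in regex.finditer(line):
                pan = re.search(r"\d{13,19}", m.group()).group()
                findings.append(Finding(line_no, kind, mask_pan(pan)))
                track_hit = True
        if track_hit:
            continue   # the PAN inside track data is already reported
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):      # filters most random digit runs
                findings.append(Finding(line_no, "PAN", mask_pan(digits)))
    return findings


# Constructed sample: one order log with a test PAN (4111... is a standard
# test number), a 13-digit reference that fails Luhn, and raw track 2 data.
SAMPLE = """\
2018-09-10 order 4471 shipped to Durham NH 03824
customer note: card 4111 1111 1111 1111 exp 09/22
phone 603-555-0100 ref 1234567890123
;4111111111111111=2209101123400000?
"""


def scan_files(paths: List[str]) -> List[Finding]:
    """Scan each file as text, ignoring undecodable bytes."""
    out: List[Finding] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            out.extend(scan_text(fh.read()))
    return out


if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Run with file paths as arguments to scan those files, or with none to scan the embedded sample.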

l. All CHD security lapses must be logged and resolved by the MDRP. CHD security lapses are defined as cases where employees did not follow USNH procedures, but which did not result in a security breach. A CHD security lapse may be grounds for disciplinary action including termination.

m. USNH Purchasing Card data and bank account information should be protected the same way payment card data is protected. Related procedures should be documented by each department and include the above components, particularly as they relate to storage and disposal of CHD.

3. Service Provider Relationships

Merchants and their service providers must have a documented and consistent level of understanding about their applicable PCI DSS responsibilities.

a. USNH Merchants that utilize a service provider for payment processing, transmission or storage must obtain a written agreement from such provider stating that the named provider is responsible for the protection and security of any CHD that the provider possesses, stores, processes, or transmits on behalf of USNH, or any CHD whose security the provider could affect. This should be done for all new contracts and, to the extent negotiable, for any contract renewals.

b. The written agreement must specify the PCI DSS requirements for which the service provider is responsible and those for which the USNH Merchant is responsible. This documentation should be obtained for all new contracts and any contract renewals.

c. The MDRP must communicate the PCI requirements for which the merchant department is responsible to all persons (staff, contractors, temporary employees, volunteers, etc.) that will be involved with payment handling in any way.

d. Proof of a Service Provider's PCI DSS compliance must be provided to USNH Accounting Services on an annual basis. Acceptable types of proof are limited to the following (in order of preference):

i. A signed Attestation of Compliance (AOC) that has been properly completed and is less than twelve months old.

ii. Alternatively, USNH may accept the provider's status as it appears on the Visa Global Service Provider Listing (http://visa.com/splisting).

iii. Service Providers who are eligible to self-assess should provide an AOC signed by an executive of the vendor, dated within the last twelve months, and based on the results of a completed Self-Assessment Questionnaire (SAQ) D for Service Providers. This SAQ should ideally be supported by a Qualified Security Assessor (QSA as defined in the PCI DSS) signature, but this is not specifically required.

iv. USNH may also accept documents deemed appropriate by legal counsel in limited instances.

4. Failure to Meet the Requirements of USNH Policy and Procedures. 

Departments and merchants have a responsibility to follow all applicable USNH Policies and Procedures.

a. Failure to meet the requirements outlined in this procedure will result in suspension of the physical and, if appropriate, electronic payment capability for affected units. Additionally, any fines and penalties which may be imposed by the affected payment card brand(s) will be the responsibility of the impacted unit.

b. Individuals who fail to meet the requirements outlined in this procedure will be subject to disciplinary action including termination under policy USY V.C.9 and related campus specific procedures.

5. Responding to a Security Breach.

In the event of a breach or suspected breach of security, the department or unit must immediately execute each of the relevant steps outlined below in addition to following applicable local institutional or departmental incident management procedures:

a. Contact the USNH IT Security Office and the institutional IT or Information Security office for proper direction related to preservation of electronic data. The steps should include:

i. Disconnecting the impacted device(s) from all networks: unplug the Ethernet (network) cable; if the device uses a wireless connection, disconnect it from the wireless network; for devices connected via an analog telephone line, unplug the phone line.

ii. DO NOT turn the device off or reboot. Leave the device powered on and disconnected from the network.

iii. Prevent any further access to or alteration of the compromised system(s) (i.e., do not log on to the machine and/or change passwords; do not run a virus scan). In short, leave the system(s) alone, disconnected from the network, and wait to hear from the IT security office.

b. Document every action taken from the point of suspected breach forward, preserving any logs or electronic evidence available. Include the following in the documentation:

i. Date and time
ii. Action taken
iii. Location
iv. Person performing action
v. Person performing documentation
vi. All personnel involved

c. Notify the department's MDRP, the Dean, Director or Department Head of the unit experiencing the breach, and the campus Finance/Administration Office of the breach circumstances.

d. The Campus Finance/Administration Office must relay all such communications to the USNH Treasurer, USNH General Counsel and USNH Internal Audit.

e. Once a full determination of the scope of a breach is made, the Campus IT Security Officer and USNH Treasurer will be responsible for notifying USNH executive management, banking representatives, and any other parties as appropriate.

f. A suspected breach may also be reported to USNH by the processing bank or an outside party. In that case, USNH will notify the campus merchant involved in the suspected breach and the relevant steps outlined above should be executed.

g. A detailed incident response plan will be completed and maintained by the USNH IT Security Officer. This incident response plan shall be in accordance with the parameters set forth by the card brands.

6. PCI DSS Information Technology (IT) Policy. Each USNH Institution must document its PCI DSS Information Technology policies and procedures. This may be accomplished by using templates provided by USNH’s merchant bank and/or consulting partners if desired.

7. User Change(s) at Merchant Location(s). Merchants must notify their MDRP of any changes of personnel involved in payment card processing. This includes any new hires, personnel who have been assigned new duties that include payment card handling and/or settlement duties, and changes in volunteers and contractors with access to CHD. It also includes employees, volunteers or contractors who have left their position and are no longer involved in payment card handling. Each Campus Finance/Administration Office should determine the manner in which these notifications will occur. The User Change Form is provided as a model to use in reporting these changes to the MDRP.

8. User Statement of Understanding. Persons (i.e., employees, volunteers, and contractors) who handle CHD as part of their employment or other activity at USNH must fill out and sign the related User Statement of Understanding Form or a similar acknowledgement as defined by their Campus Finance/Administration Office. The MDRP must ensure completeness of these filings at all times.

9. PCI DSS Annual Merchant Questionnaire. At least annually, each payment card merchant must (1) complete a current PCI DSS Self-Assessment Questionnaire (SAQ), (2) participate in periodic vulnerability scans if required by the SAQ, and (3) take the actions necessary to attest compliance with the current PCI DSS. After review by the QSA, the Campus Finance/Administration Office is responsible for uploading these documents to the USNH merchant bank portal upon completion.

10. Any merchant location which is not PCI DSS compliant may be assessed a $25 fee by the current USNH merchant bank for every month it is non-compliant. A different fee may be assessed for non-compliance at locations approved to use providers other than the main USNH merchant bank. Campus senior leadership must be notified of any non-compliance status and resulting fees.

11. In coordination with the MDRP, any merchant that remains non-compliant for six consecutive months may be required by USNH or USNH's merchant bank to stop collecting payments via payment card. USNH Accounting Services will notify the Campus Finance/Administration Office when a merchant is suspended from collecting payments due to non-compliance.

12. Best Practices. The USNH QSA provides regular guidance on best practices for USNH institutions to incorporate into merchant procedures to better understand and comply with the requirements of the standards. All USNH organizations that are subject to PCI DSS are expected to follow these best practices.

[1] See section A.5.c for a description of items included in cardholder data.

10 - 052 Restricted Gift Accounts

A. SUMMARY OF ADMINISTRATIVE PROCEDURE

This statement establishes minimum amounts for creating separate accounts upon receipt of restricted endowment gifts and restricted current-use gifts.

1. Gifts to endowed funds. USNH requires a minimum of $25,000 to establish a new endowed fund under normal circumstances. (Campuses may be more restrictive by requiring a higher minimum.) Exceptions to this rule may be made only by the Campus President with the USNH Treasurer based on such factors as the promise of future additions to the fund or other subjective considerations. Once an endowed fund has been established, gifts of any size may be added to it at any time.

2. Restricted current-use gifts of $500 or more for which a Banner fund does not presently exist. USNH requires a minimum of $500 to establish a new restricted current-use gift fund in Banner under normal circumstances. Exceptions to this rule may be made only by the USNH Controller based on such factors as the promise of future gifts with the same restriction, the nature of the restriction, and other subjective considerations. Each specific restriction for which gifts have been accepted is set up in Banner as a separate fund.  The restriction terms should be delineated in the document text field of the fund creation request to allow for appropriate stewardship over the restricted resources.

3. Restricted current-use gifts of less than $500 for which a Banner fund does not presently exist. Restricted current gifts of less than $500 for which a separate fund has not yet been established in Banner will be recorded in "generic" restricted current funds established in the Banner system for each major department/division/college. Campus management is responsible for fulfilling USNH's fiduciary stewardship responsibilities through manual subsidiary records, maintained and reconciled by Campus Business Office or UNH Business Service Center staff, so that the restricted gift proceeds are spent in accordance with the terms accepted by USNH.

4. Restricted current-use gifts for which a Banner account already exists. Once a restricted current-use gift fund has been established, gifts of any size may be added to it, as LONG AS THE PURPOSE DEFINED BY THE DONOR IS IDENTICAL TO THE RESTRICTED PURPOSE SPECIFIED BY THE INITIAL FUND CREATION REQUEST. Investment earnings will not be credited to unused balances of restricted current gifts under normal circumstances. Rare exceptions to this rule may be made only by the USNH Treasurer.
