Establishing and Accounting for Payment Card Accounts

Financial Affairs, Office of the Controller   |   Approved February 10, 2021

Purpose

Establish a payment card account (“merchant account”) to receive funds from external sources.

Applicability

UMB Operational Units (schools, departments, divisions) that accept credit card payments for transactions involving UMB Funds.

Instructions

In the course of business at UMB, Operational Units may choose to accept payment (e.g. credit, debit) cards for goods and services. In accordance with the State of Maryland General Accounting Division, UMB Funds received through payment card transactions must be processed via a merchant account authorized by the State Treasurer’s Office (STO).   

Establishing a Merchant Account:

1. There are two methods for processing payment cards:
   1. Online – The Operational Unit is responsible for selecting and implementing the payment gateway (software application that authorizes payments for merchants). TouchNet is the UMB provided gateway.
   2. Payment Card Terminal – Payment card terminals are purchased by the department through the merchant bank contracted by the State of Maryland for merchant services. Additional information on payment card equipment is available in the Procedure on Payment Card Industry (PCI) Data Security Standards (DSS) Compliance and Payment Card Transactions.  Contact DL-CITSPCICompliance@umaryland.edu for further information and equipment costs.
2. Complete the Merchant Account Request Form (see Financial Services Forms)
   1. The Merchant Account Request Form is used to request a merchant account ID number (“MID”) and to ensure compliance with Payment Card Industry (PCI) standards.
   2. Submit the completed form to DL-CITSPCICompliance@umaryland.edu.
   3. After submitting the completed form, a PCI Committee member will contact the Operational Unit.
   4. Any changes in personnel listed on a previously submitted Merchant Account Request Form should be emailed to the DL-CITSPCICompliance@umaryland.edu. 
3. Upon approval, the merchant bank (BB&T/Truist) representative and a PCI Committee member will meet with the Operational Unit. A BB&T/Truist Relationship Manager works with the Operational Unit to activate the merchant account and will provide information on account management, account fees, and any other assistance needed.
4. BB&T/Truist will assign a merchant account number and will assist with setting up equipment or establishing a gateway connection.

General Information:

1. Prior to processing transactions individuals with duties related to payment cards, including, but not limited to, accepting, processing, reviewing, approving, and reconciling transactions must complete the tasks listed in this section. The Operational Unit PCI Coordinator must also complete these tasks.
   1. Review UMB Policy VIII-99.08(A) Payment Card Policy: Payment Card Industry Data Security Standards and accompanying Procedure on Payment Card Industry (PCI) Data Security Standards (DSS) Compliance and Payment Card Transactions.
   2. Complete PCI training.
2. Operational Units must use approved PCI Bank Equipment (see Procedure on Payment Card Industry (PCI) Data Security Standards (DSS) Compliance and Payment Card Transactions) at all times, including events held in locations other than the site listed on the Merchant Account Request Form. Examples include off-campus events and on-campus registration tables. Contact DL- CITSPCICompliance@umaryland.edu for assistance in obtaining additional equipment.
3. Revenue will be credited daily directly to the funding source indicated on the Merchant Account Request Form.  

   Note:  As of February 12, 2021 some units have been set up for crediting the revenue daily directly to the funding source.  This is referred to as “automatic revenue mapping.”  Student Financial Services is in the process of coordinating automatic revenue mapping with all operational units. Units that have not yet been converted need to continue to use their established method to claim revenue until their automatic revenue mapping is completed. Questions?  Contact  Jordan Nixon jnixon@umaryland.edu.

4. Bank fees will be charged to the funding source indicated on the Merchant Account Request Form via a journal entry at least twice a year. Operational Units should not pay fees directly to BB&T/Truist.
5. Operational Units are prohibited from establishing merchant accounts that have not been authorized by the STO.
6. Operational Units are prohibited from accepting payments via PayPal, Venmo, or other similar methods. Payments must be processed through a merchant account authorized by the STO.
7. Monthly reconciliations are required. Instructions for reconciling payment card activities are available in the Procedure on Payment Card Industry (PCI) Data Security Standards (DSS) Compliance and Payment Card Transactions.

Questions about this Procedure?  Contact the Assistant Controller-Bursar at 410-706-2929.

Questions about PCI compliance? Contact DL-CITSPCICompliance@umaryland.edu.

Responsibilities:

1. Operational Units
   1. Complete and submit Merchant Account Request Forms.
   2. Provide accounting information for recording revenue and service charges.
   3. Reconcile activity.
   4. Ensure personnel and transactions comply with UMB Policy VIII-99.08(A) Payment Card Policy: Payment Card Industry Data Security Standards and Procedure on Payment Card Industry (PCI) Data Security Standards (DSS) Compliance and Payment Card Transactions.
2. Office of the Controller – Student Financial Services
   1. Assist Operational Units in establishing merchant accounts.
   2. Charge Operational Units for bank fees.
3. Center for Information Technology Services (CITS) – PCI Compliance Committee
   1. Assist Operational Units with PCI Compliance.
   2. Develop and manage PCI training materials.

Violation of Procedure:

Employees who do not comply with this Procedure may be subject to disciplinary action and/or criminal action.  An Authorized Affiliate Employee who does not comply with this Procedure may be subject to disciplinary action, lose the privilege of being an Authorized Affiliate Employee, and will have UMB fiscal authority terminated.

Definitions and Terms:

Authorized Affiliate Employee - Person employed by an entity that has a relationship with UMB authorized by the Board of Regents or by law, e.g., faculty practice plan organizations, University of Maryland Baltimore Foundation (UMBF) and other affiliated foundations, recognized incorporated alumni associations, recognized affiliated business entities, University of Maryland Medical System/University of Maryland Medical Center, and other University System of Maryland institutions.  An Authorized Affiliate Employee is responsible for the administration and reporting of UMB resources.

PCI Compliance Committee (PCC) – A team of UMB employees from Administration and Finance and CITS that oversees PCI compliance for UMB.  Contact:  DL-CITSPCICompliance@umaryland.edu

UMB Funds- All funds administered by UMB, regardless of fund source.  UMB funds include State appropriated general funds, tuition, fees, and other income, as well as auxiliary funds, revolving/discretionary funds, Designated Research Initiative Funds, gifts, contract or grant revenues, and other restricted funds.