Departments with cash handling responsibilities must ensure that no single individual is responsible for the collection, handling, depositing, and accounting of cash, cash equivalents, and checks received by the unit. Accordingly, the following departmental duties should be performed by separate individuals:
- Mail - Opens mail and distributes checks and cash equivalents to department cash handler.
- Cash Handler - Collects cash, cash equivalents, and checks; completes Departmental Deposit Record (DDR) for submission to the University Cashier.
- Ledger Reviewer - Reconciles departmental record of cash receipts to the general ledger on a monthly basis.
To the extent possible, a separate employee should be assigned to backup each of the individuals identified above when he or she is unavailable. In order to maintain adequate segregation of duties, the same employee should not be designated as the backup for more than one of these functions.
Cash (i.e., currency and coins) is the most liquid form of payment and the most easily misappropriated. Cash handlers, therefore, must immediately establish a record of cash acceptance in accordance with the security standards set forth in this Policy. In addition, cash must be protected against loss upon receipt and at all points thereafter. To this end, departments with cash handling responsibilities must implement security procedures in accordance with the standards contained in Appendix B.
Departments shall not accept non-U.S. currency as payment.
All cash equivalents and checks presented for payment should be made payable to the “University of San Francisco.” Departments should instruct their payers to use this name and not a variation of the University’s name (e.g., USF). Checks should never be made payable to an individual employed by the University. Invoices and other notices used to request payment should instruct payers that checks should be made out to the University of San Francisco. Checks should not be accepted if:
- The check date is 90 days or more prior to the date of receipt.
- The check has a future date, unless arrangements have been made with the payer to hold the check.
- The payment amount is illegible or the numerical dollar amount does not match the amount written on the check.
- The check is signed by someone other than the holder of the account.
In addition, departments are not allowed to cash personal checks.
Checks received that are drawn on a foreign bank account may require special handling procedures. The University Cashier should be contacted to determine the correct procedures.
Preparation of Receipts
Departments must prepare a receipt for each collection of cash, cash equivalents, and checks in accordance with the following procedures:
- Receipts must be pre-numbered and used sequentially.
- A copy of the receipt should be provided to each payer making an in-person payment.
- Receipt forms must be validated by the cash handling employee's initials or signature, or by a validation stamp identifying the employee recording the transaction.
- All voided receipts must be retained (i.e., not given to the customer) and have signed approval by a supervisor.
- A receipt should be produced for a check payment received through the mail only when the payer has requested a receipt.
Receipts for donor contributions are prepared by the Development Office in accordance with the Internal Revenue Service’s (IRS) written acknowledgement procedures set forth in the Gift Acceptance Policy.
Electronic cash registers, micro terminals, and other point-of-sale (POS) equipment used by department cash handlers must meet the following security and operational standards:
- All cash registers and point-of-sale equipment must produce a University cash receipt for each customer.
- The cash-recording equipment must be controlled by unique consecutive numbers generated automatically and recorded with each transaction, as well as imprinted on the customer receipt.
- The numbering mechanism providing consecutive transaction number control must be accessible only to the manufacturer's service representative or appropriate University personnel who are independent of the cashiering function.
- Each cash handler must be assigned a unique identifier that is not shared by or accessible to other individuals.
The purchase of electronic cash registers, micro terminals, and other Point-of- Sale (POS) equipment used for departmental cash-handling operations must be approved in advance by the Vice President for Business and Finance and the Vice President for Information Technology Services (ITS), or their designees.
All credit and debit card must be processed in accordance with the Payment Card Industry Data Security Standards (PCI DSS) adopted by the University. See PCI Compliance
. In accordance with those standards, credit and debit card payments may be processed for both “cardholder present” and “cardholder not present” transactions, as follows:Cardholder Present
Under these circumstances, the cardholder is physically on site to present his or her credit/debit card for “swiping” through the POS terminal. The transaction is completed when the authorization code is received and the cardholder has signed the card transaction receipt. The employee processing the transaction must verify the authenticity of the signature by comparing the signature on the receipt to the signature on the back of the credit/debit card. If the card has not been signed, the processor should ask to see the cardholder’s driver’s license. Cardholder Not Present
When the cardholder is not physically on-site, the cardholder’s data (i.e., name, card number, expiration date, billing address, etc.) would typically be collected by mail, telephone, or via a University website. This transaction is completed when the cash handler enters the cardholder’s information into the Commerce Manager or iModules POS terminal and obtains either an authorization code or rejection message from the system.
Mailed and telephone requests to charge a customer’s credit or debit card must be processed as follows:
- The authorization form must be correctly signed by the cardholder (mailed requests only).
- The credit or debit card account number and three-digit security code must be provided along with the card expiration date.
- The correct billing address for the credit and/or debit card must be provided.
- Prior to processing, all authorization forms must be stored in a safe or locked cabinet or drawer, accessible only by authorized persons, in order to protect cardholder information.
- When processing a debit card transaction, the PIN number should never be gathered or entered for the customer. PIN debit transactions are only allowed in a cardholder present environment where the customer enters the PIN directly into an approved keypad.
- After a transaction has been authorized by the system, only the last four digits of the account number and the authorization code may be retained. All other card information must be redacted or destroyed once a transaction has been authorized. Redacting stamps may be obtained from Accounting and Business Services.
- Departments should only store cardholder data for processing recurring payments. If cardholder data is stored electronically, it must be encrypted with access restricted to authorized persons with user ID and password protection. Hard copies of cardholder data must be stored in a safe or locked cabinet at all times.
For data security reasons, credit or debit card information should never be requested or transmitted via e-mail. Departments may accept credit or debit card payments via fax transmission only if the fax machine is housed in a secure location with restricted access.
All donor contributions made by credit or debit card are processed by the Development Office, which will send the donor a written acknowledgement confirming the receipt of his or her gift to the University. See Gift Acceptance Policy
Note: Departments should not accept payments from another University department using the University Purchasing Card. The Purchasing Card is intended only for purchasing goods or services from third-party vendors.
Point-of-Sale Equipment–Credit and Debit Card Processing
All POS terminals and systems should be configured to prevent retention of cardholder data after a transaction has been authorized. If any cardholder data is retained, it must be encrypted and protected in accordance with the standards outlined in the PCI DSS. See PCI Compliance
Procedures for the safeguarding and sale of admission or event tickets must meet the same standards and security requirements as those set forth in this Policy.
Each ticket is considered both a product and a receipt. Tickets shall have the price of admission indicated thereon and shall be consecutively pre-numbered. When tickets are produced by electronic means, the numbering system must not be accessible to the ticket seller. All ticket sales must be balanced to recorded revenue on a daily basis by the department selling the tickets. The department must also develop adequate controls to safeguard the tickets and ensure that the number of tickets sold corresponds to the expected revenue from such sales.
A full accounting of all tickets sold or issued and payments received must be retained by the department for seven (7) years for audit purposes.
Departments must use the following procedures when preparing the DDR to transfer collections of cash, cash equivalents, and checks to the University Cashier for deposit:
- Deposits must be transferred to the University Cashier on a weekly basis or sooner. If cash collections exceed $100, the funds should be transferred by the next business day, subject to the Cashier's hours of operation, or deposited in the drop box.
- The deposit must be validated and prepared under dual custody in a safe and secure area not visible outside of the cash-handling area.
- A DDR, signed by the preparer, must accompany each deposit delivered to the University Cashier.
- A report of any cash collections that are over or short must be sent to the University Cashier with the DDR, accompanied by supporting documentation (including cash register audit tapes, as applicable).
- The department should obtain a written receipt from the Cashier at the time the DDR is submitted for deposit.
When the proper FOAPAL to which a check should be credited cannot be readily determined, the DDR should be annotated by the department as follows: "Cash Received Undistributed." Under no circumstances should a check be routed to a department in another division for processing. Accounting and Business Services will follow up with the appropriate department to obtain recording information.
Appendix B contains additional information concerning the physical transfer of deposits from departments to the University Cashier. Departments, however, should not accept deposits from students for paying tuition, fees, room and board. Students should be directed to the One Stop Services Office, which has established several payment options to assist students in making such payments.
The IRS requires tax-exempt organizations and other entities to report cash transactions of more than $10,000 received in the course of a trade or business on Form 8300. The reporting requirement applies only to actual cash transactions consisting of U.S. or foreign currency and coins received in one transaction or two or more related transactions. Funds received by cashier’s check, money order, bank drafts, or traveler’s checks are not subject to reporting, except for certain designated transactions generally not applicable to colleges and universities.
The University must file a Form 8300 with the IRS by the 15th day after the date of the cash transaction, or two or more related business transactions that occur within a 15-day period. For multiple related transactions, a Form 8300 must be filed within 15 days after an installment payment causes the total cash received within one year of the initial payment to exceed $10,000. Each person named on the Form 8300 must be provided with a copy of the form or a written statement by January 31, indicating that the information has been reported to the IRS. See Forms.
The Form 8300 is filed by the Director of Internal Audit and Tax Compliance when the University Cashier receives a reportable transaction(s).
A violation of any portion of this Policy may result in disciplinary action, up to and including termination of employment and/or legal action. In addition, an employee may be personally liable for any financial loss incurred by the University as a result of the employee’s failure to comply with the requirements set forth in the Policy.