- Last Updated: 23 January 2018 23 January 2018
|Policies and Regulations||NEPN Code: DGD-R
Access to Data
- Only authorized personnel who process credit and debit card transactions as part of their position with the District shall have access to cardholder information and other documentation related to processing of card data.
- All Employees who process or handle credit or debit card or electronic payment information are required to attend security training upon new employment and annually, thereafter
- All employees shall have a unique identifier login to payment systems. Group accounts or shared accounts are not allowed.
- The District prohibits any payment information to be sent through school mail.
- All transmission of cardholder data must be secure and protected with best-practices cryptography and encryption techniques.
- The use of email, fax transmissions (sending and receiving), instant messaging or chat programs to transmit cardholder data is prohibited.
Processing of Card Data
- Transactions are to be processed immediately.
- The three digit validation code or pin number of a card should never be stored. Only the last four digits of a card number will be displayed, if at all.
- Documents containing cardholder or electronic payment information must be shredded.
- Downloading credit/debit card or electronic payment information to portable devices is prohibited. Examples of these types of devices include laptop computers, personal digital assistants, cell phones, USB flash drives, compact discs.
- Electronic receipts documents or correspondence of any kind, may not include cardholder data. If information is needed to reference a transaction only the last four digits of the card may be used.
Storage of Cardholder Data
- The District requires all payment documentation to be stored in a secured, locked location for the minimum duration required by operational, legal and regulatory purposes.
- All documents and media that contain cardholder data must be secured against unauthorized removal, tampering and viewing.
- Employees are to hold information securely while working on items. This means securing the computer and not leaving items unattended. Information should not be accessible to employees who job functions do not require it or visitors who may be in the building.
- Documents and media containing stored sensitive information are required to be inventoried and disposed of according to policy. Movement of data and documents from a secured location must be approved by the Business Manager, and secured and tracked to assure all items are accounted for and destroyed properly.
- Cardholder data and documentation must be cross-cut shredded or destroyed upon disposal.
Mitigating the Effect of Unauthorized Disclosures:
School District Personnel will utilize the following process to mitigate the effect of an unauthorized release of card holder information by the District or by a contractor/business associate:
- Any unauthorized release of protected cardholder information will be immediately reported to the Business Manager upon discovery of the release.
- The Business Manager or designee shall investigate such unauthorized disclosure, notify the response team, and take such action as is reasonable and practical, under the application of facts and circumstances, to mitigate any harmful effect that has resulted, or might reasonably be foreseen to result, from such unauthorized disclosure.
- The Business Manager or designee shall document the nature and substance of such unauthorized disclosure, the results of the investigation, and the actions taken to mitigate any harmful effect of such disclosure.
Credit Cards (i.e. purchasing cards) are used to improve processing efficiency and provide revenue share on School District purchases. Any revenue share paid by the bank to the District shall be deposited in the General Fund.
A signed and approved Credit Card Enrollment Form and Cardholder Agreement for employees’ authorized use of a credit card are required. The Enrollment Form and Cardholder Agreement are to be filed with the Purchasing Supervisor in the Purchasing Department. Cardholders are also required to follow the Credit Card Program Guide and Policies located on the District website.
Each card issued has specific card controls and limits established, including single transaction dollar limits, monthly limits, yearly limits, and merchant category exclusions. Principals/Supervisors will review those limits with their staff.
Authorized use of the credit card is limited to the person in whose name the card is issued and may not be loaned to another person.
The credit card is for business-related purposes only. It may not be used for personal purchases. The credit card is District property and should be used only for qualified District purchases. The items listed below are examples of qualified and unqualified purchases.
Maintenance/repair/operations, facilities maintenance expenses, office supplies, stationery, forms, printing, books, periodicals, subscriptions, DVD’S, CD’s, computer supplies and maintenance, safety equipment or supplies, catering or small dining services, medical supplies, screen printing, repetitive/consistent purchases, lodging, car rentals (lodging and car rentals must be pre-approved by the Travel Specialist)
A product or service not considered an appropriate use of District funds, capital equipment, entertainment (bars, liquor stores, movie theaters, etc.), contract services, personal purchases, cash advances, money orders, fines, purchases in excess of transaction limits, meals for personal consumption, any items required to be inventoried, registration fees, airline tickets.
The Board authorizes the Travel Specialist to use the credit card for the sole purpose of covering expenses related to travel by District employees and/or consultants retained by the District as speakers, presenters, etc., including registration fees and airline tickets. The Purchasing Supervisor or designee may use a District credit card to purchase items online that cannot be reasonably purchased elsewhere or when purchasing or paying for items online results in significant savings. The Purchasing Supervisor or designee may also use the credit card for prepayment of items/services when required by a vendor or in instances of savings to the District.
Cardholders, with the exception of the Purchasing Supervisor or designee and the Travel Specialist, will not be allowed to use the credit card for purchases of items greater than $1000 each.
Employees authorized to use a credit card are responsible for obtaining a receipt for each purchase transaction, maintaining a Purchasing Log Sheet (if required to by the employee’s supervisor) and reconciling their bi-weekly bank statements. Bank statements must be reviewed and signed by the principal/supervisor or designee on a regular basis. The receipts together with the log sheet (if required) and bank statements are to be filed in a secure place in the office for a period of three years. The Business Manager or designee shall periodically audit the credit card receipts and the bank statement reconciliation. Employees shall reimburse the District for any charges that are disallowed by principal/supervisor, the Business Manager or designee.
Upon request by an authorized representative of the District or upon termination of employment, each employee must return the credit card to the program administrator in the Purchasing Department.
The Finance Office shall make Telepay payments to the bank for purchases charged on bi-weekly bank statements.