Administrative Procedures Handbook

Business Services

Phone: 309/298-1811 Fax: 309/298-2811

The Business Services Office is responsible for the financial analysis of all University accounts, cost analysis projects, financial monitoring activities, and establishing and terminating University accounts.

Account Signature Sheet

An Account Signature Sheet (PDF) is used to establish a new account, change an account name, or change account fiscal agent or alternate signatures.

Establishing a New Account:

Individuals wishing to establish a new account should complete the Account Signature Sheet in its entirety. Detailed information should be provided as to the purpose/function of the account, major source of funds, and expenditures. The information provided will be used to begin the process of establishing an account. (Depending upon the information provided and the type of account, additional information/paperwork may be required before the account can be established.)

Changing an Account Name:

Individuals wishing to change an account name should complete the top portion and the comments section of the Account Signature Sheet. All signatures of those persons authorized to sign on the account should be obtained before the sheet is submitted to the Business Services Office. The comments section should indicate the reason for the name change (e.g., department name has changed).

Changing a Fiscal Agent or an Alternate:

A department wishing to change a fiscal agent or an alternate should complete the top portion of the Account Signature Sheet. All signatures of those persons authorized to sign on an account should be obtained before the sheet is submitted to the Business Services Office. When changing the fiscal agent, the previous fiscal agent's signature is required. Note: Fiscal Agents or alternates must be University employees.

Petty Cash or Change Fund

A petty cash fund is defined as cash maintained on hand under the responsibility of a designated person for the purpose of purchasing inexpensive items on short notice. Expense receipts are collected and periodically submitted to Business Services for reimbursement. Cash on hand, plus receipts for expenditures, should always equal the official established amount of the petty cash fund. All requests for reimbursement should be made payable to (Custodian's name), Custodian, Petty Cash Fund.

A change fund is defined as cash maintained on hand under the responsibility of a designated person for the purpose of making change for University-related activities. No payments for expenses may be made from change funds.

Approval by an Assistant Comptroller in Business Services is required for the establishment of petty cash and change funds and adjustments in amounts. Assistant Comptrollers are also responsible for the ongoing evaluation of petty cash and change fund amounts.

It is the responsibility of the department to maintain adequate security measures for the safekeeping of these funds and to prevent the unauthorized use of the funds. Examples of unauthorized use include but are not limited to cashing personal checks and making loans. In addition, petty cash funds are not to be commingled with other cash. Both petty cash and change funds are subject to audit (internal and external) on an unannounced basis.

Credit Card Handling & Compliance Procedures

The following procedures are intended to support the university’s Payment Card Industry (PCI) Data Security Standard (DSS) compliance efforts and should be reviewed annually and updated as appropriate:

  • An annual risk assessment of all areas (and corresponding vendors) taking credit cards as payment or supporting the credit card payment environment will be coordinated through Business Services and University Technology. Policies, procedures and training will be updated as appropriate.
  • Vendors processing, transmitting or storing cardholder data on behalf of the university must provide annual evidence of their compliance with PCI DSS. Business Services will annually review compliance for the University approved vendors.
  • Information security contract language must be added to all contracts that provide access to university systems, data, sensitive areas (such as data centers, wiring closets, etc.) or provide custom development on behalf of the university. The agreement should include an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses.
  • Non-encrypted cardholder data may not be taken outside the university and may not be provided to non-approved outside entities (such as 3rd party vendors providing processing, analysis, etc.). University merchants can work with Business Services to get a vendor approved. University approved vendors are: PayPal, Authorize.net, Global Payments and Illinois Funds E-PAY.
  • Areas wishing to purchase applications that process, transmit or store cardholder data must insist that the vendor provide evidence that the application has been assessed against PCI Payment Application Data Security Standards (PA-DSS) and that the vendor has provided a PA-DSS implementation guide (where configuration options are provided) that shows how the application needs to be configured to maintain or achieve compliance.
  • Business Services will maintain documentation about the requirements the University and the service provider are responsible for to comply with PCI DSS standards.
  • Quarterly network scans conducted by a PCI Approved Scanning Vendor (ASV) are required.
  • Performing external penetration testing including both a Network-layer penetration test and an Application-layer penetration test is required at least once a year and after any significant infrastructure or application upgrade or modification.
  • Ensuring that web-facing applications are protected against known attacks by having custom application code reviewed for common vulnerabilities by an organization that specializes in application security or installing an application layer firewall in front of web-facing applications is required.
  • Areas must document the location of all payment card capturing devices. The list should be updated as new devices are added, old devices are removed or devices are moved to a new location. The list should at a minimum contain the following pieces of information: Make, Model, Location and Serial Number.
  • Annual training is required to educate users of payment card capturing devices on topics such as tampering, substitution and suspicious behavior.
  • Areas should periodically inspect devices for tampering or substitution.
  • Business Services will provide annual training on the proper handling of cardholder data. All employees who handle credit cards must take the required training and receive a passing score.
  • Areas must maintain a list of all personnel with access to cardholder data or credit card accepting devices. Areas must submit a complete list of personnel any time a new employee is hired or an employee leaves the area.

Credit Card Data Retention and Disposal Procedures

Payment Card Industry (PCI) Data Security Standard (DSS) requirement 3.1 requires that the university maintain and adhere to data retention and disposal procedures. The purpose of this procedure is to ensure that records that are no longer needed are discarded appropriately and in a timely fashion. Each area that takes credit cards as payment must periodically (minimally annually) review these procedures to determine any circumstances that necessitate changes in the way they retain or dispose of cardholder data.

Lack of compliance may result in fines of $25,000 per merchant per month and may eventually result in the loss of merchant privileges.

Retention Periods:

The state of Illinois defines credit card records as receipts and defines the following retention guidelines.

| Cardholder Data Transmission, Retention and Disposal | State of Illinois Guidance |
| --- | --- |
| Credit/Debit card data (Name, Authorization Code, Authorization Date) | 3 years |
| Credit/Debit card data (Last 4 digits of account number) | 3 years |
| Full credit card account number | 3 years (encryption required prior to storage) |
| Credit/Debit card data (magnetic stripe track data, card validation code, PIN) | Never stored |
| Cardholder data over electronic mail, instant messaging, text messaging, chat, blogging and voice-mail | May only be used if data is encrypted. |
| Cardholder data over a wireless network | May only be transmitted over secure wireless |
| Cardholder data over un-secure protocols (telnet, ftp, etc.) | Encryption required prior to transmission |

Credit Card Data Disposal:

Cardholder data maintained on paper should be shredded as soon as business conditions allow, and kept no longer than the guidance provided by the State of Illinois allows. If cardholder data must be maintained on paper for any period of time, caution must be taken to ensure control and protection of the data, including:

  • Minimizing who has access to the data;
  • Ensuring that disallowed data (card validation code, PIN) is not present;
  • Concealing all but the last four (4) digits of the cardholder account number; and
  • Maintaining the paper document in a locked secure area with limited controlled access.

Cardholder data maintained electronically should be eliminated as soon as business conditions allow, and kept no longer than the guidance provided by the State of Illinois allows. If cardholder data must be maintained electronically for any period of time, caution must be taken to ensure control and protection of the data. Electronic cardholder data presents challenges beyond those of data maintained on paper. In addition to the controls mentioned for cardholder data maintained on paper, the following require consideration for cardholder data maintained electronically:

  • If business conditions allow, eliminate the electronic retention of cardholder data.
  • If business conditions allow, conceal or remove as much of the cardholder data as possible (for example, remove all but the last 4 digits of the cardholder account number).
  • Encrypt or one-way hash cardholder data prior to storage.
  • Do not make backup copies of unencrypted cardholder data.*
  • Cardholder data must not be transmitted via or stored on electronic mail, instant messaging, text messaging, blogging or voice-mail.
  • Cardholder data must not be transmitted via unsecure protocols (such as telnet, FTP, etc.).
  • Cardholder data must not be transmitted over an unsecure wireless network.
  • Regardless of whether you think your old computer holds cardholder data, ensure proper disposal of end-of-life computer equipment by adhering to WIU's Data Security Policy.