Florida International University - Office of the Controller Main Web Page
Florida International University Main Web PageOffice of the Controller Main Web Page
Office of Finance & Administration Home PageOffice of the Controller Home PageAbout UsController's Office Organizational ChartDepartmentsNewsFormsIndex
  Home
  About Us
  Organizational Chart
  Departments
News
 
 
  Forms
  Index
  Contact Us

Controller's Office > News > Panther Post Newsletter

Newsletter 2017-2018 Volume 3

In this Edition...

  • Monthly Closing Calendars
  • Important Credit Card Solutions Update: Distribution of Chip Cards
  • Annual Credit Limit Reviews
  • Unrelated Business Income Tax (Form 990-T)
  • Merchant Employee E-form
  • PCI Compliance- Ten Best Practices
  • Processing PCard International Transaction Fee
  • Reminders and Deadlines
  • Monthly Closing Calendars

    The August 2017 period in the general ledger has closed. When running your reports, please keep in mind that the reporting environment has a 24 hour delay in displaying data. The current and future month-end processing deadline schedules can be found at: Monthly Closing Deadlines.


    Important Credit Card Solutions Update: Distribution of Chip Cards

    We are happy to announce that FIU will be upgrading our existing credit cards to security enhanced Chip Cards. These new and improved cards will improve card security, making it more difficult for fraudsters to successfully counterfeit University issued credit cards.

    While EMV technology (Chip Cards) will not prevent data breaches from occurring, they do make it much harder for criminals to successfully profit from what they steal. Unlike magnetic-stripe cards, every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again, reducing fraud. The chip encrypts information to help increase data security when making transactions at terminals that are chip-enabled.

    On August 17th, JP Morgan Chase mailed your new Chip Card directly to your campus address, replacing your existing card. Your new card must be activated no later than October 2, 2017.

    Important Reminders

    • Your current card will remain active until you activate the new card, or until October 2, 2017 (if you fail to activate your new card).

    • Instructions for activating your new Chip Card will be included in the envelope with the card. Please do not activate the card in PaymentNet before receiving.

    • While the new card will have the same account number, it will have a new expiration date and CVV code.

    • Please use the last four digits of your Panther ID for activation, not your Social Security number.

    • After your new card is activated, you can cut up and discard your old card.

    Please alert the Credit Card Solutions Team if you do not receive your new Chip Card by September 18th.


    Annual Credit Limit Reviews

    We are currently conducting a spend analysis of all university issued credit cards for the 2017 fiscal year, in conjunction with their assigned credit limits.

    During this annual review, we analyze both single transactional purchases, as well as the overall monthly spend:

    • If we find a trend that a cardholder is regularly spending at their maximum limit or has requested numerous temporary limit increases throughout the year, we will recommend a permanent increase and provide an analysis of spending history.

    • If we note that a cardholder's credit limits are not regularly used, we will adjust their limits to align with their actual, historical spend.

    All cardholders were notified by email, the week of September 4th, if any changes were made (or recommended) for their cardholder account.


    Unrelated Business Income Tax (Form 990-T)

    Florida International University is required by Federal law to prepare an income tax return for net income from activities unrelated to the exempt mission of the University. This tax return (Form 990-T) must be filed annually with the Internal Revenue Service (IRS).

    The IRS has provided the following criteria to identify activities that are unrelated to the mission of an exempt organization. An activity is an unrelated business (and subject to unrelated business income tax "UBIT") if it meets three requirements: (1) It is a "trade or business"; (2) It is "regularly carried on"; and (3) It is "not substantially related" to furthering FIU's exempt purpose. Since these terms are given a specific meaning within the rules set forth by the IRS and several important exceptions exist, guidelines for these criteria are available from the Tax Compliance office for your review.

    Tax Compliance is gathering the data for the fiscal year ended June 30, 2017 and cannot identify all activities that are unrelated and subject to Federal income tax from the accounting records alone. Therefore, we are asking that all Departments review their operations for the 2016-2017 fiscal-year and determine what activities, if any, are potentially unrelated business income. Please keep in mind that Florida International University must account for and report all unrelated business income pursuant to the Internal Revenue Code.

    A reminder email with links to the UBIT questionnaire and additional UBIT information has been sent to those Department Heads & Finance Managers with UBIT activity in prior years. The information is also available on the Controller's website.

    If you have questions about unrelated business income or are conducting an activity/collecting revenue and are unsure if reporting is required, please contact tax@fiu.edu or call (305) 348-2655.


    Merchant Employee E-form

    The on-boarding and approval process to become/remain an approved merchant employee has been updated. We have implemented electronic workflow in an effort to centrally manage our merchant employees and the accompanying annual requirements. This new process will impact new and existing employees that have access to and/or handle sensitive credit card information. The form can be accessed via the link below:

    We are requesting that existing approved merchant employees initiate the merchant employee e-form no later than Friday, October 13th, 2017. If you have any questions or need further assistance, please do not hesitate to contact Katherine Cochran at kcochran@fiu.edu or 305-348-3888.


    PCI Compliance- Ten Best Practices

    Complying with the Payment Card Information Data Security Standard (PCI DSS) can be challenging and confusing. The following best practices should be implemented into your department’s daily operations to ensure you are complying with PCI DSS compliance requirements. For any questions please email the PCI Compliance team at the following address: pcicompliance@fiu.edu

    1. If You Don’t Need It, Don’t Store It!

      • Keep cardholder data storage to a minimum. Limit storage amount and retention time to only that which is required for legal, regulatory, and/or business requirements. Many offices retain cardholder data (CHD) “just because” or there is often a misconception this information is needed for “recurring” payments. If data is not absolutely necessary in order to conduct business, do not retain it in any format. If you retain the transaction number and date, you can always ask the acquiring bank for the cardholder data if requested.

      • This includes all paper and forms. Once a transaction has been processed, destroy all CHD on the form. This may require a redesign of the form to move the CHD to the bottom where it can be properly removed and cross-cut shredded.

    2. Eliminate Electronic Storage of CHD

      • Do not copy or type CHD into spreadsheets or documents on general use workstations even for temporary use. Even if you don’t save the document, an image or file of the data is stored on the hard drive. Portable electronic media devices should not be used to store cardholder data, including, but not limited to, the following: laptops, compact discs, floppy disks, USB flash drives, personal digital assistants and portable external hard drives.

    3. Implement Proper Destruction Methods

      • All forms or paper with cardholder data should be shredded in a cross-cut or finer shredder.

      • Third-party shredding services may be used, as long as the bins provided are secure and cannot be removed from the area.

    4. Use Online Payment Card Systems Appropriately

      • Many departments use third-party payment systems or gateways to outsource online payment card processing. Customers should be directed to complete payments online using these applications. If you are specifically directing people to use computer labs, kiosk machines, or other public-use computers to make payments, this can inadvertently bring these devices into PCI scope. Do not direct customers or offer payment card entry on any device that has not been properly secured or approved by the PCI Compliance Team.

      • Often staff members are under the impression that it is considered good customer service to take phone calls, emails, or some other form of communication to process a credit card transaction for a customer, however:

        • It is not recommended to act as the customer and input their data for them.

        • When it is necessary to provide this service: do not use a general-purpose workstation; transactions should be conducted on a separate (segmented) payment terminal.

    5. Never Email Credit Card Information

      • Staff should never use email as a manner of receiving or transmitting cardholder data.

      • Implement a formal policy denying the use of e-mail for payment acceptance across the institution and train all staff on what to do if they receive an e-mail with payment card details.

      • Should a customer email their payment card information:

        • Reply to the sender, deleting the credit card information from the reply and inform them that “for their protection and that of FIU policies dictate that payment card information shall not be accepted via email. Please use one of our accepted methods of processing your information: (in-person, online, fax, form, etc.).”

    6. Maintain Clean Desk Policy

      • CHD should not be left out on desks or in plain sight. Even if leaving the desk for a short period, staff should keep material in a folder and lock the folder in a secure location. At the end of the day, all CHD should be stored in a secure file cabinet or safe. Always log out or lock your computer when it is unattended.

    7. Limit and Monitor Physical Access to Systems That Store, Process or Transmit Cardholder Data.

      • If physical access is not restricted, malicious individuals could easily get their hands on sensitive data. Do not allow unauthorized personnel unaccompanied access to areas where credit card data is stored or processed. This includes other FIU staff.

      • Identify onsite personnel and visitors with badges and revoke badges upon termination or completion of visit.

      • Keep a visitor log to maintain a physical audit trail of visitor activity, documenting the visitor’s name, firm represented and the onsite personnel authorizing access.

    8. Secure the Processing Environment

      • The threat of Point of Sale (POS) terminal tampering is serious, as every day criminals attempt to install skimmers and other devices to capture cardholder data and create fraudulent cards. Ensure all POS devices are secure and periodically inspect devices for tampering and/or substitution.

      • Keep an inventory of all devices (with serial numbers) and train staff to look for abnormalities (broken seals, damage to the device, damage to external cables, etc.).

      • You should also train staff to limit access to POS devices to only authorized individuals. Report any third-party individuals claiming to be repair or maintenance personnel immediately.

    9. Keep Duties Related to Processing Cardholder Information as Separate Roles (i.e. issuing refunds, processing receipts, etc.)

      • Only those with a legitimate business need to access the information should be given privileges. Establish and define job roles and only provide access to the least amount of data needed to carry out individual responsibilities.

      • Separation of duties is an internal control, and the concept of having more than one person required to complete a task to prevent wrongful acts, fraud, abuse and errors. This can also help ensure any potential incidents are detected.

    10. Improve Oversight of Third-Party Service Providers

      • You cannot completely outsource your PCI compliance responsibility. It is important that you know and document all third-party service providers involved in your payment card processing. It is also critical to ensure the appropriate contractual language is in place dictating which specific PCI DSS requirements are the responsibility of each entity.

      • Assessing these vendors and service providers annually will ensure their compliance efforts are sufficient and protect the University from any collateral damage if a data breach occurs.


    Processing PCard International Transaction Fee

    As part of the university’s "TSYS" card conversion, your monthly bank statement will now contain an additional charge when a transaction posts from a foreign vendor.

    This International Transaction Fee is the 1.5% fee charged by JP Morgan Chase on all international purchases.

    To process the reconciliation for this bank charge:

  • Make the notation on the original purchase receipt: "This purchase also includes $x.xx (fee amount) International Transaction bank fee."

  • This receipt will support both the original transaction and the Int'l Transaction charge.

  • The expense account for International Transaction Fees is 772141 If you have any question about this process, please reach out to the Credit Card Solutions Team.
  • If you have any question about this process, please reach out to the Credit Card Solutions Team.

    Travel

    Let’s expedite approving Travel Authorizations, Cash Advances and Expense reports. Documents that have not been completely finalized and are older than 90 days will be cancelled or deleted by the Travel Department. A list of pending documents is located here. Information regarding report status abbreviations and how to close or cancel Travel Authorizations and/or Expense Reports, would be found here.


    Departmental Card Deadline

    As a reminder, Departmental Card billing transactions regularly load the first business day of the month; program participants will have 10 days to process this activity in its entirety. This month's billing statement (dated August 31, 2017) loaded into PantherSoft on August 2, 2017 and should have been completely processed by end of the business day on September 20, 2017.

    Any charges not processed by the closing deadline will be automatically charged to the cardholder's default accounting on file and will not be eligible for a transfer. Cardholders with three unjustified non-approvals in the same fiscal year will have their card temporarily suspended until they complete a retraining session.


    Friendly Reminder about Departmental Deposits

    To all University community, please verify the correct chart field values (Department number, Site, Fund Code and Program Code) for your activity or project number before you fill out the departmental deposit form.

    You can access the most current chart field values associated with your activity/project number in PeopleSoft Financials System:

    Main Menu => Set Up Financials/Supply Chain => Common Definitions => Design CharFields => Define Values => SpeedTypes

    Enter on Speed Type Key: your activity or project number

    Thank you for your cooperation.

    How to sign up for the Panther Post Newsletter

    If you wish to be added to the ListServ for the Panther Post, please email controller@fiu.edu.

     
    Office of the Controller