Payment Card Refund Guideline

1. Refunds must be completed using the same payment method card type (e.g. credit card, debit card) and account number as the original purchase.
2. Where a refund cannot be processed using the original payment method, card type and account number, it must be processed manually via the Workday Spend Module. The Supplier Set Up team will need to set up the customer as a supplier. An invoice for payment should be created. The 'invoice' should be submitted for payment and routed for approval in the same way as an external Supplier invoice. Documentation should be attached as to the reason for not using original payment method.  Management approvals are taken here to mean the direct supervisor of the person transacting the refund, or an M&P staff member that has signing authority for the area of business.
3. At no time should a refund be made with cash where the original transaction was done via a non-cash method (i.e. POI device, Virtual Terminal or eCommerce portal).
4. To provide additional control and reduce the impact of fraud, the merchant should request from the Acquirer [2] a refund limit which cannot be exceeded at any time.
5. The original transaction receipt and other supporting documentation should be attached to the refund request. Where the original receipt Is not available, a manual signed receipt by requestor and refund processor with reasons must be provided.
6. Authorised Personnel (AP)[3] are provided with either a specific refund code (PIN) or access credentials (password). The University’s PCI Compliance Officer in Revenue Accounting will maintain a control list of all Aps for each merchant ID.
7. PINs and Passwords are confidential information. The AP should safeguard it with strictest confidence. Under no circumstances should the PIN or Password be disclosed to third party. If the AP suspects the PIN and Password has been compromised, the AP should inform their supervisor immediately and request a PIN/Password reset.
8. Refunds should always be processed with supervisory approval. (Refer to #15)
9. Completed refunds should be recorded in a log for review and reconciliation with the daily transaction summaries by business unit. The reason for the refund should be recorded. (See Sample Refund Reconciliation Log)
10. Refund transactions in the log and supporting documentation should be reviewed by management at least weekly.
11. The refund log should be reconciled to the Acquirer daily transaction summaries by business unit at least monthly.
12. Separation of duties should be maintained as a means of protection against error, omission and fraud. This means separating the tasks of processing, approval and reconciliation. For example, the AP who process payments should not be responsible for reconciling payments.
13. All new staff involved in merchant activity should be provided with the refund policies and related procedures at their orientation. They are expected to follow the policies and procedures to ensure consistent handling of refunds.

[1] Management approvals are taken here to mean the direct supervisor of the person transacting the refund, or an M&P staff member that has signing authority for the area of business.
[2] A Merchant Acquirer is a third party that the University has contracted with to provide card payment service (credit and debit card transactions). The University has several Acquirers including TD Merchant Services, Chase Paymentech and Moneris.
[3] Authorised Personnel are members of staff with authority to approve refund transactions using payment card processing methods.

14. All refund transactions more than $5,000 require prior Treasury approval irrespective of the refund mode.
15. Refunds require prior management approval. Where this is not practical, compensating controls are required by means of subsequent management review and post event approval of transactions on a daily basis.
16. Where segregation of duties cannot practically be maintained, the Departmental Finance Officer should review and approve compensating controls.

17. Merchants should regularly review their refund transactions using reports from the Acquirer, either the TD Merchant Online Report, Moneris Merchant Direct or Chase Reporting, to verify/monitor refunds (or transactions) processed through POI devices, Virtual Terminals or eCommerce solutions. Access to online reporting can be requested by contacting the PCI Compliance Officer for the University. Unusual or unexplained trends should be reported to management, e.g. multiple transactions to the same card number.
18. The reconciliation of refund payments (from online reports to supporting systems, bank statements and the log summary) should be reviewed and signed off by management at least monthly.
19. All credit card clearing accounts should be cleared regularly and reconciled at least monthly per established Banking Procedures on credit card deposits.
20. The AP that handle the refunds and prepare the summary log should not be the same person that reconciles the log or daily transaction summaries.

21. The refund code (PIN) should be provided only to AP, and the safeguard of the PIN Code is the responsibility of the AP.
22. The refund code (PIN) should be stored securely or not recorded at all, for security reasons. In particular, it should NEVER be physically recorded on the POI device.
23. The refund code (PIN) should be changed when the AP with knowledge of it:
       a. No longer requires access (either due to a job change or employment termination) or
       b. There is suspicion that the PIN has been compromised.
24. POI devices should never be left unattended. Where possible, devices should be physically secured after hours to prevent unauthorized access, tampering or substitution.
25. Any instances of suspicious behaviour regarding the POI devices and PIN should be reported to management immediately and replace the POI.
       a. Merchant contacts UBC IT Security Centre to report the incident;
       b. Merchant contacts the Acquirer to request replacement of the POI device; and
       c. Merchant informs the PCI Compliance Officer to request for a new security seal.

26. Access to ePayment Virtual Terminals must be granted by Student Information System (SIS) security and approved by management.
27. Access to non-ePayment Virtual Terminals must be granted in accordance with the relevant PCI Usage Policy Document.
28. Access credentials (passwords) required to complete a refund should only be provided to AP.
29. AP in one department should not process refunds where the payment was initially processed by a different merchant department.
30. The VISA Merchant Best Practice Guide for Cardholder Not Present Transactions (pdf) must be followed for refund payment requests received by telephone, mail, or fax.
31. Under no circumstances is payment information (e.g. credit card number, cardholder name, expiry date and Card Verification Value (CVV) obtained by telephone, mail, email or fax be shared with other individuals or a third party. Payment information collected should be kept following the PCI DSS standards on storage.(pdf)

32. Business unit refund policies must be clearly identified to customers at the time of sales.
       a. Specific time frames in which refunds may be processed must be clearly stated (i.e. within 30, 60 or 90 days from date of purchase);
       b. Refund policies with regard to damaged and opened merchandise must be clearly stated;
       c. Refund policies must be clearly displayed in the store and website of the selling unit.
33. When processing refunds, returned goods must match the goods purchased and in original condition – this can be verified by reviewing the product ID or other identifier for the goods purchased and examination of the merchandise.
34. For telephone orders, the following information should be obtained from the customer to serve as refund evidence:
       a. Cardholder contact information, such as telephone number, billing address or email address;
       b. Details of the merchandise or services of the original order;
       c. Time and date of the original order;
       d. Details of the conversation including requestor’s information, refund requested.
35. If there is any doubt about the requestor’s identity, (i.e. not the original purchaser or cardholder), the refund request should be placed on hold and management be informed immediately.
36. For Mail or Fax orders, the cardholder’s signature on the order form should be validated against the refund request during refund processing.
37. Copies of order forms and proof of delivery of merchandise to the address specified by the cardholder and the refund request documentation should be retained for a period of at least 7 years.