Evaluation of Card Program Controls

Card program controls should be:
  - appropriate: the program should be neither over- nor under-controlled
  - effective: preventing and/or mitigating risk
  - efficient: not cumbersome, and adding value (weighing the cost of each control against its benefit)

The form's columns are: Reviewed | Review Item | Considerations | Notes | Actions Needed. Review items and their considerations are listed below by section; Reviewed, Notes and Actions Needed are blank fields for the reviewing organization to complete.

Risk Analysis

  Card program risk analysis
    - Organization template or preferred format
    - Schedule/frequency (e.g., annually)
    - Responsible parties: who completes and who reviews/approves
    - Status of action items identified last time

Card Issuer

  Liability for fraud and misuse
    - Cap on monetary loss per contract with issuer
    - Chargeback rights

  Transaction dispute process
    - Number of days allowed to submit a dispute
    - The process and timeline

  Card issuer's fraud detection methods
    - Activities that raise "red flags" within the issuer's system(s)

  Methods by which card issuer communicates potential fraud
    - Who the issuer contacts, how (e.g., e-mail, phone) and what is communicated

  Methods by which card issuer informs organization of new fraud tactics and scams
    - Organization needs to stay current, so what assistance or direction can the issuer provide?

Data Security

  Security of plastic cards
    - Cards in transit
    - Card receipt by appropriate person
    - Storage/retention of cards
    - Disposal of old cards

  Card account data transmitted, retained and discarded
    - What, why, where and how: internally, by card issuer, by suppliers, etc.
    - Encryption, password-protection, etc.

  Cardholder personal data (e.g., SSN) transmitted and retained
    - What, why, where and how: internally and by card issuer


  Organization requirements for information security
    - The rules and/or guidelines applicable to business processes and systems

  System IDs and passwords: security and controls
    - Length and composition of IDs/passwords
    - Access and ability to change
    - System lockout after "x" number of failed login attempts

  Systems used and related requirements for access
    - Who reviews, how often, issuing and discontinuing access

  Data security language within program policies and procedures (P&P)
    - Address security of: plastic cards, documentation containing key data, various ordering methods

Suppliers

  Suppliers' level of compliance with PCI DSS
    - "Letter of attestation" or similar proof from suppliers

  PCI DSS language within supplier contracts
    - Incorporating into standard contract templates

Policies and Procedures (P&P)

  P&P for: 1) program participants and overall organization; 2) internal to program management team
    - Accessibility: paper versus electronic (and related "version control")
    - Accuracy, completeness and clarity

  Process and responsibility for changing program P&P
    - Managing "version control"
    - Review and approval of changes
    - Separation of duties

  Methods by which P&P changes are communicated to program participants
    - Who needs to know
    - Effectiveness of communications

Roles and Responsibilities

  Roles and responsibilities associated with card program
    - Program participants, program management team and program support
    - Separation of duties

  Suitability of employees fulfilling card program roles
    - Required and desired qualifications
    - Addressing "not suitable" instances

  Methods by which employees fulfilling program roles are held accountable
    - Consistent enforcement of P&P
    - Consistent application of consequences for non-compliance

Card Issuance and Training

  Employee prerequisites for applying for a card
    - Any past compliance issues with employee
    - Duration of employment with organization

  Methods by which card applicant's supervisor is included in process
    - Use of e-mail confirmation instead of or in addition to signature on paper

  Training for: 1) program participants; 2) program management; 3) program support; 4) overall organization
    - When required versus optional
    - Accuracy, completeness and clarity
    - Frequency
    - Delivery methods

  Process and responsibility for reviewing and changing training program
    - Review and approval of changes

  Training requirements for program participants: 1) related to card issuance and 2) on an ongoing basis (e.g., card renewal, annually, etc.)
    - Who, what, why, when and how
    - Coverage of ethics, scams and security
    - Retention of training records

  Methods by which program participants confirm and/or demonstrate understanding of: 1) P&P; 2) potential consequences for fraud and misuse
    - Internal agreement (with input from HR and/or legal team)
    - Quiz/test

  Responsibility for submitting card/account requests to issuer and card receipt
    - Separation of duties

  Methods by which card receipt by appropriate person is confirmed/ensured
    - Notification of card in transit and subsequent activation

Card Controls

  Appropriateness of card controls
    - Frequency of reviews
    - Business needs of each cardholder
    - Program goals and P&P

  Process and responsibility for changing card controls and ensuring expiration of temporary changes
    - Efficiency
    - Documentation
    - Approval
    - Separation of duties

  Frequency of changes (temporary or permanent) to card controls
    - Causes
    - Effect on procure-to-pay process
    - Impact on program administrator's time
    - Opportunity for improvement (e.g., loosening restrictions)

Transaction Review and Approval

  Cardholders' reconciliation of transactions
    - Frequency
    - Process, including actions during absences
    - Technology

  Supporting documentation requirements
    - Paper versus electronic
    - Inclusion within P&P
    - Prevention of duplicate payments

  Secondary review by cardholder supervisor, manager or other
    - Prerequisites for "approver" role (e.g., job level, training, etc.)
    - Frequency
    - Process, including actions during absences
    - Technology

  Records retention
    - Regulatory and organization requirements
    - Centralized versus decentralized
    - Paper versus electronic
    - Roles and responsibilities

Accounting Process

  Process and responsibility for entries related to card transactions/activity
    - Separation of duties
    - Automation opportunities
    - Data security

  Process and responsibility for payments to card issuer
    - Separation of duties
    - Automation opportunities
    - Accuracy and timeliness

  Monitoring accuracy of accounting/budget codes applied to transactions
    - Roles and responsibilities
    - Frequency

  Monitoring of general ledger accounts
    - Roles and responsibilities
    - Separation of duties
    - Frequency

Card/Account Closure

  Methods by which employee status changes are communicated
    - Leaves of absence, change in department, terminations, etc.

  Process and responsibilities associated with card/account closures
    - Timing
    - Impact on department operations
    - Business continuity for department
    - Documentation/audit trail

  Termination of system access
    - Timing
    - Confirmation

  Card collection, destruction and/or disposal
    - Responsibility

Auditing and Reporting

  Process and responsibility for transaction audits
    - Frequency
    - Available reporting and automation
    - Separation of duties

  Process and responsibility for process audits
    - Frequency
    - Available reporting and automation
    - Separation of duties

  Instances of non-compliance
    - Addressed per P&P
    - Consistent enforcement

  Audit follow-up
    - Needed actions
    - Roles and responsibilities
    - Program improvement opportunities

  Compliance metrics
    - Roles and responsibilities
    - Utilization

  Program reporting
    - Types of reports utilized
    - Roles and responsibilities

Regulatory

  Relevance of Sarbanes-Oxley Act (SOX) to organization
    - If not required to comply, organization may choose to comply

  Organization's tax requirements and subsequent compliance strategies
    - Roles and responsibilities
    - Automation level and opportunities

  1099-related requirements, if any, for card program
    - Roles and responsibilities

Miscellaneous

  Methods by which employees can report potential fraud and misuse
    - Viability of anonymous hotline
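The "System IDs and passwords" review item in the Data Security section (length and composition of IDs/passwords; system lockout after "x" failed login attempts) is the one checklist entry that maps directly onto code, so here it is in working form. This is an added example, not NAPCP code and not part of the checklist. The checklist leaves "x", the lockout duration and the composition rules to the organization; the values MAX_FAILED_ATTEMPTS, LOCKOUT_SECONDS and MIN_PASSWORD_LENGTH below are illustrative assumptions. The example also covers two points a reviewer would check that the checklist does not spell out: passwords are stored only as salted PBKDF2 hashes and compared in constant time, and an unknown user ID is handled like a wrong password so the login response does not reveal which IDs exist.

```python
"""Account lockout after x failed logins plus an ID/password composition check.
Added example (not NAPCP code). Thresholds are assumed values, not checklist values."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5      # the checklist's "x"; assumed value
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration
MIN_PASSWORD_LENGTH = 12     # assumed composition rule
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def password_policy_violations(user_id: str, password: str) -> list[str]:
    """Return the composition rules a password breaks (empty list == acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 of: lower, upper, digit, symbol")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LoginGuard:
    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.clock = clock  # injectable so lockout expiry can be exercised offline

    def register(self, user_id: str, password: str) -> None:
        problems = password_policy_violations(user_id, password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest)

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown IDs get 'denied' after a
        dummy hash so response time does not distinguish them from wrong passwords."""
        acct = self.accounts.get(user_id)
        now = self.clock()
        if acct is None:
            hash_password(password, b"\x00" * 16)
            return "denied"
        if acct.locked_until > now:
            return "locked"  # counter is not touched while locked
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0
            acct.locked_until = 0.0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"


def demo() -> list[str]:
    """Constructed scenario: x wrong passwords lock the account, the correct
    password is refused while locked, and accepted once the lockout expires."""
    t = [1_000_000.0]
    guard = LoginGuard(clock=lambda: t[0])
    guard.register("cardadmin", "Purch@sing-Card-2017")  # constructed credentials
    results = [guard.login("cardadmin", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(guard.login("cardadmin", "Purch@sing-Card-2017"))  # still locked
    t[0] += LOCKOUT_SECONDS + 1
    results.append(guard.login("cardadmin", "Purch@sing-Card-2017"))  # lockout expired
    return results


if __name__ == "__main__":
    print(demo())
```

Reviewing against the checklist, the questions to ask of a real system are the same ones this code makes explicit: what "x" is, how long the lockout lasts and whether it expires automatically or needs an administrator, whether the counter resets on success, and who can change these settings (the "access and ability to change" consideration).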

For more information on card program controls, visit: www.napcp.org.

Copyright © 2017 NAPCP
