Category Archives: Blog

W111: Cash Management through Crisis for Nonprofits & Associations [1.5 CPE/CAE credit]

Title Cash Management through Crisis for Nonprofits & Associations
Date November 5, 2020
Time 3:30 pm – 5:00 pm (EASTERN TIME)
Description COVID19 presents no shortage of challenges for executives leading not for profit organizations.  The magnitude of impact to most not for profit organizations far surpasses initial considerations.  As membership dues and conference registrations decline, many NFP and Associations are facing governance and management considerations related to the COVID19 Crisis.  These include cash management, and tightly related budgeting, forecasting and financial planning techniques, as well as a need to keep board and finance committees well informed with frequent meetings and reports.
Instructor: Daniel O’Dea

Dan O’Dea joined CPA Department as Director of Outsourced Accounting, where he leads the accounting team and is responsible for managing the firm’s outsourced accounting function. Working closely with the founder, he supervises and evaluates employees to keep activities focused on the company’s overarching mission and goals of providing superior customer service designed to meet the needs of growing organizations.

Dan has been recognized for his extensive experience in accounting and finance; he was peer-selected as CFO of the Year by the Charleston CFO Council in 2017. He has worked in a variety of local and national firms as Chief Financial Officer and Controller, served in the US Navy, and taken part in various community non-profit activities. Most recently, Dan led finance and logistics operations for international manufacturing in the consumer-packaged goods space.

A US Navy veteran, Dan served more than 36 years of active and reserve service as an enlisted member and later as a commissioned officer. He received numerous awards and deployed multiple times to war zones, leading troops in hostile environments.

As a Joint Logistics officer, he led logistics operations for U.S. Security Cooperation and has significant humanitarian assistance and disaster relief experience.

When not working Dan enjoys spending time with his family, boating, fishing, and doing a wide variety of outdoor activities.

Level Beginner
CPE (NASBA Category) Finance
CAE (Field of Study) Administration – Financial Management
Prerequisites None
Delivery Live Webinar
CPE / CAE Credits 1.5
Cost: $19
Learning Objectives Preparation of Cash Budgets, Forecasts and Financial Planning

Review of ‘What-if’ Scenarios for Planning

Monitoring of Operating Reserves

Tightening of Cash Management, Cost Containment and Cash Flow

Creating a Culture of Overcommunicating to Boards and Finance Committees


Associations: Preventing credit card fraud, Lesson #2 “Internal Fraud”

Authors: Laura Tester Meyer, CPA, CGMA; Julie Duncan, Association Industry Practice Leader, U.S. Transactions Corp.; Wade Tetsuka, CPA

  • Internal fraud can cause mistrust in the association’s ability to manage resources, and troubling losses for nonprofits that reduce future contributions.
  • Every dollar lost to fraud represents a lost ability to provide needed public services to your members and communities at large.
  • By taking proper steps for PCI Compliance, you can protect against the risks of internal fraud.

In this 2nd article in a series on credit card fraud for Associations, we address internal fraud and embezzlement. Internal fraud may be the type of fraud that undermines an Association the most, creating a lack of faith or mistrust in the ability of the Association to responsibly manage the resources entrusted to it. Internal fraud results in losses that are especially troublesome for nonprofits because they come from tax-exempt funds earmarked for special purposes and may reduce future contributions and grants if an organization’s fiduciary practices are questioned by those being asked to make contributions. Every dollar lost to fraud represents a lost ability to provide needed public services, both to your members and communities at large.

According to data provided by Certified Fraud Examiners, fraud within nonprofit organizations can be prevented and/or loss can be mitigated by the implementation of important controls.

How is Internal Fraud related to Credit Card data?

It is an unfortunate reality that the more exposed your members’/customers’ credit card data is, the more likely it is that an employee, either deeply in debt or deeply disgruntled, may use the opportunity to steal credit card information. Those numbers can either be used by the employee directly or sold on the dark web. Either way, you are held liable for not protecting your customers’ data. Taking steps to reduce the exposure of credit card data will help mitigate the risk of internal fraud.

What are Internal Control Best Practices for Managing Sensitive Credit Card Data?

Strong internal controls can help reduce the risk of theft, fraud, and embezzlement in your Association. There are practical steps every Association can take (even those with very few staff members) to guard against theft and embezzlement in the nonprofit workplace.

What can your association do to protect credit card data from falling into the wrong hands?

The following best practices provide a comprehensive solution for protecting data.

  • Save Credit Card Data on a PCI Compliant Gateway¹ – a PCI compliant gateway ensures that the data you collect is housed in a PCI certified In fact, the best way to store credit card data for recurring billing is by utilizing a third party credit card vault and tokenization provider. By utilizing a vault, the card data is removed from your possession and you are given back a “token” that can be used for the purpose of [recurring or subsequent customer/member] billing.

All vaulted card data held in the gateway’s vault becomes the responsibility of the gateway. Your organization/employees will no longer see the full credit card number of customers/members but will only see a masked credit card number. If a customer or member makes a repeat purchase, your staff should not be asking again for full credit card data (instead ask for only the last 4 digits of the card for verification) because this exposes your staff repeatedly to sensitive customer data. Instead, a repeat customer should have their card charged through the PCI compliant gateway using the “masked” card on file, so that the employee never needs to see the full credit card data.

You may notice many mom-and-pop or small business service providers ask you to give your full credit card data every time you make a repeat purchase under the premise that they don’t store credit card data for security purposes. This is factually a poor business practice for the reason stated above.

You can determine if your 3rd party gateway is PCI Compliant by going to the Visa International Website – The Visa Global Registry of Service Providers — and entering the name of the gateway that you currently use. https://usa.visa.com/splisting/splistingindex.html

  • Use a Payment Link that is connected to a secure Hosted Payment Page – using a Hosted Payment Page (HPP) allows your members/customers access to a payment link where they enter their personal credit card data. The credit card data is captured directly by the 3rd party PCI Compliant gateway so that this sensitive data does not travel across your server environment. Once the transaction is processed, your staff will only see a masked credit card number, never the full data.
  • Tokenization of CC information, especially when changing processors or gateways – storing data in the gateway vault tokenizes the The same is true when using API credentials between your AMS and your Processor. Your AMS should be storing only tokens of the actual credit card number which your AMS system receives back from the 3rd party PCI Compliant gateway.

If your Association changes processors or AMS systems, and this requires you to use a new 3rd party gateway, you can request your current 3rd party gateway to transfer the credit card data from their vault to the vault of your new 3rd party gateway. A service fee may apply. Once this is done, your new 3rd party gateway will send you a data file with new “tokens” for the underlying credit card data of each customer/member.

  • Complete a PCI Compliance SAQ at least annually and conduct your quarterly scans if Most processors require an annual SAQ (Self-Assessment Questionnaire) and will charge you additional monthly fees for non-compliance. Keeping your SAQ up-to-date ensures that you are mindful of best practices regarding PCI compliance. PCI rules require that you update your SAQ at least once per year. In addition, if you have significant credit card volume, you will be required to perform scans of your network. PCI scanning seeks and identifies vulnerabilities in your network and operating systems, enabling you to find and fix problems and improve security.
  • Limit your employee user privileges for refunds. The refund function in your gateway is a way internal credit card fraud can occur. Limiting/restricting access to refunds or limiting amounts that employees can refund will assist in protecting you against falsified refunds. A falsified refund could occur, for example, when an employee uses a personal credit card to have a refund or credit applied to their credit card at the expense of the organization.
  • Reconcile your batches to your settlements daily. Your daily batch should match your deposit. Daily reconciliation allows you to quickly monitor for any discrepancies.
  • Credit Card numbers should never be transmitted via email nor stored on your hard drive. Emails and hard drives can be breached. Credit card information should only be provided verbally over the phone, faxed over an analog phone line (not a voice over IP line or a phone number tied to an electronic fax delivery service), or through a hosted secure check out page. If full credit card information is received, it should never be stored on the hard drive of any computer. It should be input immediately into a PCI compliant payment gateway for vault storage.
  • Do not store the three-digit CVV/CSC code. PCI Compliance rules strictly prohibit anyone from storing the 3 digit CVV/CSC code (4 digits in the case of AMEX). That also means that PCI Compliant gateways which do store the full credit card data are not allowed to store the corresponding CVV/CSC code. As a result, should a hack occur and credit card information is compromised, the hacker will not receive the 3 digit security code which will make it more difficult for fraudsters to make online purchases using stolen credit card data since the 3 digit security code is often required for the credit card purchase to be successfully completed.
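One way to check the refund-privilege and daily-reconciliation controls from the list above against a gateway export. This is an added example, not code from the original article or from any gateway's API; the record layout, token values, deposit amounts and the $100 refund limit are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from decimal import Decimal

Txn = namedtuple("Txn", "id date kind token amount user ref")
REFUND_LIMIT = Decimal("100.00")  # assumed policy ceiling for staff-issued refunds

# Constructed sample gateway export: card tokens only, never full card numbers.
TXNS = [
    Txn("S1", "2020-11-02", "sale",   "tok_a1", Decimal("250.00"), "web",    None),
    Txn("S2", "2020-11-02", "sale",   "tok_b2", Decimal("75.00"),  "web",    None),
    Txn("R1", "2020-11-02", "refund", "tok_b2", Decimal("75.00"),  "staff1", "S2"),
    Txn("S3", "2020-11-03", "sale",   "tok_c3", Decimal("120.00"), "web",    None),
    Txn("S4", "2020-11-03", "sale",   "tok_d4", Decimal("300.00"), "web",    None),
    Txn("R2", "2020-11-03", "refund", "tok_z9", Decimal("120.00"), "staff2", "S3"),
    Txn("R3", "2020-11-03", "refund", "tok_z9", Decimal("40.00"),  "staff2", None),
]
# Constructed bank deposits per batch date.
DEPOSITS = {"2020-11-02": Decimal("250.00"), "2020-11-03": Decimal("300.00")}

def audit_refunds(txns, limit=REFUND_LIMIT):
    """Return {refund_id: [reasons]} for refunds that need a second reviewer."""
    sales = {t.id: t for t in txns if t.kind == "sale"}
    refunded = defaultdict(Decimal)  # running refund total per original sale
    flags = defaultdict(list)
    for r in (t for t in txns if t.kind == "refund"):
        sale = sales.get(r.ref)
        if sale is None:
            flags[r.id].append("no original sale")
        else:
            refunded[sale.id] += r.amount
            if r.token != sale.token:  # credit sent to a card that never paid
                flags[r.id].append("card differs from original sale")
            if refunded[sale.id] > sale.amount:
                flags[r.id].append("refunds exceed original sale")
        if r.amount > limit:
            flags[r.id].append("over refund limit")
    return dict(flags)

def reconcile(txns, deposits):
    """Return {batch_date: batch_net - deposit} for days that do not match."""
    net = defaultdict(Decimal)
    for t in txns:
        net[t.date] += t.amount if t.kind == "sale" else -t.amount
    diffs = {d: net[d] - deposits.get(d, Decimal(0)) for d in set(net) | set(deposits)}
    return {d: v for d, v in sorted(diffs.items()) if v != 0}

if __name__ == "__main__":
    print(audit_refunds(TXNS))
    print(reconcile(TXNS, DEPOSITS))
```

Refunds R2 and R3 are flagged for review, and the 2020-11-03 batch is 40.00 short of its deposit record, which is the kind of discrepancy daily reconciliation is meant to surface.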

Associations bear the burden of convincing the public that they have the right systems and policies in place to ensure that contributions and other resources are being judiciously maintained and managed. The fiduciary responsibility to use donated funds in the manner intended is of utmost importance for Not for Profit organizations and Associations. The above steps will go a long way in ensuring that Associations are doing all they can to protect their organization from internal credit card fraud.

Talk with your team and consult with your credit card processing representative. See what solutions they recommend. A coordinated, proactive approach will ensure your Association will be in a better position to weather potential threats.

A final note to readers who are officers of nonprofit organizations and Associations: for personal identity protection and to prevent unintended commingling of personal banking account data with Association banking data, be sure to use your Driver’s License or Passport for identification purposes when it comes to your Association’s banking information, in lieu of your Social Security number. This will help to prevent your organization’s bank accounts from being associated with your personal bank accounts.

If you would like more information about how US Transactions Corporation helps Associations with credit card processing, please contact us directly at WadeTetsuka@ustranscorp.com or julie@ustranscorp.com.

 

References

1 Examples of PCI Compliant gateways include 3rd party services such as Authorize.net, PayFlow Pro (PayPal), CardPointe (CardConnect), MXMerchant, Cybersource, Network Merchants, PayTrace, and many others.

2 Source: PCI Compliance.org

 

 


What are the Best Processing Software Solutions for Purchasing Cards (Reviews/Ratings)?


Each year, we at U.S. Transactions Corp. speak with well over 150 companies across the U.S. with respect to their credit card processing services. These companies are typically doing business with the Fortune 500 and are naturally concerned about how to have the lowest possible cost for processing Purchasing Card payments (Visa/MasterCard/AMEX) from their Fortune 500 clients. Likewise, these companies are concerned about credit card data security (referred to as PCI Compliance).


The Top 5 Credit Card Processing Problems and Solutions for Associations


Each year, we at U.S. Transactions Corp. speak with well over 100 Associations across the U.S. with respect to their credit card processing services. Out of countless discussions and observations, we have discovered the problems and solutions boil down to 5 major issues that make about 80% of the difference for Associations when it comes to credit card processing. These 5 “Problems” arise in virtually every Association we come across. Instead of keeping the solutions a secret to ourselves or to those Associations who happened to have met with us, we thought it would be worthwhile to make the recommendations available for everyone’s benefit.


  • U.S. Transactions Corporation

    44044 Riverpoint Drive,
    Leesburg, VA 20176
    Phone: (866) 442-3327
    Fax: (866) 511-0935

  • Key Points About Services

    - Over the last 7 years, we have a client retention rate of 97.5% (vs. industry average of 67.4%).

    - Three consecutive years (2012, 2011, and 2010) in President’s Club

    - We prove and validate your success by providing an initial 6-month fee/savings analysis, and thereafter annually.