
Policies and Procedures

Policy 308 – Credit Card Merchant Services


Effective
July 30, 2010

Last Updated
July 15, 2011

Responsible University Officer
University Controller;
Executive Director and Information Security Officer, Information Technology Services

Responsible Unit
Accounting Services

Policy Statement

University policy provides standards to manage merchant accounts for credit card receipts; to ensure proper control, integrity, and security of credit card data; and to ensure compliance with State and industry standards.

A. Merchant Approval

All credit card processing activities at the University require approval of the Vice Chancellor for Finance and Administration or delegate. If an Internet application is to be used, approval of the Vice Chancellor for Information Technology or delegate is also required. University departments may NOT process credit cards under any circumstances without the required approvals. University departments shall NOT sign any contracts or enter into any agreements with a Third Party or purchase related equipment or software without approval. University departments may not set up their own banking relationships for payment card processing.

To become eligible or to remain eligible, a merchant must exceed the minimum annual transaction volume and dollar amounts as set forth by the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) committee.

University departments are required to complete the necessary application forms and questionnaires to request approval to accept payments by credit card. The standard forms and instructions for their use are listed in the accompanying procedures.

B. Merchant Standards

University departments are required to adhere to appropriate standards for credit card merchant services, including training, outsourcing agreements with third-party providers, data and system security, Payment Card Industry (PCI) Data Security Standard (DSS) compliance, cost responsibility, fiscal responsibility, and truncation and retention of merchant cardholder account numbers.

C. Transaction Fees

Transaction fees may be charged to cover the cost of permitting a person to complete a transaction using a web application or other means of electronic access. The fee imposed must be approved by the Vice Chancellor for Finance and Administration or delegate and the Office of State Budget and Management, in consultation with the State Chief Information Officer and the Joint Legislative Commission on Governmental Operations. The transaction fees that are charged must be for conducting an electronic transaction, not for the use of a merchant card. Electronic access includes the internet and voice response systems but not mail orders, telephone orders, or a face-to-face transaction.

The revenues from the transaction fee and expenditures funded by the fee must be accounted for separately to provide an audit trail on the collection and use of the fees. Expenditures may only be made for e-commerce initiatives and projects, to include any third-party related fees and merchant card processing services.

D. Office of the State Controller (OSC) Policies

University departments and units that have been approved as merchants are required to adhere to the E-Commerce policies of the Statewide Electronic Commerce Program. These policies are located on the NC Office of State Controller website.

Reason for Policy

The purposes of the credit card merchant policies and procedures are to provide essential information in obtaining and managing merchant accounts for credit card receipts; to provide requirements to ensure proper control and integrity of credit card data as well as security in the collection, maintenance, and transfer of credit card data; and to ensure compliance with the Payment Card Industry (PCI) Data Security Standards.

The primary focus of the PCI Data Security Standards is to help merchants (such as University departments) improve the security of cardholder information by improving overall security standards, which reduces the chances of security breaches. The growth of electronic commerce has resulted in increased occurrences of stolen cardholder information throughout the industry, which is an important concern to merchants and others that rely on electronic commerce as an efficient payment method.

The rise in cardholder information compromises has resulted in an increased focus and regulatory actions by the major card associations. To improve the integrity and security of the payment processes used for receipt of payments by credit cards, compliance with the PCI Data Security Standards is mandated. The standards help merchants improve the safekeeping of cardholder information, which in turn reduces the chances of security breaches, fraud, and potential financial losses. These policies and procedures will help ensure that cardholder data and the electronic commerce network are protected and kept secure.

Exclusions

There are no exclusions. Academic and administrative units; faculty, staff, and other employees; or others that use systems or networks supported by the University shall abide by these policies. These policies pertain to credit card processing of payments received by the University. All point of sale (POS) terminals and all servers or databases receiving, storing, or transmitting credit card numbers are subject to these policies.

Special Situations

None

Procedures

Additional Information

Frequently Asked Questions

Q: Can a University department accept credit cards as a form of payment?
A: University departments provide goods and services to their customers and accept credit cards as an appropriate form of payment. Many University departments have been set up with credit card merchant accounts consisting of point of sale (POS) terminals, customized internet applications, TouchNet Marketplace U-Pay sites, payment application software, or Yahoo store fronts. The University has a contract with TouchNet, a payment gateway. The State of North Carolina is under contract with Wachovia Bank for settlement of funds and with SunTrust Merchant Services to process payments received by credit card. Currently MasterCard, Visa, American Express and Diners Club are allowable forms of payment by credit card to the University.

Q: Are there any limitations on goods or services that can be sold by a University department?
A: With certain limited exceptions, State law (including the Umstead Act, also known as G.S. 66-58) prohibits University departments from selling goods and services to the general public. However, in conducting University business, some departments receive payments for goods or services such as application or registration fees. The Office of University Counsel should be consulted by the credit card merchant as necessary to document that the goods or services for sale are consistent with State law and University trademark licensing.

Q: Can PayPal be used to accept payment?
A: PayPal has two products: one is a money transmitter and the other is a payment gateway called PayPal Payflow Pro. Payflow Pro may be allowed with approval from the CERTIFI Committee (see Procedure 308.1 for requesting an exception to the University payment gateway).

Q: What should we do if we suspect a breach of credit card or personal information (sensitive information)?
A: If you suspect a breach, please refer to the procedure as described in the University’s Information Technology Services Incident Management Policy.

Q: Can a department accept donations through an existing or new credit card merchant account?
A: All fundraising should be coordinated through the University Development Office. University Development can discuss the options available with the departments wishing to accept credit cards for donations.

Related Data

UNC-Chapel Hill TouchNet Payment Gateway Privacy Policy:

Protecting the privacy and personal data of our customers is very important. The University of North Carolina at Chapel Hill has taken numerous steps to protect the personal information of those who transact business with us. Personal information that you provide to us is not used, shared or sold to third parties except to the extent required by law. NO credit cardholder or bank account data is processed, transmitted or stored on our website, but rather is collected, transmitted and processed by a Payment Card Industry (PCI) compliant third party service provider.

Contacts

| SUBJECT | CONTACT | TELEPHONE | FAX | E-MAIL |
| --- | --- | --- | --- | --- |
| General Question | Accounting Services Cash Management | 919-962-1601 | 919-962-3306 | ccadmin@unc.edu |
| Establish Credit Card Process | Accounting Services Cash Management | 919-962-1601 | 919-962-3306 | ccadmin@unc.edu |
| Deposits and Reconciliation | Student Accts. and University Receivables / Cashier’s Office | 919-962-5846 | 919-962-1568 | deposits@unc.edu |
| PCI Compliance and Data Security | ITS – Information Security | 919 445-9393 | | security@unc.edu or certifi@unc.edu |
| TouchNet Connection | HELP Desk | 919-962-4357 | | |
| TouchNet Payment Gateway | ITS eCommerce Analyst | 919-445-9319 | 919-962-0461 | touchnet@unc.edu |
| PCI Training | Accounting Services Cash Management | 919-962-1601 | 919-962-3306 | pci_training@unc.edu |

History

Revised:
July 15, 2011
July 1, 2006
