Policies and Procedures
Procedure 308.7 – Assuming Credit Card Merchant Account Cost and Fiscal Responsibility
July 1, 2006
July 18, 2011
Executive Director and Information Security Officer
Information Technology Services
University departments that provide credit card merchant services are responsible for related equipment and supply costs, processing fees, and fines and penalties resulting from noncompliance with University, State, and payment card industry policies. University departments are also responsible for adhering to internal control standards for the safeguarding of receipts and data.
Forms and Instructions
Equipment and Supplies needed to provide credit card merchant services:
- Point of Sale Swipe Terminal:
For non-Internet transactions, a point-of-sale (POS) swipe terminal with printer, optional PIN pad, and a dedicated analog phone line are required. Each merchant is responsible for the installation and cost of their dedicated analog phone line. Merchants are also responsible for procuring their own point-of-sale terminal. Terminals are available through the State contract, and the NC Office of the State Controller provides a list of available models, along with pricing for both purchase and rental. The cost of terminals purchased or rented through the State contract is billed directly to the merchant on their SunTrust Merchant Services monthly invoice. To order a terminal, complete the Merchant Card POS Terminals Order Form and submit it to the Cash Manager in Accounting Services. Terminal supplies, such as paper, printer ribbons, and Visa/MasterCard logo signage, are available for just the cost of shipping. Contact the SunTrust Merchant Services help desk, (800) 654-8816, to order these supplies.
- 308.1.5f – Merchant Card POS Terminals Order Form
- Point of Sale Computer Terminal:
The merchant is responsible for all software used in a POS computer terminal application. The software and configuration must be compliant with the Payment Card Industry Data Security Standard (PCI DSS) and, if applicable, the Payment Application Data Security Standard (PA-DSS), and its use must be approved by the University Controller’s Office and Information Security Office. See Procedure 308.1 – Establishing a New Credit Card Merchant Account, or Procedure 308.2 – Changing an Existing Credit Card Merchant Account for information related to establishing a new account or changing an existing account.
POS terminals or computers that have processed or stored credit card information must be disposed of in a secure manner. See Procedure 308.4 – Disposal of Point-of-Sale Terminals, for information about how to securely dispose of the POS terminal.
- Processing Fees:
The processing fees for payments by credit card include interchange fees, assessment and switch fees, and merchant service fees. Other fees include charges for use of TouchNet and Yahoo store fronts, if applicable.
The schedule of fees for merchant card services can be found online. This schedule applies to merchant card services acquired through the North Carolina Office of the State Controller, pursuant to the Master Services Agreement (MSA) with SunTrust Merchant Services, LLC (STMS), dated August 1, 2006.
The TouchNet gateway fee, assessed for internet transactions, is 55¢ per transaction. Current Yahoo storefront fees can be accessed online.
- Fines and Penalties:
The University department, as a merchant, has the final responsibility for complete compliance with the Payment Card Industry (PCI) Data Security Standard. If the merchant does not comply with the security requirements or fails to rectify a security issue, the payment card industry may:
- Fine the responsible merchant
- Impose restrictions on the merchant
- Loss or Theft of Account Information:
A merchant must immediately report to ITS-Information Security the suspected or confirmed loss or theft of any material or records that contain cardholder data, in accordance with the Incident Management Policy. Failure to immediately notify the proper authorities will put the merchant at risk of a penalty of $100,000 per incident. Merchants are subject to fines by the payment card industry, up to $500,000 per incident, for any merchant cardholder data that is compromised and not compliant at the time of the incident.