Policies and Procedures
Policy 308 – Credit Card Merchant Services
July 30, 2010
October 24, 2017
July 7, 2017
Executive Director and Information Security Officer
Information Technology Services
All components of the University of North Carolina at Chapel Hill that collect funds in the form of payment cards, either directly through a merchant account with the University’s payment card processor or through a contract with a third party, are required to support compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the E-Commerce policies of the Office of State Controller (NC OSC) Statewide Electronic Commerce Program.
A. PCI Compliance
University level compliance is the responsibility of the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) committee. The committee establishes and manages an approval process for all payment card and electronic payment processes for all University departments. The committee provides training and communication about PCI compliance and best practices in E-Commerce. The committee coordinates the annual process for documenting PCI compliance, including facilitating self-assessment questionnaires (SAQs) for all merchants, maintaining documentation of attestations of compliance (AOCs) for all third party payment processors, maintaining the merchant inventories, and coordinating with vendors to provide external attestations. Noncompliance or a breach in any one area of the University affects the entire University’s level of compliance.
Department and Merchant level compliance is the responsibility of the chief business officer of each unit. Department managers and senior managers are required to participate in PCI Awareness training and require that merchant managers and staff meet all compliance requirements.
Key Compliance Requirements:
- All employees and agents interacting directly and indirectly with cardholder data must protect cardholder data by adhering to this policy and related procedure, including the Merchant expectations defined in Procedure 308.1.
- Department and senior managers will define access needs for each role in the payment card process, including: the system components and data resources that each role needs to access for its job function; and the level of privilege required (for example, user or administrator) for accessing those resources (as defined in PCI DSS requirement 7.1.1).
- Additionally, they will restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
- Assign access based on individual personnel's job classification and function.
- Require documented approval by authorized parties specifying required privileges.
- Immediately revoke access for any terminated users. Remove/disable inactive user accounts within 90 days, or sooner, as prescribed by the guidance relevant to the system in use.
- Do not use group, shared, or generic IDs, passwords, or other authentication methods.
- Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties (as defined in PCI DSS v3.2 requirements 7.1.2, 7.1.3, 7.1.4, 8.1.3, 8.1.4, 8.5 and 8.8).
- The payment ecosystem includes any individual with access to cardholder data, point-of-sale terminals, ClientLine or TouchNet, and the IT support staff who assist with software updates and changes related to cardholder systems. These individuals are required to have annual training that includes processing procedures, PCI compliance awareness training and safeguarding of cardholder data.
- All persons responsible for business processes that include handling cardholder data or participate in the payment card ecosystem must have annual PCI compliance awareness training and ITS Security Awareness Training.
- All persons providing IT support for applications that hold or interact with cardholder data must have annual PCI compliance awareness and ITS Security Awareness Training.
- Any cardholder data storage and processing involving the University’s network must be confined to the Cardholder Data Environment (CDE) maintained by Information Technology Services. Computer workstations used for processing and interacting with cardholder data must be dedicated to that purpose and must not be used for checking email or browsing the internet.
- All work areas where cardholder data is handled should be physically secure. This includes limiting access to persons authorized to handle and process cardholder data.
- Communicating cardholder data via end-user messaging technologies (for example email, text, SMS or chat) is strictly prohibited.
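As an added illustration of the messaging prohibition above (this is example code written for this page, not a University tool or anything referenced by Policy 308 or its procedures): a scanner that flags messages carrying a probable primary account number (PAN) and shows how such a number would be truncated to its first six and last four digits before being written to a log or alert, the maximum PCI DSS requirement 3.3 allows to be displayed. The candidate regex, the Luhn check, the function names and the sample messages are this example's own assumptions; the card numbers in the samples are the card brands' published test numbers, not real accounts.

```python
import re

# Added example (not University code): flag messages that carry a probable
# primary account number (PAN), which Policy 308 forbids sending by email,
# text, SMS or chat, and truncate any hit before it is logged.
# The regex, the Luhn check and the sample messages are assumptions of
# this example, not taken from the policy.

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample messages. The card numbers are published test numbers.
SAMPLE_MESSAGES = [
    "The donor's card is 4111 1111 1111 1111, exp 12/20, please run it today.",
    "Reminder: call the Help Desk at 919-962-4357 about the TouchNet connection.",
    "Refund ticket 1234567890123456 has been posted.",
    "Two cards on file: 5555-5555-5555-4444 and 378282246310005.",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit-only PANs found in text (13-19 digits, Luhn-valid)."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The Luhn check drops long digit runs that are not card numbers,
        # such as ticket or invoice identifiers.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def truncate_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits (PCI DSS requirement 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_messages(messages: list[str]) -> list[tuple[int, list[str]]]:
    """Return (message index, truncated PANs) for each message that must be blocked."""
    findings = []
    for idx, msg in enumerate(messages):
        pans = find_pans(msg)
        if pans:
            findings.append((idx, [truncate_pan(p) for p in pans]))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: contains PAN(s) {masked}; blocked under Policy 308")
```

The Luhn check is what keeps the phone number and the refund ticket in the samples from being reported; it is a filter against false positives, not proof that a number is a live account, so a hit should be treated as a policy violation to investigate rather than as confirmed cardholder data. Only the truncated form ever leaves the function, so the alert itself does not become a second place where full PANs are stored.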
B. Merchant Approval
All credit card processing activity at or on behalf of the University requires approval of the CERTIFI committee. University departments may NOT process credit cards under any circumstances without the required CERTIFI approval. University departments may not set up their own banking relationships for payment card processing.
C. Transaction Fees
Transaction fees may be charged to cover the cost of permitting a person to complete a transaction using a web application or other means of electronic access. The fee imposed must be approved by the CERTIFI committee and General Administration. The transaction fees that are charged must be for conducting an electronic transaction, not for the use of a merchant card. Electronic access includes the internet and voice response systems but not mail orders, telephone orders, or a face-to-face transaction.
The revenues from the transaction fee and expenditures funded by the fee must be accounted for separately to provide an audit trail on the collection and use of the fees. Expenditures may only be made for e-commerce initiatives and projects, to include any third-party related fees and merchant card processing services.
Reason for Policy
The University engages in a variety of activities that involve the collection of payments by credit card. The Payment Card Industry Security Standards Council publishes the Payment Card Industry Data Security Standard (PCI DSS), compliance with which is required as part of the University’s contract with its merchant card processor. As a state agency, the University is also required to follow the E-Commerce policies published by the NC Office of State Controller as part of its Statewide Electronic Commerce Program.
There are no exclusions. Academic and administrative units; faculty, staff, and other employees; or others that use systems or networks supported by the University shall abide by these policies. These policies pertain to credit card processing of payments received by the University, directly and indirectly. All point of sale (POS) terminals and all servers or databases receiving, storing, or transmitting credit card numbers are subject to these policies.
- 308.1 – Establishing a New Credit Card Merchant Account
- 308.2 – Changing an Existing Credit Card Merchant Account
- 308.3 – Deactivating a Credit Card Merchant Account
- 308.4 – Disposal of Point-of-Sale Terminals
- 308.5 – Reconciliation, Refunds, Chargebacks and Transaction Posting
- 308.6 – Maintaining Payment Card Industry (PCI) Compliance
- 308.7 – Assuming Credit Card Merchant Account Cost and Fiscal Responsibility
- 308.8 – Truncation and Retention of Cardholder Account Numbers
- 308.9 – The University’s Payment Gateway
Frequently Asked Questions
Q: Can a University department accept credit cards as a form of payment?
A: University departments provide goods and services to their customers and may accept credit cards as an appropriate form of payment. Many University departments have been set up with credit card merchant accounts consisting of point of sale (POS) terminals, customized internet applications, TouchNet Marketplace U-Pay sites, or payment application software. The University has a contract with TouchNet, a payment gateway. The State of North Carolina is under contract with SunTrust Merchant Services/FirstData for settlement of funds and to process payments received by credit card. Currently MasterCard, Visa, American Express and Diners Club are allowable forms of payment by credit card to the University.
Q: Are there any limitations on goods or services that can be sold by a University department?
A: With certain limited exceptions, State law (including the Umstead Act, G.S. 66-58) prohibits University departments from selling goods and services to the general public. However, in conducting University business, some departments receive payments for goods or services such as application or registration fees. The credit card merchant should consult the Office of University Counsel as necessary to confirm that the goods or services for sale are consistent with State law and University trademark licensing.
Q: Can PayPal be used to accept payment?
A: PayPal offers two relevant products: a money transmitter service and a payment gateway called PayPal Payflow Pro. Payflow Pro may be allowed with approval from the CERTIFI Committee (see Procedure 308.1 for requesting an exception to the University payment gateway).
Per state statute G.S. 147-77, all funds must be deposited daily in some bank or trust company designated by the State Treasurer (G.S. 147-81), and deposit in other banks is unlawful (G.S. 147-80). Deposits are also to be secured (G.S. 147-79). PayPal is listed as a “Money Transmitter” under G.S. 53-208. Although PayPal may function similar to a bank or official depository, money transmitters are not listed in the statutes as eligible “depositories.” Therefore, PayPal as a money transmitter may not be used at the University.
Q: What should we do if we suspect a breach of credit card or personal information (sensitive information)?
A: If you suspect a breach, please refer to the procedure as described in the University’s Information Technology Services Incident Management Policy, dial 919-962-HELP, or email firstname.lastname@example.org.
Q: Can a department accept donations through an existing or new credit card merchant account?
A: All fundraising should be coordinated through the University Development Office. University Development can discuss the options available with the departments wishing to accept credit cards for donations.
- SunTrust Merchant Program Guide: Your guide to card acceptance and processing can be located on the OSC web site.
- North Carolina General Statute 147-77 – Daily deposit of funds to credit of Treasurer.
- North Carolina General Statute 147-79 – Deposits to be secured; reports of depositories.
- North Carolina General Statute 147-80 – Deposit in other banks unlawful; liability.
- North Carolina General Statute 147-81 – Number of depositories; contract.
- North Carolina General Statute, Article 16A 53-208.1-30 – Money Transmitters Act
- North Carolina General Statute 66-58, aka Umstead Act – Sale of Merchandise or services by governmental units
- ITS Incident Management Policy
| Subject | Office | Contact |
|---|---|---|
| General questions | Accounting Services Cash Management | 919-962-1601, 919-962-3306 |
| Establishing a credit card process | Accounting Services Cash Management | 919-962-1601, 919-962-3306 |
| Deposits and reconciliation | Cashier’s Office | email |
| Data security | ITS – Information Security | email |
| TouchNet connection | Help Desk | 919-962-4357 |
| TouchNet payment gateway | ITS eCommerce Analyst | email |
Oct. 24, 2017: Included prohibition language related to communicating cardholder data via end-user messaging technologies.
July 7, 2017: Key Compliance section updated to reflect departmental and senior oversight in giving access to the payment card process and the stipulations for training and levels of privilege limitations.
March 31, 2016: Policy review.
July 15, 2011
July 1, 2006