Policies and Procedures
Procedure 308.1 – Establishing a New Credit Card Merchant Account
July 1, 2006
August 23, 2016
July 25, 2017
Executive Director and Information Security Officer
Information Technology Services
This procedure explains how to request and establish a credit card merchant account.
Forms and Instructions
To request a credit card merchant account, contact the Cash Manager in Accounting Services to begin discussing the process for obtaining a merchant account and how to begin operations.
Once the Cash Manager has been contacted, a meeting will be arranged to discuss the line of business, description of transactions, capture method (Payment Applications, Payment Gateways, Point-of-Sale Terminal, etc.), volume of business, go-live date, and the department's previous exposure to credit card processing.
Timeline for Creating Credit Card Merchant Account
A credit card merchant account can take a minimum of six weeks to complete from the initial meeting until the account is in production and the first transaction has been accepted.
Payment Processing Service
All University merchants are set up through the State of North Carolina’s Master Service Agreement (MSA) with SunTrust Merchant Services (STMS), a partnership between SunTrust Bank and First Data Merchant Services (FDMS). STMS provides merchant card payment processing services. The North Carolina Office of the State Controller (OSC) has mandated that all agencies and universities of the State use the MSA unless an exemption has been approved. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to the Cash Manager in Accounting Services. The business case will be reviewed by the CERTIFI Committee and forwarded as appropriate to OSC to request approval. A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, until the business case is approved. Upon approval, standard purchasing policies apply.
Outsourcing Credit Card Payments
The University is required to participate in the Master Service Agreement (MSA) for credit card merchant services provided by OSC under the Cash Management Law (General Statutes 147-86.10 and 147-86.11). An exemption from participating may be obtained from OSC if a suitable business case is presented.
This requirement applies to all contracts, including outsourced functions if they involve credit card processing. The requirement does apply even when the University is not the merchant for the credit card processing.
Any area of campus involved in or negotiating an outsourcing agreement that involves processing credit cards through a processor not under the MSA should forward an exemption request to the Cash Manager in Accounting Services.
TouchNet is the University’s payment gateway and is required to be used for all internet credit card transactions. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to the Cash Manager in Accounting Services. The business case will be reviewed and forwarded as appropriate to the CERTIFI Committee to request approval. A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, until the business case is approved. Upon approval, standard purchasing policies apply. Please see the Credit Card Merchant Procedure regarding the University’s Payment Gateway, TouchNet, for more information.
Complete Setup Forms
Once the department has completed the initial meeting with the Cash Manager and decided on the capture method, relevant Setup Forms, listed below, must be completed as determined in conjunction with the Cash Manager. The requesting department should also complete the applicable PCI Assessment questionnaires, as determined in conjunction with the Cash Manager, as well as provide a workflow diagram and description. Submit completed forms to the Cash Manager in Accounting Services. These forms are reviewed by the CERTIFI Committee and forwarded as appropriate to the University Controller and Executive Director and Information Security Officer, if applicable, to request approval. Once approved, the forms are submitted to the NC Office of the State Controller to be reviewed and sent to SunTrust Merchant Services for setup.
- 308.1.1f - Merchant Outlet Setup Form
- 308.1.2f - ClientLine Merchant Sign-up Form
- 308.1.3f - American Express Merchant Outlet Setup Form
- 308.1.4f - American Express Online Merchant Services Sign-up Form
- 308.1.5f - Merchant Card POS Terminals Order Form
- 308.1.6f - Default Chartfield String Change Request
- 308.1.7f - Merchant Card Change Request
PCI Assessment Questionnaires:
- 308.1.10f - Vendor PCI Questionnaire
Credit Card Administrator Listserv
The email list is used to send out information regarding policies and procedures for the administration of credit card transactions and data. The email list is also used to distribute information from the NC Office of the State Controller and SunTrust Merchant Services regarding credit cards.
Departmental staff members who perform credit card administrative duties may participate in a campus listserv. To initiate or cease participation in the Credit Card Administrator listserv, an email should be sent to email@example.com. This restricted listserv is only available to employees of The University of North Carolina at Chapel Hill who have managerial, administrative, or operational duties as a credit card merchant. The business contact named on the Merchant Outlet Setup Form is automatically enrolled in the listserv at the time the merchant is established.
Credit Card Transaction Process
- Method 1: Payment Gateway
The credit card transaction process begins when the customer purchases a product/course or makes a donation through a payment application/website. This application website has a “Pay Now” button and passes the customer to the payment gateway to make the payment. The payment gateway interfaces with the payment processor. The payment processor interfaces with the credit card companies to validate the credit card and verify the address if address verification is used. The payment processor returns an authorization code to the payment gateway and settles the funds with the University’s bank account.
- Method 2: Point-of-Sale Terminal
The credit card transaction process begins when the customer purchases a product/course or makes a donation and their card is swiped or entered into a point-of-sale terminal. The terminal is connected through an analog telephone line to the payment processor for settlement. The payment processor interfaces with the credit card companies to validate the credit card and verify the address if address verification is used. The payment processor returns an authorization code to the point-of-sale terminal and settles the funds with the University’s bank account.
Complete Training
University departments approved as merchants shall ensure that all employees involved in the credit card environment have completed the PCI training and ITS Security Awareness training on an annual basis. These trainings apply not only to those who have access to full credit card numbers, but also to those who have access to truncated credit card numbers that can be found in credit card receipts, payment gateways and merchant statements. These trainings also apply to IT support/developers of applications and software that access or process credit card information or interface with credit card payment gateways. University departments shall also provide necessary training to employees to ensure staff members adhere to the policies and procedures for credit card merchant services.
Two PCI online training courses, developed with Vigitrust, are available. A guide for registering and using the portal is available on the Finance and Accounting Training website. All new users to the credit card environment should register using their University email address and complete the trainings before handling credit card information.
The course titled “PCI Comprehensive” should be completed by the following:
1. The individual who completes the annual Self-Assessment Questionnaire.
2. Individuals who are the IT support of payment applications and software.
3. All CERTIFI (Compliant Electronic Receipt Transactions through Innovation and Financial Integrity) committee members.
Everyone else involved in the credit card environment is required to complete the course titled “PCI Basic.”
- It is the responsibility of the department’s credit card merchant contact to make sure that everyone involved in the credit card environment in their area completes the appropriate PCI training course and ITS Security Awareness training in a timely manner.
Assess initial PCI Compliance
Once the credit card merchant account has been set up, testing will be done in a test environment. While this is occurring, the merchant needs to begin assessing their initial Payment Card Industry (PCI) Data Security Standard (DSS) compliance.
1. Set up TrustKeeper Account – When the credit card merchant account is established, an account will be set up in TrustKeeper for the merchant to complete their initial PCI DSS Self-Assessment Questionnaire (SAQ). Access will be established for the business contact listed on the Merchant Outlet Setup Form. The business contact can contact the Cash Manager in Accounting Services to have access added for other individuals. Please see Credit Card Merchant Procedure 308.6 – PCI Compliance for detailed information on PCI DSS and SAQs.
2. Complete Initial SAQ – Before the credit card merchant account may begin accepting transactions, the merchant must complete the initial SAQ. The merchant should consult with the Cash Manager and ITS Information Security, as required, to verify which SAQ is applicable.
3. Review PCI DSS and University Security Guidelines – After completing the initial PCI DSS SAQ, review the PCI DSS and University Security Guidelines to make sure that the merchant meets all security requirements. PCI compliance is not a point-in-time exercise but a continuous, day-to-day process.
- North Carolina General Statute 147-86.10, Cash Management – Statement of Policy
- North Carolina General Statute 147-86.11, Cash Management for the State
- NC Office of the State Controller:
  - Statewide Electronic Commerce Program
  - E-Commerce Policies and Procedures – Maximization of Electronic Payment Methods
  - E-Commerce Policies and Procedures – Master Services Agreements for Electronic Payments
- PCI Security Standards Council
University IT Policies
- Payment Card Industry Online Training
- ITS Security Awareness Training
August 23, 2016 - updated forms.
June 29, 2011
April 19, 2007
November 9, 2016 - Removed 308.1.8f - PCI Scoping Questionnaire (archived in WordPress); 308.1.9f Web PCI Questionnaire (archived in WordPress)