308 - University of North Carolina at Chapel Hill Policy on Merchant Card Services

Introduction

Purpose

The Payment Card Industry (including American Express, Discover, Mastercard, Visa, and other major card brands) has established stringent security requirements to protect payment card data. These requirements are called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides standards for safeguarding payment card data for all card brands and details the security requirements for transmitting, storing, accessing, and processing cardholder data.

Compliance is the responsibility of the entire university, with duties and accountability assigned at every level of the payment process. As a State agency, the University of North Carolina at Chapel Hill is also required to follow the E-Commerce policies published by the NC Office of State Controller (NC OSC).

Scope of Applicability

All constituents of the University of North Carolina at Chapel Hill that collect funds in the form of payment cards, whether directly through a merchant account with the University's payment card processor or an approved payment card processor, or through a contract with a third party, are required to comply with PCI DSS and the NC OSC Statewide Electronic Commerce Program.

There are no exclusions. Academic and administrative constituents; faculty, staff, and other employees; and others that use systems or networks supported by the University shall abide by these policies. These policies pertain to payment card processing of payments received by the University, directly and indirectly. All point-of-sale (POS) terminals and all servers or databases receiving, storing, or transmitting payment card data are subject to these policies.

For the purpose of this policy a merchant is any department or unit that accepts payment cards.

Policy

PCI Compliance

University-level compliance is the responsibility of the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) committee. The committee establishes and manages an approval process for all payment card and electronic payment processes for all University departments. The committee provides training and communication about PCI compliance and best practices in e-Commerce. The committee coordinates the annual process for documenting PCI compliance, including facilitating self-assessment questionnaires (SAQs) for all merchants, maintaining documentation of attestations of compliance (AOCs) for all third-party payment processors, maintaining merchant inventories, and coordinating with vendors to provide external attestations. Noncompliance or a breach in any one area of the University affects the entire University's level of compliance.

Merchant level compliance is the responsibility of the chief business officer of each unit. Departmental managers, senior managers, and merchant staff members are required to participate in PCI Awareness training. Merchant managers and staff are required to meet all compliance requirements.

Merchant Approval

All payment card processing activity at or on behalf of the University requires approval of the CERTIFI committee. University departments may NOT process payment cards under any circumstances without the required CERTIFI approval memo. University departments may not set up their own banking relationships for payment card processing. See the document section.

Key Compliance Requirements:

  1. All employees and agents interacting directly or indirectly with cardholder data must protect that data by adhering to this policy and related procedures.
  2. Department and senior managers will
    1. define access needs for each role in the payment card process, including the system components and data resources that each role needs to access for its job function, and the level of privilege required (for example, user or administrator) for accessing those resources.
    2. restrict privileged user IDs to the least privileges necessary to perform job responsibilities.
    3. require documented approval by authorized parties specifying the required privileges.
    4. immediately revoke access, or request revocation, for any terminated or transferred employees or student staff. Inactive user accounts should be removed within 90 days, or sooner where the guidance relevant to the system in use prescribes it.
    5. ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. The University's security policy outlines appropriate use of passwords and authentication methods.
    6. restrict use of University computers as payment terminals.
  3. Training requirements are as follows:
    1. University departments approved as merchants shall ensure that all employees involved in the payment card environment have completed the PCI training and ITS Security Awareness training on an annual basis.
    2. These trainings apply not only to those who have access to full credit card numbers, but also to those who have access to truncated credit card numbers, such as those found on credit card receipts, payment gateways, and merchant statements.
    3. These trainings also apply to IT support staff and developers of applications and software that access or process credit card information or interface with credit card payment gateways. University departments shall also provide any additional training needed to ensure staff members adhere to the policies and procedures for credit card merchant services.
  4. Transmission and storage of cardholder data (account number, expiration date, CVC code) on the campus network is prohibited. All merchants are required to use hosted payment pages and CERTIFI-approved point-of-sale devices.
  5. All work areas where cardholder data is handled should be physically secure. This includes restricting access to persons authorized to handle and process cardholder data.

Protection of Devices against Tampering

Any department with access to payment card processing equipment, including point-of-sale swipe devices or terminals, must record the device and its serial number. This information must always be reported to Merchant Services on the appropriate form.

Departments must take protective action against tampering to prevent the unauthorized capture and use of payment data for fraudulent purposes. Protective action against tampering includes ensuring that only authorized staff have access to payment card devices. Where applicable, staff maintain a sign-out log for devices used at special events and camps: record the serial number of the device being signed out and the employee's PID, first name, and last name. Confirm that the employee has completed their annual PCI Awareness training and is familiar with the University's Payment Card Merchant Services policy. Upon return of the device, the business officer or senior management should inspect the device for tampering.

The identity of any third-party persons claiming to be repair or maintenance personnel must be verified prior to granting them access to modify or troubleshoot devices. Do not install, replace or return devices without verification from CERTIFI.

Be aware of suspicious behavior around devices (for example, attempts by persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to ITS Security.

The CERTIFI committee reserves the right to conduct periodic announced and unannounced device inspections as part of the University's compliance requirements.

Transaction Fees

The University is charged a discount rate (fee) on all credit card transactions under the State's Master Service Agreement. The amount of the fee is determined by the accepting bank, the type of payment card, the number of transactions, and the method in which the card is processed.

Related Requirements

External Regulations and Consequences

University Standards and Procedures

Contact Information

Policy Contacts
Subject                               Contact                      Telephone      Fax            E-Mail
General Questions and PCI Compliance  Merchant Services            919-843-0420   919-962-1568   certifi@unc.edu
Deposits and Reconciliation           Cashier's Office             919-962-5846   919-962-1568   deposits@unc.edu
Data Security                         ITS - Information Security   919-962-4357                  security@unc.edu
TouchNet Connection                   HELP Desk                    919-962-4357                  certifi@unc.edu

Frequently Asked Questions

Q: Can a University department accept payment cards as a form of payment?
A: University departments can provide goods and services to their customers and accept payment cards as an appropriate form of payment. Many University departments have been set up with payment card merchant accounts consisting of point-of-sale (POS) terminals or hosted payment pages provided by the University's contracted payment gateway, TouchNet, or other approved payment methods. The State of North Carolina is under contract with SunTrust Merchant Services/FirstData/Fiserv for settlement of funds and to process payments received by payment card. Currently Mastercard, Visa, American Express, and Discover are the allowable payment card brands for payments to the University.

Q: Are there any limitations on goods or services that can be sold by a University department?
A: State law may prohibit University departments from selling certain goods and services to the general public. Departments may consult the Office of University Counsel to discuss proposed sales activities.

Q: Can my department use PayPal to collect payments?
A: No. The use of PayPal is not authorized by the State Treasurer as a depository of University funds, and state law makes it a criminal offense to deposit University funds in a depository other than those approved by the State Treasurer.

Q: What should we do if we suspect a breach of payment card or personal information (sensitive information)?
A: If you suspect a breach, follow the procedure described in the University's Information Technology Services PCI DSS Incident Management Policy Response Plan: dial 919-962-HELP or email security@unc.edu. Request a critical ticket, indicating that payment card data is involved, and clearly state that a possible payment card breach is being reported. Separately report the incident to your manager and/or your Information Security Liaison.

Q: Can a department accept donations through an existing or new payment card merchant account?
A: All fundraising and donations should be coordinated through the University Development Office. University Development can discuss the options available with the departments wishing to accept payment cards for donations.

Details

Article ID: 131498
Created: Thu 4/8/21 9:10 PM
Modified: Tue 6/15/21 5:51 PM
Effective Date: 08/27/2020 3:37 PM
Issuing Officer:
Issuing Officer Title: University Cash Manager
Last Review: 08/27/2020 3:37 PM
Last Revised: 08/27/2020 3:37 PM
Origination: 07/01/2006 12:00 AM
Responsible Unit: F&O-Finance