University of North Carolina at Chapel Hill Finance Policy 308 - Policy on Merchant Card Services
Introduction
Purpose
The Payment Card Industry (including American Express, Discover, MasterCard, Visa, and other major card brands) has established stringent security requirements to protect payment card data. These requirements are called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides standards for safeguarding payment card data for all card brands and details the security requirements for transmitting, storing, accessing, and processing cardholder data.
Compliance is the responsibility of the entire University of North Carolina at Chapel Hill ("UNC-Chapel Hill" or "University"), with duties and accountability assigned at every level of the payment process. As a State agency, UNC-Chapel Hill is also required to follow the E-Commerce policies published by the NC Office of State Controller (NC OSC).
Scope of Applicability
All constituents of UNC-Chapel Hill that collect funds in the form of payment cards, whether directly through a merchant account with the University's payment card processor or an approved payment card processor, or through a contract with a third party, are required to comply with PCI DSS and the NC OSC Statewide Electronic Commerce Program.
There are no exclusions. Academic and administrative constituents; faculty, staff, and other employees; and others who use systems or networks supported by the University must abide by these policies. These policies pertain to payment card processing of payments received by the University, directly and indirectly. All point-of-sale (POS) terminals and all servers or databases receiving, storing, or transmitting payment card data are subject to these policies.
For the purpose of this policy a merchant is any department or unit that accepts payment cards.
Policy
PCI Compliance
University-level compliance is the responsibility of the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) committee. The committee establishes and manages an approval process for all payment card and electronic processes for all University Departments. The committee provides training and communication about PCI compliance and best practices in e-Commerce. The committee coordinates the annual process for documenting PCI compliance, including facilitating self-assessment questionnaires (SAQs) for all merchants, maintaining documentation of attestations of compliance (AOCs) for all third-party payment processors, maintaining various merchant inventories and coordinating with various vendors to provide external attestations. Noncompliance or breaches in any one area of the University impacts the entire University's level of compliance.
Merchant level compliance is the responsibility of the chief business officer of each unit. Departmental managers, senior managers, and merchant staff members are required to participate in PCI Awareness training. Merchant managers and staff are required to meet all compliance requirements.
Merchant Approval
All payment card processing activity at or on behalf of the University requires approval of the CERTIFI committee. University departments may NOT process payment cards under any circumstances without the required CERTIFI approval memo. University departments may not set up their own banking relationships for payment card processing. See the document section.
Key Compliance Requirements:
- All employees and agents interacting directly or indirectly with cardholder data must protect it by adhering to this policy and the related procedures.
- Department and senior managers will:
  - define the access needs for each role in the payment card process, including the system components and data resources each role needs to access for its job function and the level of privilege required (for example, user or administrator) to access those resources;
  - restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities;
  - require documented approval by authorized parties specifying the privileges granted;
  - immediately revoke access, or request its revocation, for any terminated or transferred employee or student staff member. Inactive user accounts should be removed within 90 days, or sooner where the guidance for the system in use prescribes it;
  - ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. The University's security policy outlines appropriate use of passwords and authentication methods;
  - restrict the use of University computers as payment terminals.
- Training requirements are as follows:
  - University departments approved as merchants shall ensure that all employees involved in the payment card environment complete the PCI training and ITS Security Awareness training annually.
  - These trainings apply not only to those who have access to full credit card numbers, but also to those who have access to truncated credit card numbers, which appear on credit card receipts, payment gateways, and merchant statements.
  - These trainings also apply to IT support staff and developers of applications and software that access or process credit card information or interface with credit card payment gateways. University departments must also provide the training employees need to follow the policies and procedures for credit card merchant services.
- Transmission and storage of cardholder data (account number, expiration date, CVC code) is prohibited on the campus network. All merchants must use hosted payment pages and CERTIFI-approved point-of-sale devices.
- All work areas where cardholder data is handled should be physically secure, including restricting access by persons not authorized to handle and process cardholder data.
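The access-management duties above (role-based access needs, least privilege, documented approval, prompt revocation, and removal of accounts inactive for more than 90 days) are the kind of thing a manager can check mechanically against an account inventory. The script below is an added example, not the University's or the CERTIFI committee's code; the role catalogue, the account fields, and the sample accounts are all constructed for illustration, and the treatment of an account that has never logged in as inactive is an assumption.

```python
"""Periodic access review for accounts in a payment card environment.

Added example; not University code. Implements the account-hygiene checks the
policy assigns to department and senior managers over a constructed inventory.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

INACTIVE_LIMIT_DAYS = 90  # policy: inactive accounts removed within 90 days

# Assumed role catalogue: the privileges each documented role is approved to hold.
ROLE_PRIVILEGES = {
    "cashier": {"pos_user"},
    "reconciler": {"gateway_report_viewer"},
    "pos_admin": {"pos_user", "pos_admin"},
}


@dataclass
class Account:
    user_id: str
    role: str
    privileges: set = field(default_factory=set)
    employment_status: str = "active"      # "active", "terminated", "transferred"
    last_login: Optional[date] = None      # None = never logged in (assumed inactive)
    approval_on_file: bool = False         # documented approval by an authorized party


def review_account(acct: Account, today: date) -> list:
    """Return the policy findings for one account (empty list = no action needed)."""
    findings = []
    # Terminated or transferred staff: access must be revoked immediately.
    if acct.employment_status in ("terminated", "transferred"):
        findings.append("revoke: employee terminated or transferred")
    # Inactive accounts: removed within 90 days; never-used accounts are treated as inactive.
    if acct.last_login is None or (today - acct.last_login).days > INACTIVE_LIMIT_DAYS:
        findings.append(f"remove: inactive for more than {INACTIVE_LIMIT_DAYS} days")
    # Least privilege: privileges beyond what the documented role needs are flagged.
    allowed = ROLE_PRIVILEGES.get(acct.role)
    if allowed is None:
        findings.append(f"undefined role: {acct.role}")
    else:
        excess = acct.privileges - allowed
        if excess:
            findings.append("excess privileges for role: " + ", ".join(sorted(excess)))
    # Documented approval specifying the privileges must exist for every account.
    if not acct.approval_on_file:
        findings.append("missing documented access approval")
    return findings


def review_all(accounts, today: date) -> dict:
    """Map each user_id to its list of findings."""
    return {a.user_id: review_account(a, today) for a in accounts}


# Constructed sample inventory (not real accounts).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("u1", "cashier", {"pos_user"}, "active", date(2024, 5, 20), True),
    Account("u2", "reconciler", {"gateway_report_viewer", "pos_admin"}, "active",
            date(2024, 5, 30), True),
    Account("u3", "cashier", {"pos_user"}, "terminated", date(2024, 1, 15), True),
    Account("u4", "pos_admin", {"pos_user", "pos_admin"}, "active", None, False),
]

if __name__ == "__main__":
    for user_id, findings in review_all(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{user_id}: {status}")
```

Each finding maps to one bullet of the policy, so the output can be filed with the documented approvals as evidence for the annual SAQ. Running it on a schedule shorter than 90 days is what keeps the inactive-account bullet satisfiable in practice.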
Protection of Devices against Tampering
Any department with access to payment card processing equipment, including point-of-sale swipe devices or terminals, must record the device and its serial number. This information must always be reported to Merchant Services on the appropriate form.
Departments must take protective action against tampering to prevent the unauthorized capture and use of payment data for fraudulent purposes. Protective action against tampering includes ensuring that only authorized staff have access to payment card devices. Where applicable, staff maintain a sign-out log for devices used at special events and camps: record the serial number of the device being signed out and the employee's PID, first name, and last name; confirm the employee has completed their annual PCI Awareness training; and confirm the employee is familiar with the University's Payment Card Merchant Services Policy. Upon return of the device, the business officer or senior management should inspect it for tampering.
The identity of any third-party persons claiming to be repair or maintenance personnel must be verified prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification from CERTIFI.
Be aware of suspicious behavior around devices (for example, attempts by persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to ITS Security.
The CERTIFI committee reserves the right to conduct periodic announced and unannounced device inspections as part of the University's compliance requirements.
Transaction Fees
The University is charged a discount rate (fee) on all credit card transactions under the State's Master Service Agreement. The amount of the fee is determined by the accepting bank, the type of payment card, the number of transactions, and the method in which the card is processed.
Related Requirements
External Regulations and Consequences
University Standards and Procedures
Contact Information
Policy Contacts
| Subject | Contact | Telephone | Fax | E-Mail |
| --- | --- | --- | --- | --- |
| General Questions and PCI Compliance | Merchant Services | 919-843-0420 | 919-962-1568 | certifi@unc.edu |
| Deposits and Reconciliation | Cashier's Office | 919-962-5846 | 919-962-1568 | deposits@unc.edu |
| Data Security | ITS - Information Security | 919-962-4357 | | security@unc.edu |
| TouchNet Connection | HELP Desk | 919-962-4357 | | certifi@unc.edu |
Frequently Asked Questions
Q: Can a University department accept payment cards as a form of payment?
A: University departments can provide goods and services to their customers and accept payment cards as an appropriate form of payment. Many University departments have been set up with payment card merchant accounts consisting of point-of-sale (POS) terminals or hosted payment pages provided by the University's contracted payment gateway, TouchNet, or other approved payment methods. The State of North Carolina is under contract with SunTrust Merchant Services/FirstData/Fiserv for settlement of funds and to process payments received by payment card. Currently MasterCard, Visa, American Express, and Discover are allowable forms of payment by payment card to the University.
Q: Are there any limitations on goods or services that can be sold by a University department?
A: State law may prohibit University departments from selling certain goods and services to the general public. Departments may consult with the Office of University Counsel to discuss proposed sales activities.
Q: Can my department use PayPal to collect payments?
A: No. The use of PayPal is not authorized by the State Treasurer as a depository of University funds, and state law makes it a criminal offense to deposit University funds in a depository other than those approved by the State Treasurer.
Q: What should we do if we suspect a breach of payment card or personal information (sensitive information)?
A: If you suspect a breach, refer to the process described in the University's Information Security Incident Management Standard. Also report the incident to your manager.
Q: Can a department accept donations through an existing or new payment card merchant account?
A: All fundraising and donations should be coordinated through the University Development Office. University Development can discuss the options available with the departments wishing to accept payment cards for donations.