308.1 - University of North Carolina at Chapel Hill Procedure on Establishing a New Credit Card Merchant Account

Introduction

Purpose

Payment card merchant accounts must be compliant with all applicable Data Security Standards (DSS) for their method of payment acceptance. Maintaining Payment Card Industry (PCI) compliance is a continual process. There are several types of DSS that exist and must be met if applicable to the method of payment acceptance by the merchant. This procedure explains how to request and establish a payment card merchant account.

Scope of Applicability

This procedure applies to any official or administrator with responsibilities for managing university payment card transactions and those employees entrusted with handling payment cards and payment card information.

Procedure

To request a payment card merchant account, contact merchant services by emailing certifi@unc.edu to begin discussing the process for obtaining a merchant account.

A meeting will be arranged to discuss the department's line of business, description of transactions, capture method (payment applications, payment gateways, point-of-sale terminal, etc.), volume of business, go-live date, and previous exposure to credit card processing.

Timeline for Creating Payment Card Merchant Account

A payment card merchant account can take a minimum of six weeks to complete from the initial meeting until the account is in production and the first transaction has been accepted.

Forms/Instructions

To obtain a merchant account contact the Merchant Services Manager by emailing certifi@unc.edu to schedule an in-person meeting.

As a merchant, a department inherently accepts responsibility for the security of card holder data. The Office of Cash Manager supports departments in maintaining security by providing annual Payment Card Industry Data Card Security (PCI DSS) Self-Assessment Questionnaire (SAQ) guidance, annual mandatory and PCI training.

• Finance Form 308.1.2f - ClientLine Merchant Sign-up Form
• Finance Form 308.1.6f - Default Chartfield String Change Request
• Finance Form 308.1.7f - Merchant Card Change Request Form

Payment Processing Service

All University merchants are setup through the State of North Carolina's Master Service Agreement (MSA) for Electronic Payments with SunTrust Merchant Services (STMS), a partnership between SunTrust Bank and First Data Merchant Services (FDMS) dba Fiserv. STMS provides merchant card payment processing services. The North Carolina Office of the State Controller (OSC) has mandated that all agencies and universities of the State use the MSA unless an exemption has been approved.

A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for payment card processing, until the business case is approved. Upon approval, standard purchasing policies apply.

Outsourcing Credit Card Payments

The University is required to participate in the OSC MSA for credit card merchant services pursuant to OSC Policy 500.2. An exemption from participating may be obtained from OSC if a suitable business case is presented. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) committee. The business case will be reviewed by the CERTIFI committee and forwarded as appropriate to OSC to request approval. Submitting a request is not a guarantee of approval by either CERTIFI or OSC.

Any area of campus considering negotiating an outsourcing agreement that involves processing payment cards through a processor not under the MSA should engage CERTIFI immediately.

Payment Gateway

TouchNet is the University's payment gateway and is required to be used for all online payment card transactions. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to CERTIFI. The business case will be reviewed. A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for payment card processing, unless the business case is approved by CERTIFI. Upon approval, standard purchasing policies apply.

Complete Setup Forms

Once the department has completed the initial meeting with CERTIFI and decided on the capture method, relevant setup forms must be completed. The requesting department should also complete the applicable PCI Assessment questionnaires, create a department payment card manual, and ensure all appropriate staff have completed their annual assessments. Submit completed forms to certifi@unc.edu. These forms are reviewed by the CERTIFI Committee for approval. Once approved, the forms are submitted to OSC to be reviewed and sent to SunTrust Merchant Services for setup.

Payment Card Transaction Process

Method 1: Payment Gateway

The payment card transaction process begins when the customer purchases a product/course or makes a donation through a payment application/website. This application website has a "Pay Now" button and passes the customer to the payment gateway to make the payment. The payment gateway interfaces with the payment processor. The payment processor interfaces with the payment card companies to validate the payment card and verify the address if address verification is used. The payment processor returns an authorization code to the payment gateway and settles the funds with the University's bank account.

Method 2: Point-of-Sale Terminal

There are two types of authorized point-of-sale terminals permitted on campus. They are cellular, and PCI Council validated point-to-point encrypted terminals. The payment card transaction process begins when the customer purchases a product/course or makes a donation. Their card is swiped or entered into a point-of-sale terminal. The payment processor interfaces with the point-of-sale terminal to validate the payment card. The payment processor returns an authorization code to the point-of- sale terminal and settles the funds with the University's bank account.

Exceptions

CERTIFI does not support student groups or affiliated entities. Learn more about student organizations by visiting the Carolina Union's "Student Organizations" webpage.

Related Requirements

External Regulations and Consequences

• North Carolina General Statute 147-86.10, Cash Management - Statement of Policy
• North Carolina General Statute 147-86.11, Cash Management for the State
• NC Office of the State Controller
  • Statewide Electronic Commerce Program
  • E-Commerce Policies and Procedures 500.1 - Maximization of Electronic Payment Methods
  • E-Commerce Policies and Procedures 500.2 - Master Services Agreement for Electronic Payments
• PCI Security Standards Council

University Policies, Standards, and Procedures

• Finance Policy 308 - University of North Carolina at Chapel Hill Policy on Merchant Card Services
• Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) committee
• Merchant Application and Renewal Portal
• University IT Policies
• ITS Security Awareness Training

Contact Information

Important Dates

Revision and Review Dates, Change notes, title of Reviewer or Approver:

• Last Revised Date: October 2017
• Previous Revised Date: July 2017
  • Substantive Revisions:
    • Key Compliance section updated to reflect departmental and senior oversight in giving access to the payment card process and the stipulations for training and levels of privilege limitations.
• November 9, 2016 - Removed 308.1.8f - PCI Scoping Questionnaire (archived in WordPress); 308.1.9f Web PCI Questionnaire (archived in WordPress)
• August 23, 2016 - updated forms.
• Previous Revised Date: March 31, 2016
  • Revised by:
  • Substantive Revisions:
    • Policy review
• Previous Revised Date: July 15, 2011
• Previous Revised Date: June 29, 2011
• Previous Revised Date: July 30, 2010
• Previous Revised Date: April 19, 2007
• Effective Date and title of Approver: July 1, 2006