308.5 - University of North Carolina at Chapel Hill Procedure on Assuming Credit Card Merchant Account Cost and Fiscal Responsibility

Introduction

Purpose

Payment Card Merchant Account Cost and Fiscal Responsibility

University merchant departments that provide payment card merchant services are responsible for related equipment and supply costs, processing fees, and fines and penalties resulting from noncompliance with University, State, and Payment Card Industry (PCI) policies. University constituents are also responsible for adhering to internal control standards for the safeguarding of receipts and data.

Scope of Applicability

This procedure applies to any official or administrator with responsibilities for managing university payment card transactions and those employees entrusted with handling payment cards and payment card information.

Procedure

Equipment and Supplies needed to provide payment card merchant services.

Point-of-Sale Terminals

Each merchant is responsible for the installation and costs of point-of-sale terminals and accessories.

Point-to-Point encrypted (P2PE) and cellular terminals are procured through the State's Master Service Agreement for Electronic Payments and the University's CardConnect contract unless an exemption has been granted. The NC Office of the State Controller provides a list of available models, along with pricing for both purchase, rental, or lease. Request pricing for CardConnect terminals by emailing certifi@unc.edu. The costs of terminals purchased or leased through the State contract is billed directly to the merchant on their SunTrust Merchant Services and CardConnect invoices issued by First Data dba Fiserv and allocated to the chart field string on file. To order a terminal email certifi@unc.edu.

Supplies

Terminal supplies, such as paper, printer ribbons, and Visa/MasterCard logo signage are available for the costs of shipping. Contact the SunTrust Merchant Services help desk, (800) 654-8816, to order these supplies.

Fines and Penalties

The University unit, as a merchant department, has the final responsibility to maintain compliance to the PCI Data Security Standards (DSS). If the merchant does not comply with the security requirements or fails to rectify a security issue, the payment card industry may impose restrictions and issue the following fines to the responsible merchant:

Months and Assessments
Month Monthly assessment for failure to confirm prohibited data storage compliance
Months one through three $5,000
Months four through six $25,000
Months seven and beyond $50,000

Fraud and Identity Theft

A merchant department must immediately report suspected loss or theft of material or records that contain card holder data by calling 919-962-HELP. Clearly state to the phone attendant that you are reporting a "critical incident" related to PCI compliance.

Definitions

Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Primary Contacts
Subject Contact Telephone E-Mail
General Questions and PCI Compliance Merchant Services 919-843-0420 certifi@unc.edu
Deposits and Reconciliation Cashier's Office 919-962-5846 deposits@unc.edu
Data Security ITS - Information Security 919-962-4357 security@unc.edu or certifi@unc.edu
TouchNet Connection TouchNet Administrator 919-445-9319 certifi@unc.edu

Important Dates

  • Effective Date and title of Approver: July 1, 2006
  • Revision and Review Dates, Change notes, title of Reviewer or Approver: July 18, 2011
100% helpful - 1 review