Introduction
Purpose
Payment Card Merchant Account Cost and Fiscal Responsibility
University merchant departments that provide payment card merchant services are responsible for related equipment and supply costs, processing fees, and fines and penalties resulting from noncompliance with University, State, and Payment Card Industry (PCI) policies. University constituents are also responsible for adhering to internal control standards for the safeguarding of receipts and data.
Scope of Applicability
This procedure applies to any official or administrator with responsibilities for managing university payment card transactions and those employees entrusted with handling payment cards and payment card information.
Procedure
Equipment and Supplies needed to provide payment card merchant services.
Point-of-Sale Terminals
Each merchant is responsible for the installation and costs of point-of-sale terminals and accessories.
Point-to-Point encrypted (P2PE) and cellular terminals are procured through the State's Master Service Agreement for Electronic Payments and the University's CardConnect contract unless an exemption has been granted. The NC Office of the State Controller provides a list of available models, along with pricing for both purchase, rental, or lease. Request pricing for CardConnect terminals by emailing certifi@unc.edu. The costs of terminals purchased or leased through the State contract is billed directly to the merchant on their SunTrust Merchant Services and CardConnect invoices issued by First Data dba Fiserv and allocated to the chart field string on file. To order a terminal email certifi@unc.edu.
Supplies
Terminal supplies, such as paper, printer ribbons, and Visa/MasterCard logo signage are available for the costs of shipping. Contact the SunTrust Merchant Services help desk, (800) 654-8816, to order these supplies.
Fines and Penalties
The University unit, as a merchant department, has the final responsibility to maintain compliance to the PCI Data Security Standards (DSS). If the merchant does not comply with the security requirements or fails to rectify a security issue, the payment card industry may impose restrictions and issue the following fines to the responsible merchant:
Months and Assessments
Month |
Monthly assessment for failure to confirm prohibited data storage compliance |
Months one through three |
$5,000 |
Months four through six |
$25,000 |
Months seven and beyond |
$50,000 |
Fraud and Identity Theft
A merchant department must immediately report suspected loss or theft of material or records that contain card holder data by calling 919-962-HELP. Clearly state to the phone attendant that you are reporting a "critical incident" related to PCI compliance.
Definitions
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms
Related Requirements
External Regulations and Consequences
University Policies, Standards, and Procedures
Contact Information
Primary Contacts
Subject |
Contact |
Telephone |
E-Mail |
General Questions and PCI Compliance |
Merchant Services |
919-843-0420 |
certifi@unc.edu |
Deposits and Reconciliation |
Cashier's Office |
919-962-5846 |
deposits@unc.edu |
Data Security |
ITS - Information Security |
919-962-4357 |
security@unc.edu or certifi@unc.edu |
TouchNet Connection |
TouchNet Administrator |
919-445-9319 |
certifi@unc.edu |
Important Dates
- Effective Date and title of Approver: July 1, 2006
- Revision and Review Dates, Change notes, title of Reviewer or Approver: July 18, 2011