Introduction
Purpose
Payment card merchant accounts must be compliant with all applicable Data Security Standards (DSS) for their method of payment acceptance. Maintaining Payment Card Industry (PCI) compliance is a continual process. Several types of DSS exist, and each must be met if it applies to the merchant's method of payment acceptance. This procedure explains how to request and establish a payment card merchant account.
Scope of Applicability
This procedure applies to any official or administrator with responsibilities for managing university payment card transactions and those employees entrusted with handling payment cards and payment card information.
Procedure
To request a payment card merchant account, contact merchant services by emailing certifi@unc.edu to begin discussing the process for obtaining a merchant account.
A meeting will be arranged to discuss the department's line of business, description of transactions, capture method (payment applications, payment gateways, point-of-sale terminal, etc.), volume of business, go-live date, and previous exposure to credit card processing.
Timeline for Creating Payment Card Merchant Account
A payment card merchant account can take a minimum of six weeks to complete from the initial meeting until the account is in production and the first transaction has been accepted.
Forms/Instructions
To obtain a merchant account, contact the Merchant Services Manager by emailing certifi@unc.edu to schedule an in-person meeting.
As a merchant, a department inherently accepts responsibility for the security of cardholder data. The Office of Cash Manager supports departments in maintaining security by providing annual Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaire (SAQ) guidance, annual mandatory and PCI training.
Payment Processing Service
All University merchants are set up through the State of North Carolina's Master Service Agreement (MSA) for Electronic Payments with SunTrust Merchant Services (STMS), a partnership between SunTrust Bank and First Data Merchant Services (FDMS) dba Fiserv. STMS provides merchant card payment processing services. The North Carolina Office of the State Controller (OSC) has mandated that all agencies and universities of the State use the MSA unless an exemption has been approved.
A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for payment card processing, until the business case is approved. Upon approval, standard purchasing policies apply.
Outsourcing Credit Card Payments
The University is required to participate in the OSC MSA for credit card merchant services pursuant to OSC Policy 500.2. An exemption from participating may be obtained from OSC if a suitable business case is presented. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) committee. The business case will be reviewed by the CERTIFI committee and forwarded as appropriate to OSC to request approval. Submitting a request is not a guarantee of approval by either CERTIFI or OSC.
Any area of campus considering negotiating an outsourcing agreement that involves processing payment cards through a processor not under the MSA should engage CERTIFI immediately.
Payment Gateway
TouchNet is the University's payment gateway and is required to be used for all online payment card transactions. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to CERTIFI. The business case will be reviewed. A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for payment card processing, unless the business case is approved by CERTIFI. Upon approval, standard purchasing policies apply.
Complete Setup Forms
Once the department has completed the initial meeting with CERTIFI and decided on the capture method, relevant setup forms must be completed. The requesting department should also complete the applicable PCI Assessment questionnaires, create a department payment card manual, and ensure all appropriate staff have completed their annual assessments. Submit completed forms to certifi@unc.edu. These forms are reviewed by the CERTIFI Committee for approval. Once approved, the forms are submitted to OSC to be reviewed and sent to SunTrust Merchant Services for setup.
Payment Card Transaction Process
Method 1: Payment Gateway
The payment card transaction process begins when the customer purchases a product/course or makes a donation through a payment application/website. This application/website has a "Pay Now" button and passes the customer to the payment gateway to make the payment. The payment gateway interfaces with the payment processor. The payment processor interfaces with the payment card companies to validate the payment card and verify the address if address verification is used. The payment processor returns an authorization code to the payment gateway and settles the funds with the University's bank account.
Method 2: Point-of-Sale Terminal
Two types of authorized point-of-sale terminals are permitted on campus: cellular terminals and PCI Council validated point-to-point encrypted terminals. The payment card transaction process begins when the customer purchases a product/course or makes a donation. Their card is swiped or entered into a point-of-sale terminal. The payment processor interfaces with the point-of-sale terminal to validate the payment card. The payment processor returns an authorization code to the point-of-sale terminal and settles the funds with the University's bank account.
Exceptions
CERTIFI does not support student groups or affiliated entities. Learn more about student organizations by visiting the Carolina Union's "Student Organizations" webpage.
Related Requirements
External Regulations and Consequences
University Policies, Standards, and Procedures
Contact Information
Primary Contacts
| Subject | Contact | Telephone | E-Mail |
| --- | --- | --- | --- |
| General Questions and PCI Compliance | Merchant Services | 919-843-0420 | certifi@unc.edu |
| Deposits and Reconciliation | Cashier's Office | 919-962-5846 | deposits@unc.edu |
| Data Security | ITS - Information Security | 919-962-4357 | security@unc.edu or certifi@unc.edu |
| TouchNet Connection | HELP Desk | 919-445-9319 | certifi@unc.edu |
Important Dates
Revision and Review Dates, Change notes, title of Reviewer or Approver:
- Last Revised Date: October 2017
- Previous Revised Date: July 2017
- Substantive Revisions:
- Key Compliance section updated to reflect departmental and senior oversight in giving access to the payment card process and the stipulations for training and levels of privilege limitations.
- November 9, 2016 - Removed 308.1.8f - PCI Scoping Questionnaire (archived in WordPress); 308.1.9f Web PCI Questionnaire (archived in WordPress)
- August 23, 2016 - updated forms.
- Previous Revised Date: March 31, 2016
- Revised by:
- Substantive Revisions:
- Previous Revised Date: July 15, 2011
- Previous Revised Date: June 29, 2011
- Previous Revised Date: July 30, 2010
- Previous Revised Date: April 19, 2007
- Effective Date and title of Approver: July 1, 2006