Guideline for Outsourced Payment Processing
Purpose
The purpose of this document is to provide guidance in establishing and maintaining contracts with third party service providers that provide payment (credit/debit) card processing on behalf of UNC Charlotte or its affiliates.
Scope
This guideline applies to all University employees, affiliates and authorized users who want to utilize a third party to accept payment cards from University customers without utilizing a University merchant account.
Contacts
Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.
Guidelines
To streamline the receipt of cash according to the University’s Cash Management Plan, the preferred method of payment card acceptance is through a University-owned merchant account. However, there may be instances when it is more efficient or effective to outsource payment card processing through a third party’s merchant account and receive proceeds through another method of payment.
Before Outsourcing Payment Card Processing
- Contact Merchant Services: Prior to entering into any contract or purchasing specialized software, equipment or systems necessary for payment card processing, departments must contact the Office of the Bursar – Merchant Services. They will review customized processing applications for compliance with standards, guidelines, security measures, contract requirements and feasibility.
- Include Merchant Services in Request for Proposal (RFP): It is best practice to include the Office of the Bursar – Merchant Services in any formal RFP process involving payment acceptance.
- Third-party Service Providers: Any unit that wishes to utilize third party software that includes the outsourcing of its credit card transaction processing must request approval in writing to ecommerce@charlotte.edu and provide proof of the vendor’s Payment Card Industry Data Security Standard (PCI DSS) compliance and/or validation of payment software. It is preferred that any third party that captures Cardholder Data (CHD) utilize a validated Level 1 Service Provider. The vendor must assume full responsibility for all PCI DSS requirements and notify the University and/or its affiliates of any CHD security breaches.
- Departmental Collaboration: The Office of the Bursar – Merchant Services in conjunction with Materials Management, OneIT, the Office of Legal Affairs, the Internal Audit Department and the applicable computer support unit, will work with the department to ensure that processing standards, safeguarding measures and legal requirements are met.
- OneIT Oversight: OneIT oversees the governance of data security, use of IT systems, evaluation and recommendations of technologies, and provides direction and support for the security and networking of campus infrastructure utilized for card processing systems. Any software and IT-related acquisition request must be submitted to OneIT for review before the acquisition. OneIT will oversee the final approval, signature and execution of contracts and acquisitions involving technology.
- Additional Information and Costs: Additional information or external consultation may be required. The requestor will bear all costs related to the external review if required for the approval process.
- Implementation of Approved Software/Equipment: Implement approved third-party software/equipment according to third-party guidelines. Modify default vendor passwords and settings to unique ones before installing the system on the University network or using it for card processing.
Contract Elements
Contracts and associated documentation must address these elements:
- Compliance with the OneIT Standards and Guidelines; specifically:
  - Standard for Security Requirements of Information Systems, and the related Information Security Checklist
  - Standard for Information Security related to Vendors and External Parties
- PCI SSC Requirements: Compliance with all appropriate Payment Card Industry Security Standards Council (PCI SSC) requirements and the vendor’s responsibility for all PCI DSS requirements. If CHD is captured on the vendor’s network, the contract must also address:
  - Proof of PCI DSS compliance and/or validation of payment software
  - Specifying that the vendor will be fully responsible for all elements of the PCI DSS
  - Documentation that clearly details the flow of CHD and specifies any outside entities’ applications or servers utilized
  - Service level agreements
  - Remote access and use of Multi-Factor Authentication
  - Protection of Personally Identifiable Information (PII)
  - Data retention and destruction policies
  - Liability
  - Business continuity
A final copy of the executed contract must be emailed to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.
Related Resources
- Standard for Accepting Electronic Payments
- Standard for Information Security related to Vendors and External Parties
- Standard for Security Requirements of Information Systems
- University’s Cash Management Plan
Revision History
- Initially approved by the AVC for Finance on November 25, 2024