Payment (Credit/Debit) Card Processing Standard

I. Executive Summary and Purpose

The Payment (Credit/Debit) Card Processing Standard provides the requirements and direction for all payment (credit/ debit) card processing activities at UNC Charlotte.

The following sources were consulted and provide the basis for this program: ISO 27002 and the Payment Card Industry Data Security Standards (PCI DSS).

This Standard defines the responsibilities of employees, administrative units, organizations and affiliates that process payment cards on behalf of UNC Charlotte or its affiliates or have access to UNC Charlotte’s computing and network resources that are utilized for the processing of payment cards. All relevant provisions contained in University Policy #311 and the Standard for Responsible Use are applicable and included by reference in this document. This Standard supersedes all other associated UNC Charlotte regulations and procedures pertaining to payment card processing.

II. Scope

This standard applies to:

A. All academic and administrative units, organizations, affiliates, and employees of UNC Charlotte who accept credit/debit card payments for University business.

B. All external organizations contracted to provide outsourced services for Credit/Debit Card Processing for University business by the parties described in II. A.

C. All academic and administrative units, organizations, affiliates, and employees of UNC Charlotte who provide Credit/Debit Card Processing services for third parties.

III. Standard

A. Units must obtain approval from the Vice Chancellor for Business Affairs (VCBA) or his/her designee to process Payment (Credit/Debit) Cards.

This includes, but is not limited to:

1. All contract and software and/or equipment purchases or usage. This applies regardless of the transaction method used (e.g. eCommerce, POS device, mobile capture, or eCommerce outsourced to a third party). All outsourcing agreements must meet the standards set forth in the Payment (Credit/Debit) Card Processing Procedures.
2. All technology implementations associated with Payment (Credit/Debit) Card Processing. Implementations include any activity that impacts UNC Charlotte ITS infrastructure, enterprise applications, security, and/or staffing, as well as those that might impact the designated VCBA platform for card processing and/or the staff associated with it. All technology implementations (including approval of authorized payment gateways) associated with the Payment (Credit/Debit) Card Processing must be in accordance with the Payment (Credit Card) Processing Procedures.
3. All methods of capture and transmission of payment card data.
4. The approval of campus units, organizations, or individuals to conduct business utilizing payment cards and the approval of staff within their areas to interface with payment card data.

B. All Payment (Credit/Debit) Card Processing activities must be registered with the unit designated by the VCBA.

C. Cardholder data may not be stored on any UNC Charlotte computer device or network. Any exceptions must be in writing and signed by both the VCBA and Chief Information Officer (CIO). Anyone who is granted an exception must contact ITS Information Security for assistance with interpretation and implementation.

D. All departments or units which receive approval for UNC Charlotte card processing activity must comply with the Payment Card Industry Data Security Standards (PCI DSS) and are required to validate their compliance as specified by the Standard and UNC Charlotte validation requirements.

E. All Payment (Credit/Debit) Card Processing activities must comply with the state of North Carolina General Statutes (G.S.) and policies. That includes but is not limited to the North Carolina (NC) G.S. 147-77 (Daily Deposit Act), NC Office of the State Controller (NC OSC) Policy 500.1 (Maximization of Electronic Payment), 500.2 (Master Services Agreements for Electronic Payments), 500.11 (Compliance with PCI Data Security Standards), 500.13 (NC Security and Privacy of Data), and NC Session Law 99-434 which amended multiple General Statutes related to the acceptance of electronic payments.

F. All staff that interface with payment card activities, cardholder data, and/or associated reporting or administrative portals must meet requirements detailed within the PCI DSS and Payment (Credit/Debit) Card Processing Procedures.

G. All Payment (Credit/Debit) Card Processing will be conducted according to current Payment (Credit/Debit) Card Processing Procedures.

IV. Procedures

The Payment (Credit/Debit) Card Processing Procedures document provides the details for implementing this Standard. These procedures carry the full force of this Standard.

V. Revisions and Exceptions

This Standard may be revised only with the approval of the VCBA or his/her designee of UNC Charlotte. The VCBA and the CIO may grant exception to this Standard or the Payment (Credit/Debit) Card Processing Procedures document by mutual agreement.

Related Resources

Legal References:

• Payment Card Industry Data Security Standard (PCI-DSS)
• North Carolina State Laws and Regulations
  • NC G.S. 147-77 (Daily Deposit Act)
  • NC Session Law 99-434
  • NC OSC Policy 500.1 (Maximization of Electronic Payment)
  • NC OSC Policy 500.2 (Master Services Agreements for Electronic Payments)
  • NC OSC Policy 500.11 (Compliance with PCI Data Security Standards)
  • NC OSC Policy 500.13 (NC Security and Privacy of Data)

Other References:

• UNC Charlotte Credit/Debit Card Processing Procedures
• UNC Charlotte Policy 307 Responsible Use of University Computing and Electronic Communication Resources
• UNC Charlotte Policy 311 Information Security
• UNC Charlotte Standard for Information Classification
• UNC Charlotte Guideline for Data Handling
• ISO/IEC 27002

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management

Revision History

Approved: 10/5/2006
Revised: 1/7/2015

Last Updated: January 7, 2015