Requirements for Payment Card Processing
If you are considering accepting payment cards as a method of collecting revenues for your University department or unit, e.g., for merchandise sales, event registration, or other University-related revenues, you should become familiar with the UNC Charlotte Payment (Credit/Debit) Card Processing Standard and the UNC Charlotte Payment (Credit/Debit) Card Processing Procedures. Below is an overview of some key points to understand:
General Requirements for Payment Card Processing
- Any department, college, group, or individual who wishes to process credit/debit cards (payment cards) must receive approval from their departmental Business Manager and the eCommerce Office (eCO).
- All card processing for the University must operate under a UNC Charlotte Merchant Account/ID (see below under “Establishing a New Merchant Account”) or an approved alternate process.
- All contracted services or other purchases related to card processing must receive approval from the eCO and ITS (if appropriate) before they are initiated. All contracts which involve card processing, or link to third-party card processing sites, must be reviewed by the eCommerce Manager before they are executed. Any card processing contract that does not contain the required language must go through an Addendum process before card processing setups are implemented.
- All online card processing must occur on an approved, secure web site, through an approved third-party processor.
- Face-to-face transactions must be processed on Point-of-Sale (POS) equipment ordered or rented through the eCO on terminals approved and provided by the State, or through an eCO-approved virtual terminal.
- All staff that interface with card transactions must complete the individual requirements for card processing, as listed below under “Establishing Merchant User Access”.
- Access to reporting systems is granted on a least-privilege basis, limited to the smallest number of staff required to complete the related tasks.
- All card transactions that are processed on behalf of the University or its affiliates must be deposited to the University Cashiers on a daily basis.
- Transaction fees, as set by NC OSC (North Carolina Office of the State Controller), are charged on all processed transactions. General Accounting receives and pays these invoiced charges and debits the designated merchant’s fund monthly.
- Documentation of processes related to card processing is required to be submitted to the eCO at least annually and whenever significant changes occur.
- Merchants must complete an annual Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ), signed Attestation, and other related documentation as required.
Establishing a New Merchant Account
- Complete an Initial Interest Form to Process Payment Cards to assess whether your department’s/unit’s activity meets the criteria to accept payment cards at UNC Charlotte.
- Once your Interest Form has been approved, complete an Application to Process Payment Cards (EC-APP).
- Approval must be obtained by your department’s Business Manager before submitting to the eCO.
- Note that a University eCommerce ‘Merchant Account’ is established for each major department on campus that accepts payment cards. If your department does not currently have its own Merchant Account, certain minimum sales thresholds apply for establishment of a new Merchant Account.
- Note also that you must know detailed information about your potential payment card processing setup to fill out this application. Required fields include: business case, frequency and volume of transactions, types of processing requested (e.g., online, face-to-face/POS), Banner Fund code to deposit revenues into and from which to charge credit card fees, draft refund policy, list of employees who will be handling card data, and agreement to the following statements:
- Storage/Retention: University staff and entities are prohibited from storing the Primary Account Number (PAN) or Sensitive Authentication Data (SAD), physically or electronically (e.g., computer hard drives, CDs, Disks, and other external storage media), after authorization of the transaction. Records pertaining to card transactions will be kept in a physically secure, limited access location for two fiscal years. If no litigation, claim, audit, or other official action involving the records has been initiated, all records will be destroyed via cross-cut shredding after this time period.
- Sensitive Cardholder Data (CHD) (as defined by the Payment Card Industry Security Standards Council – PCI SSC): Our office will not store the Primary Account Number (PAN) or any sensitive authentication data (Full magnetic stripe data or chip equivalent, card validation number/security code, or PIN block) physically or electronically. Any request to accept sensitive CHD by mail will be pre-approved by the eCO, and the physically received portion of the record containing CHD will be cross-cut shredded immediately after the transaction is entered for processing (the day it is received). Sensitive CHD will not be collected/accepted via email or fax. Any sensitive CHD gathered via POS devices will only be stored within the device until settlement (must occur daily), after which the data is automatically erased.
- Receipts: All software will be configured so that all customer and merchant receipts print only the truncated card number (the last four digits), and the customer copy does not display the expiration date. (N/A for internet-only merchants)
- Deposits: Our office will complete and submit a Payment Book Receipt (PBR) (with the required supporting documents attached) to the Cashier’s Office no later than noon of the business day following each credit card settlement.
- The eCommerce office will make a final determination of the best business solution available after evaluation of the application.
- If, as part of the payment card processing setup, the applicant desires a third party application that interfaces with the University network/gateway processor, the applicant must also:
- Receive approval from the eCO for the use of the requested third party before the third party is contracted.
- Work with the eCO to ensure contracts reflect required PCI and card processing language. No contracts that involve card processing are to be executed without approval from the eCO first.
- Receive approval from ITS if the third-party agreement involves ITS resources; such agreements must comply with IT Governance processes. A review of those may be located at IT Governance.
- Once a business solution is agreed upon and approved, if a new Merchant Account is to be created, the new Merchant must complete a Merchant Agreement Form.
- This must be signed by the departmental Business Manager before sending to the eCO.
- The eCO will then establish the new Merchant Account and set up required account information with NC OSC.
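As an added example (not part of the University's standard or of any software the page describes), a small Python check that applies the receipt rule above to receipt text: card numbers must be truncated to the last four digits, and the customer copy must not show an expiration date. The two sample receipts are constructed, using the well-known Visa test number 4111 1111 1111 1111; the Luhn check filters out order numbers and other long digit runs that are not card numbers.

```python
import re

# Constructed sample receipts (not from the page): one configured correctly, one not.
COMPLIANT_CUSTOMER_COPY = """UNC Charlotte - Sample Merchant (constructed)
VISA  ************1111
Order 1234567890123456   Total $25.00
"""
NONCOMPLIANT_CUSTOMER_COPY = """UNC Charlotte - Sample Merchant (constructed)
VISA  4111 1111 1111 1111   Exp 12/26
Order 1234567890123456   Total $25.00
"""

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A labelled expiration date such as "Exp 12/26" or "Expires: 12/2026".
_EXPIRY = re.compile(r"(?i)\bexp(?:iry|ires|iration)?\b\s*[:.]?\s*\d{2}\s*/\s*\d{2,4}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to its last four digits, as the receipt rule requires."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text: card numbers that were not truncated."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def customer_copy_compliant(receipt: str) -> bool:
    """Customer copy: no full card number and no expiration date may appear."""
    return not find_unmasked_pans(receipt) and _EXPIRY.search(receipt) is None
```

Run the check against a terminal's or web application's sample receipt output whenever receipt configuration changes, and treat any hit as a configuration defect to correct before the setup goes live.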
Establishing Merchant User Access
Once a Merchant Account is established, each employee that has access to and/or is required to handle cardholder data must:
- Be a permanent employee of UNC Charlotte.
- Complete a background check (completed by HR for all new employees prior to hire).
- Complete all required trainings and forms which include, but may not be limited to, initial and annual training required for the PCI Data Security Standards (PCI DSS), and the ITS Security Awareness Training. Information on training may be located on the eCommerce Training page.
- Sign the DSS Acknowledgement Form (EC Acknowledgement Form).
- Complete the EC Merchant Access Request to Reporting Systems. (Access the form via the Imaging website at: https://workflowforms.charlotte.edu/imaging/imaging-forms-department/ecommerce)
- This must be approved by the employee’s supervisor.
- Approval for access will be evaluated based on:
- Whether the above requirements are met,
- The business need for access, and
- The number of users already granted access within the requesting department.
- Once approved, the eCO will set up access with NC OSC to both ClientLine (for STMS) and OMS (for AmEx) and notify the user. The new user must log in to OMS within 72 hours of initial setup. Access to the TouchNet Payment Gateway and/or TouchNet Marketplace is also initiated via the EC Merchant Access Request form and is implemented by the eCO.
- To maintain access to eCommerce reporting systems, users must log in every 21 days, or their access will automatically lapse and may require that the access request be resubmitted.