Guideline for Card Present Payment Processing

Purpose

The purpose of this document is to provide guidance in the usage of Card Present (CP) in person payment (credit/debit) card processing.

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

Merchants must purchase, lease, rent or utilize a Payment Card Industry (PCI)-listed Point-to-Point Encryption (P2PE) solution from the Payment Card Security Standards Council (PCI SSC), obtained through or approved by Office of the Bursar – Merchant Services in conjunction with North Carolina Office of the State Controller (NC OSC) to accept CP payments. 

Complete the EC : POS Terminal Order Form to request the rental of an approved POS device to accept CP transactions.

Approved Equipment Exceptions

Departments requiring customized equipment for POS transactions must contact the Office of the Bursar – Merchant Services before such equipment is purchased, leased, rented or utilized. Merchant Services will work in conjunction with OneIT to review and approve special requests. Additional information and/or external consultation may be required. The requestor will bear all external costs related to the exception approval process. 

• Any device not part of a PCI-listed P2PE solution from the PCI SSC must be configured to process transaction data only through a cellular connection or on the segregated PCI network. University card processing through any device not part of a PCI-listed P2PE solution from the PCI SSC must not take place on the main University network. Merchants are responsible for ensuring that the proper configuration of network devices is in place. OneIT and Merchant Services will assist as needed.

Using Your Approved Equipment

Current procedures for acceptance of CP transactions must be followed. Those may be referenced in the UNC Charlotte: Merchant Training, or at the websites of participating card companies (e.g., Visa, MasterCard, and American Express).

Protecting Your POS Equipment

• POS terminals must be protected from tampering and tracked. 
• Physical access to and oversight of terminals shall be limited to personnel who have completed the merchant training requirements for card processing. 
• If terminals are customer-facing, they should be monitored while in use and secured when not in use. 
• Terminals must be inspected for tampering daily and reports associated with inspections must be returned to ecommerce@charlotte.edu monthly. 
• Any suspicious behavior or indications of device tampering or substitution must be reported to ecommerce@charlotte.edu.  
• If terminals fail and are replaced by the merchant through the merchant services provider, ecommerce@charlotte.edu must be notified. 
• The identity of any third party persons claiming to be repair or maintenance personnel must be verified prior to granting them access to modify or troubleshoot devices. 
• Merchant Services must be notified at ecommerce@charlotte.edu if third party persons are granted access to terminals.

Related Resources

• Standard for Card Present Payment Processing

Revision History

• Initially approved by the AVC for Finance on November 25, 2024