Guideline for Contracting with Integrated Third Party Service Providers
Purpose
The purpose of this document is to provide guidance on establishing and maintaining contracts with third-party service providers that integrate with, or have access to modify, any portion of the UNC Charlotte payment card environment.
Scope
This guideline applies to all university employees, affiliates and authorized users who plan to work with a third party that will interact with payment card data, functions, or systems (e.g., credit and debit card processing) as part of its payment processing services through a University or affiliated entity merchant account.
Contacts
Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.
Guidelines
Before Contracting for Goods or Services
- Contact Merchant Services: Prior to entering into any contract or purchasing specialized software, equipment or systems necessary for payment card processing, departments must contact the Office of the Bursar – Merchant Services. Merchant Services will review customized processing applications for compliance with standards, guidelines, security measures, contract requirements and feasibility.
- Include Merchant Services in Request for Proposal (RFP): It is best practice to include the Office of the Bursar – Merchant Services in any formal RFP process involving payment acceptance.
- Proof of PCI DSS Compliance: Third-party service providers interacting with payment card data, functions or systems as part of their payment processing services must provide proof of Payment Card Industry Data Security Standard (PCI DSS) compliance and/or validation of their payment software. Preferably, any third party that captures Cardholder Data (CHD) should be a validated Level 1 Service Provider.
- Departmental Collaboration: The Office of the Bursar – Merchant Services in conjunction with Materials Management, OneIT, the Office of Legal Affairs, the Internal Audit Department and the applicable computer support unit, will work with the department to ensure that processing standards, safeguarding measures and legal requirements are met.
- OneIT Oversight: OneIT oversees data security governance, IT systems use, and technology evaluation and recommendations, and provides direction and support for the security and networking of campus infrastructure used for card processing systems. Submit any software and IT-related acquisition requests to OneIT for review before acquisition. OneIT will oversee the final approval, signature and execution of contracts and acquisitions involving technology.
- Additional Information and Costs: Additional information or external consultation may be required. The requestor will bear all costs related to the external review if it is required for the approval process.
- Implementation of Approved Software/Equipment: Implement approved third-party software/equipment according to the third party's guidelines. Change all default vendor passwords and settings to unique values before connecting the system to the University network or using it for card processing.
Contract Elements
Contracts and associated documentation must address these elements:
- Compliance with the OneIT Standards and Guidelines; specifically:
  - Standard for Security Requirements of Information Systems, and the related Information Security Checklist
  - Standard for Information Security related to Vendors and External Parties
- PCI SSC Requirements: Compliance with all applicable Payment Card Industry Security Standards Council (PCI SSC) requirements and the vendor's responsibility for specific PCI DSS requirements. If the vendor impacts the CHD environment, the contract must address:
  - Proof of PCI DSS compliance and/or validation of payment software
  - The specific PCI DSS requirements for which the vendor will be responsible and those for which the University will be responsible
  - Documentation that clearly details where CHD is captured, describes the integration with the designated gateway provider and the linkage type, and specifies any outside entities' applications or servers utilized
  - Service level agreements
  - Remote access and use of Multi-Factor Authentication (MFA)
  - Protection of Personally Identifiable Information (PII)
  - Data retention and destruction policies
  - Liability
  - Business continuity
A final copy of the executed contract must be emailed to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.
Related Resources
- Standard for Accepting Electronic Payments
- Standard for Information Security related to Vendors and External Parties
- Standard for Security Requirements of Information Systems
Revision History
- Initially approved by the AVC for Finance on November 25, 2024