Guideline for Mail Order Payment Forms

Purpose

The purpose of this document is to provide guidance on the use of mail order payment (credit/debit) card processing.

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar Merchant Services at ecommerce@charlotte.edu.

Guidelines

Cardholder Data (CHD) through the Network (i.e., Email, Electronic Form) is Prohibited

If University staff receive an email containing CHD: 

  • The CHD shall not be used to process the transaction 
  • The email must be permanently deleted from the recipient’s mailbox 
  • A new email must be created to reply to the sender with instructions on the proper procedures for submitting their card transaction for processing 
  • The Reply function must not be used, because the card information is not to be resent over the network

Obtain Approval to Receive Mail Order/Hard Copy Form

If acceptance of CHD via mail/hard copy is needed for business operations, approval must be requested and obtained through the Office of the Bursar Merchant Services. A request including business justification must be submitted to ecommerce@charlotte.edu. The academic/business unit will be responsible for documenting internal processes to handle the CHD per Payment Card Industry Data Security Standards (PCI DSS) and the Standard for Handling Cardholder Data.

  • The CHD must be secured with access to it limited to only those individuals who have completed the merchant training requirements for card processing 
  • The CHD must not be retained after authorization 
  • The security code is not to be requested on any mailed-in or hard copy forms

Handling Hard Copy/Physical Document Payments

Merchants approved to receive physical documents which contain the Primary Account Number (PAN) must ensure those documents are:

  • Processed on approved devices as they are received
  • Stored in a physically secure location until the transactions are processed, should there be any delay in processing
  • Accessible only by staff who have completed the merchant training requirements for card processing
  • Securely destroyed so that all CHD is rendered unreadable once the transaction is processed or documentation is no longer needed. At the time of disposal, all hard-copy materials containing the PAN and/or Sensitive Authentication Data (SAD) must be crosscut shredded, incinerated, or pulped so that the CHD is rendered incapable of being reproduced or retrieved. All disposal methods must meet or exceed the PCI DSS requirement for destruction.

Related Resources

Revision History

  • Initially approved by the AVC for Finance on November 25, 2024