Manuals, Guides, and Procedures

Payment method

The preferred method for paying for memberships to professional associations is to use a University-issued Purchasing Card (P-card).

Other allowable methods include:

• Submit a Electronic Check Request (eCR) only if payee does not accept a credit card
• Submit an Employee & Student Direct Pay Request (ESDPR)

Rationale and other considerations

The costs associated with professional memberships related to an employee’s job duties may be allowable. The decision on allowability is based on the requirements in the Office of State Budget and Management (OSBM) Budget Manual Section 4.7.4, “Membership Dues” (see link below). Generally, OSBM requires that membership dues paid from state funds are 1) approved by the employee’s supervisor and department head or designee; and 2) for the benefit of the University, not the individual. Because the P-card allows for an improved approval and payment process, it is the preferred purchasing method for such transactions.

How to do it

1. Review the resources below to confirm the allowability of the purchase and obtain supervisor/department head approval.
2. The membership fee may then be paid using a P-card.
3. For memberships paid via General Funds, documentation must be uploaded into Works that shows department head approval and attestation that the membership is for the benefit of the University, not the individual.

Policies	Procedures	Training and Reference Materials
University Policy 601.8, Appropriate Use of University Funds OSBM Budget Manual (Refer to Section 4.7.4 on Membership Dues)	Purchasing Card Manual	Cardholder/Reconciler/Approver Training eCR Instructions Employee/Student Direct Pay Request (ESDPR) Form Expense Account Codes Purchasing Card Reference Guide (PCRG)

Questions?

Email the Purchasing Card staff at purchasingcard@charlotte.edu.

Last Updated: August 29, 2023

Overview

As part of UNC Charlotte’s PCI Compliance program (payment card security), all merchants that accept card information as a form of payment through point of sale, web, phone, or paper form are required to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) in order to continue to accept payment cards on behalf of the University or its affiliated entities.

Merchant Training

Merchant Training is required under PCI DSS and the University’s Payment (Credit/Debit) Card Processing Procedures section IV. B. for all employees who will be interacting with payment card data, functions, or systems (e.g., credit and debit cards) as part of their job duties. This training is now available on demand as employees are hired and/or change their role, and will be reassigned annually on February 15, as required under PCI DSS and the University’s Payment (Credit/Debit) Card Processing Procedures. 

• Email​ eCommerce@charlotte.edu to request this training for you or your employees. Once assigned, you will receive a separate email notification with more detailed instructions. You will have 30 days to complete the training through the Learning & Development Portal. Reminder notices will be sent to you and your supervisor closer to the due date.
• This training now includes information for individuals responsible for recording daily Payment Book Receipts. Email cashiersoffice@charlotte.edu if you have any questions about submitting your deposit.

Security Awareness Training

Security Awareness Training (SAT) is also an important component of merchant training offered through the Learning & Development Portal and is required for all employees who will be interacting with payment card data, functions, or systems (e.g., credit and debit cards) as part of their job duties. SAT is required to be completed annually by merchants.

• Guidance for accessing the training is located on the OneIT Information Security Education webpage and the University FAQ site.
• Guidance for completing SAT training again is located in this FAQ.

Contact Email: eCommerce@charlotte.edu

Last Updated: March 22, 2024

Payment method:

Authorized travelers can seek reimbursement for mileage, parking, and transportation costs using either the Travel Reimbursement & Expense Report (TRER) Form or the Mileage and Transportation Reimbursement (MTR) Form. The nature of the travel determines which form to use.

This applies to both employee and non-employee travel for valid university purposes.

When to use a Travel Reimbursement & Expense Report Form: Use a TRER for claiming mileage and parking expenses if the traveler claims other travel-related expenses while traveling on pre-approved University business, AND:

• The trip takes the traveler 35 miles or more from the University duty station; and
• Involves an overnight stay.

When to use a Mileage and Transportation Reimbursement Form: Use an MTR if the traveler is only claiming mileage and ground transportation expenses from an approved University business trip where there is no overnight stay and subsistence is not reimbursable.

Rationale and other considerations:

If you are using your personal vehicle on approved, official University business, you can be reimbursed for your mileage. Mileage will be reimbursed from the closer of home or duty station.

When driving to the airport mileage is allowed for the trip to and from Charlotte-Douglas International Airport, when you are planning to park your car for the duration of travel, or when a private party is dropping you off at the airport. Please note that mileage from the University is limited to 15 miles each way.

For mileage reimbursement, you should include printed directions that show total miles driven. You may use an online mapping service for this documentation (e.g., Google Maps, Mapquest). If your actual mileage exceeds direct round trip miles, please provide an explanation. Travelers are encouraged to request motor fleet vehicles or use rental cars for University travel, subject to availability.

Note: Please refer to the Safety & Security page for details regarding insurance coverage when using personally-owned or University-owned vehicles.

How to do it:

1. Review the policies and procedures listed below.
2. Complete the appropriate form:
   • Travel Reimbursement & Expense Report Form (tab 2 in the link provided below), or
   • Mileage and Transportation Reimbursement Form (link provided below).
3. Attach required documentation. Documentation depends on the type of reimbursement request and may include:
   • Parking receipts
   • Printed directions that show total miles driven
   • Travel Authorization
4. Obtain required signatures from traveler and approver.
5. Submit to Travel & Complex Payments.

Policies	Procedures	Forms/Links	Training and Reference Materials
University Policy 602.7, Travel Authorization and Reimbursement OSBM Budget Manual (Refer to Section 5 for Travel Policies) IRS Travel, Entertainment, Gift, and Car Expenses Publication (Publication 463) University Policy 601.8, Appropriate Use of University Funds	Travel Manual Safety & Security Insurance Page	Travel Forms Package Mileage and Transportation Reimbursement (MTR)	General Guide for Travelers

Contact for additional questions:

Send an email to the Travel mailbox at travel@uncc.edu, or refer to the list of contacts on the Travel & Complex Payments website. Last updated 10/05/2018, 7/19/19

Last Updated: July 19, 2019

University Policy 602.10, Mobile Communication Device (MCD) Allowances, establishes when the University will provide payment for employee use of MCDs when required to support business activities of the University, along with related administrative requirements. It is drafted with the intention of complying with the Internal Revenue Service (IRS) and other applicable statutes, regulations, and guidance. This policy was initially approved in September 2009, redesignated from UP-317 to UP 602.10 in October 2017, and last updated in April 2022.

Please see the following guidance:

• UP 602.10, MCD Allowances
• MCD Supplemental Procedures
• MCD Allowance Request eForm and documentation
• MCD Allowance FAQs

Please contact your department’s administrative office or the following departments for questions about MCD allowances:

• Program questions: Marlo Hardiman, assistant controller for tax and payroll, in the Payroll Department.
• Processing questions: Human Resources at hrsystems-support@charlotte.edu

Last Updated: April 26, 2022

• Independent Registered Municipal Advisor exemption letter (“IRMA Exemption”)

Purpose: The municipal advisor letter serves as a certificate of representation between UNC Charlotte, its affiliated entities, and their retention of a municipal advisor. We are represented and will rely on our municipal advisor to provide advice concerning the issuance of municipal securities, investment of bond proceeds, escrow investments, and other financial services needs. Once a new municipal advisor is assigned, an updated letter will be made public on this page.

Last Updated: September 16, 2022

• Nonresident Alien Tax Compliance

Training on Nonresident Alien Tax Compliance

Last Updated: February 22, 2017

Obtaining a receipt book

• Fill out section 1. of the Receipt Book Request Form and email it to bursar@uncc.edu.
• They will receive your request and update the “Cashiers Only” portion of the form. They will then email you and let you know your book is ready for pick up. Please allow 2 hours for us to log your information and send you a return email that your book is available for pick up.
• You must be a full time faculty or staff to request a book and you must bring your staff ID card with you to pick up your book. You are responsible for this book until it is checked back into the Cashiers.

depositing information

The Daily Deposit and Reporting Law (G.S. 147-77) require the depositing of all funds on a daily basis and to report the same on a daily basis. An exemption may be granted provided the funds to be deposited do not exceed $5000.00 and that they are deposited at least once per week. For additional information, see University Policy 602.4.

using the receipt book

A receipt must be written when receiving payment in cash. The receipt book consists of three copies. The top receipt should be given to the payee, the middle copy should stay with the department and the third copy stays in the book for cashier reconciliation purposes. You will need to bring this book to the Cashier’s Office each time you make a deposit. On the deposit form you should indicate the starting receipt and the last receipt included in the deposit. The cashier will add these receipts to make sure they balance with the deposit form and initial, date, and write down the Banner receipt number on the last receipt.

If you should need to void a receipt please write VOID in big letters across the receipt and all three copies MUST remain in the book. If the top copy has already been torn out, please staple or tape it back in.

When your event is over or all receipts have been used (whichever is first) please return the book back to the Cashier’s Office after all your deposits have been made. The cashier will sign it back in.

**If your receipt book is lost, we will notify the business manager/department head and inform them that you will no longer be able to collect monies on behalf of the department until the receipt book is found.**

If you have any questions regarding these procedures please email the Cashier’s Office at bursar@uncc.edu.

Last Updated: July 28, 2022

Instructions on how to pay for non travel reimbursements.

Payment method:

Use an Employee/Student Direct Pay Request (ESDPR) if the recipient is a:

• Current UNC Charlotte employee
• Student

For payments to non-student/non-employee vendors, use the electronic check request (eCR).

Rationale and other considerations:

Payment of non-travel reimbursements of expenses incurred (and not for services performed) should be initiated by submitting an ESDPR. This facilitates appropriate review and approval by Financial Services and helps ensure amounts paid are properly tracked for tax reporting purposes. How to do it:

1. Download the ESDPR and complete according to the form instructions.
2. Submit the completed form to the Disbursements Office according the instructions listed on the form.

Policies	Forms / Links
University Policy 601.8, Appropriate Use of University Funds	eCR Instructions Employee/Student Direct Pay Request (ESDPR)

Contact for additional questions:

Email the Disbursement-Travel inbox at travel@uncc.edu, or refer to the list of contacts on the Disbursements-Travel website.

Contact Email: travel@uncc.edu

Last Updated: December 1, 2022

Instructions on how to pay for other travel related expenses.

Payment method:

Use a Travel Reimbursement and Expense Report Form to request reimbursement of taxi, ridesharing services, train, bus, ferry, toll expenses, tips/gratuity, or other related expenses incurred while traveling on University business. This applies if the traveler is a:

• Current UNC Charlotte employee,
• Current employee of an NC state agency,
• Student, or
• Independent Contractor.

Other acceptable payment methods include using a University-issued Purchasing Card (“P-Card”).

Note: Refer to University Policy 601.8, “Appropriate Use of University Funds” to confirm if this is a permissible use of funds for your area.

Rationale and other considerations:

Allowable ground transportation expenses include:

• City/local subway, train, bus, taxi, ride-sharing services (i.e., Uber, Lyft), or ferry
• Rental car, if prudent
• Parking (lots and meters)
• Highway/interstate tolls

You will be reimbursed only for transportation used to ensure that you arrive at your business destination – not for personal preference, going to off-site restaurants, or for tourist activities. Original, itemized receipts are required for reimbursement of ground transportation expenses. Receipts are not required for ground transportation expenses under $5, such as parking meter payments (provide an explanation in the comments section of the form). “Tips” do not pertain to meals or tips that are added to other claimed expenses (such as taxi or bus), but rather refers to gratuities for services rendered in which there are no associated costs (example: bell service, housekeeping service, or airport luggage service). When tips are claimed in excess of the guidelines stated in the University Travel Manual, they should be justified in writing and attached to the travel reimbursement form. Please refer to the University Travel Manual (see link below) for additional details.

How to do it:

1. Review the policies and procedures listed below.
2. Complete the Travel Reimbursement and Expense Report Form (tab 2 in the link provided below), along with additional documentation, if required.
3. Submit the completed form(s), along with the previously approved Travel Authorization Form, to Travel & Complex Payments according to the instructions listed on the form.

Policies	Procedures	Forms / Links	Training and Reference Materials
University Policy 602.7, Travel Authorization and Reimbursement OSBM Budget Manual (Refer to Section 5 for Travel Policies) IRS Travel, Entertainment, Gift, and Car Expenses Publication (Publication 463) University Policy 601.8, Appropriate Use of University Funds	Travel Manual	Travel Forms Package	Know Before You Go: A General Guide for Travelers Expense Account Codes

Contact for additional questions:

Send an email to Travel or refer to the list of contacts on the Travel website.

Contact Email: travel@charlotte.edu

Last Updated: September 14, 2018

UNC Charlotte Strategy: physical location of workforce

• UNC Charlotte has a strong preference for a North Carolina workforce. Hiring preference should be given to employees living and working in-state when all other factors are equal.
  • As a North Carolina entity, UNC Charlotte has a responsibility to provide NC public sector jobs when possible.
  • This applies to students, including graduate assistants, and temporary employees.
• At this time, a workforce abroad should be avoided if possible considering the direct and indirect costs of compliance.
• Restrictions:
  • Term: Out-of-state arrangements must be temporary in nature. Terms are limited to one year. Renewals must be approved annually.
  • Multiple jurisdictions: UNC Charlotte cannot accommodate withholding prorated income taxes for more than one state in a single pay period.
  • IT Security: Employees must use University-managed devices when working remotely.

Definition of Out-of-State Employee

An employee who will be located outside the state of North Carolina when performing work for UNC Charlotte. Examples:

• A part-time faculty member teaching online classes 100% remotely outside of North Carolina.
• A full-time faculty member on paid leave residing out of state and working on grant activity for UNC Charlotte.
• Additional examples are included in the FAQs below.

Procedures

If a potential need arises for an employee to complete work for UNC Charlotte from a non-NC jurisdiction for more than one month, complete the Out-of-State Work Approval Form at least 60 days prior to the proposed start date of the arrangement. All approvals as indicated on the form must be obtained.

The form is not needed if:

• the duration of the work to be completed outside of NC is for one (1) month or less; or
• the employee will not be doing work for UNC Charlotte while outside of NC (e.g., employee is on leave, or employee is part of a faculty exchange program); or
• the employee is attending a work conference in another state

Note that the Out-of-State Work Approval Form must be completed in addition to standard Telework/Remote Work Request Form:

• For staff: Telework/Remote Work Request Form
• For faculty: Faculty Duty Station Attestation Form

potential costs

• Pass-through costs (e.g., state-specific benefits) may apply to individual employees or their hiring departments.
• Costs are incurred every time the University must set up to withhold income taxes and set up unemployment insurance in other states. To check if the University is already set up in a specific state, contact the Tax Office.
• Out-of-country employment requires contracted service with a professional employer organization (PEO). Estimated additional cost is 40-60% of the employee’s salary.

Background

Almost all states require employers to withhold tax from wages earned in that state. To maintain a lawful out-of-state or international employee, UNC Charlotte must comply with requirements that vary by jurisdiction and include:

• Employer registration
• Employment and wage laws, including minimum wage and required pay frequency
• Income tax withholding
• Other taxes/withholding (e.g., disability, paid family leave, local jurisdiction requirements, required benefits)
• Monthly/quarterly/year end reporting
• New hire reporting
• Unemployment insurance (UI)
• Workers’ compensation

Resources

• AA-43: Faculty Duty Station Attestation Form
• HR Teleworking/Remote Work Request Form for SHRA and EHRA Non-faculty Employees
• Out-of-State Work Approval Form – Must be completed in addition to the standard telework request forms, e.g., HR Teleworking/Remote Work Request Form for SHRA and EHRA Non-faculty Employees and the Faculty Duty Station Attestation Form
• UNC System Office Regulation 300.8.6[R] on Flexible Work Arrangements and Remote Work
• ​University Policy: UP 101.22, Flexible Work & Telework Arrangements, Section II.C.9

FAQs

Does this apply to faculty who are out of state while on paid leave? (e.g., FMLA or official Reassignment of Duties)?
Yes, but only if they are doing work for the University or receive special compensation while in a different state.

How does this apply to faculty/staff who are working remotely and who may live in South Carolina?
Employees should complete the Out-of-State Work Approval Form. If approved, they should switch their withholding to South Carolina by completing and signing the South Carolina Form SC W-4, South Carolina Employee’s Withholding Allowance Certificate, and returning it to the Payroll Department on campus (Reese Building 3rd Floor; do not email forms with Social Security numbers). If at any point employees need to change their withholding back to North Carolina, they should submit an updated NC-4 in My UNC Charlotte and notify the Payroll Department to stop withholding in South Carolina via an email to payrolldept@uncc.edu.

If a faculty member teaches out of state/out of the country for 5 weeks, is that ok?
They should complete the Out-of-State Work Approval Form. Approvers will determine if the arrangement introduces additional compliance requirements in the jurisdiction in question.

What is the risk to the University?
The individual has the tax liability to pay; however, they may make a case to their department that they were not informed of the tax concern and need to report and expect the department to pay the taxes owed (which has occurred). The risk to the University is financial in terms of back taxes owed, interest, and penalties that may be applied to the campus from the taxing entity (out of state local or state entity or international entity) due to non-compliance. This risk is tied to the dollar level and pattern of non-compliance, but regulations are becoming more closely monitored by all entities given better use of data matching and the states’ needs for tax revenue in the current environment.

Contacts

For tax withholding questions, contact the Tax Office.
For faculty teleworking questions, contact Academic Affairs Budget & Personnel.
For staff teleworking questions, contact Human Resources.

Created February 2019
Rev. 3/5/19, 6/11/19, 10/4/19, 11/06/20, 3/18/21, 4/09/21, 7/01/21, 12/02/2022

Last Updated: December 2, 2022

Click play for an Overview of Travel Rules for State Employees provided by the North Carolina Office of State Budget and Management (NC OSBM).

Click play for an Overview of Travel Reimbursement for State Employees provided by the NC OSBM.

UNC Charlotte specific travel guidance and forms for faculty and staff are available on the Financial Services Travel webpage.

Contact Email: travel@uncc.edu

Last Updated: September 30, 2022

• Payment Card Processing Procedures

I. Executive Summary and Purpose

All University departments and entities shall process inbound payment (credit/debit) card transactions through approved mechanisms/systems, processors, and equipment. The merchant services provider, which is contracted by the North Carolina Office of the State Controller (NC OSC) and by the University, must be utilized for the processing of payment card transactions.

These procedures are required in direct support of the UNC Charlotte Payment (Credit/Debit) Card Processing Standard. This document sets forth details and procedural requirements for the implementation of payment card processing at UNC Charlotte or the outsourcing of that processing to a third party. More detailed information may be referenced in the UNC Charlotte Merchant Manual (currently in development).

The procedures’ scope, revisions, exceptions, and compliance are noted in the Payment Card Processing Standard.

II. Definitions

Definitions may be referenced within the eCommerce Glossary and/or the Payment Card Industry Security Standards Council (PCI SSC) website.

III. General Requirements

Oversight

A. All departments accepting credit/debit cards for payment must comply with the UNC Charlotte Payment (Credit/Debit) Card Processing Standard.

B. The Vice Chancellor of Business Affairs (VCBA) directs all payment card processing activity and related compliance validation at The University of North Carolina at Charlotte (UNC Charlotte). The oversight of card processing operations is delegated to the eCommerce Office (eCO) which resides within the Controller’s office.

C. UNC Charlotte is a state agency and as such must operate under the authority of the State of North Carolina statutes, policies, and guidelines. These policies dictate that all card processing be conducted through the Master Services Agreement (MSA) contracted by NC OSC. To comply with that state policy:

1. All accounts for card processing must be established through NC OSC via eCO. Campus academic and administrative units, organizations, affiliates, and employees shall not establish accounts for the acceptance of payment cards outside of this established means, or utilize other mechanisms which bypass the established setup and approval of card processing activities.

2. The outsourcing of payment card processing as well as the contracts associated with that activity must be approved by eCO and other University entities as required.

3. All card processing activities are subject to the PCI SSC specifically the Standards overseen by the Council: the Payment Card Industry Data Security Standards (PCI DDS), the Payment Application Data Security Standard (PA-DSS), and the Pin Transaction Security Requirement (PCI- PTS).

4. All card processing must adhere to North Carolina General Statutes and applicable policies. NC OSC provides oversight for UNC Charlotte payment card processing.

D. UNC Charlotte Office of OneIT oversees the governance of data security, use of IT systems, evaluation and recommendations of technologies, and provides direction and support for the security and networking of campus infrastructure utilized for card processing systems.

Security of Card Data

E. University staff and entities are prohibited from storing the Primary Account Number (PAN) or Sensitive Authentication Data (SAD), physically or electronically (e.g., computer hard drives, CDs, Disks, and other external storage media), after authorization of the transaction.

F. UNC Charlotte academic and business units are prohibited from establishing websites to receive and/or process CHD outside of the allowed eCommerce web infrastructure.

G. All payment card transactions processed over digital/IP lines must be configured so that the transaction data is processed only on the segregated PCI network. University card processing must not take place on the main University network. Merchants are responsible for ensuring that the proper configuration of network devices is in place. ITS and eCO will assist as needed.

H. Third parties, including student organizations, may not process payment cards over the University’s wired or wireless network without the approval of the Vice Chancellor for Business Affairs (VCBA) or his/her designee. Transactions may be processed on cellular devices that do not interface with the University network.

I. In some cases, University departments may support student organizations with specified special status (e.g., student government organizations). If such a student organization website is hosted on a University server, it will not be allowed to link out for payment processing; it is prohibited. Externally hosted (i.e., not hosted at/or by UNC Charlotte) student organization webpages that include payment processing, must have a visible disclaimer readily viewable on the site stating that the site is not the University or a part of it.

J. The PAN must be masked when displayed (the first six and last four digits are the maximum number of digits to be displayed). In most cases where truncation is needed, only the last four digits of the PAN should be displayed. Only personnel with a legitimate business need should be able to see the full PAN.

K. Cardholder Data (CHD), the PAN, and/or SAD are not to be left unattended or disclosed to others.

L. To the extent possible on electronic transactions, the sale transaction shall not take place on University computers or network resources. Any instance where this occurs must be fully disclosed, in advance, to eCO and approved in advance by that office in conjunction with ITS.

M. UNC Charlotte academic and business units are prohibited from accepting CHD via email, fax, or any electronic means including end-user messaging technology.

1. If an email is received by University staff that contains CHD, the CHD shall not be used to process the transaction and the email must be permanently deleted from the recipient’s mailbox. A new email must be created to reply to the sender with instructions on the proper procedures for submitting their card transaction for processing. (“Reply” must not be used because the card information is not to be resent over the network.)

2. If acceptance of CHD via fax is needed for business operations, approval must be requested and obtained through eCO. A request including business justification must be submitted to eCO. If fax usage is approved for card acceptance, then an analog fax setup must be used (vs. digital). Approved analog fax machines must reside in a physically secure location with controlled/ restricted access limited to those individuals who have completed the Requirements for Card Processing.

N. If acceptance of CHD via mail/hard copy is needed for business operations, approval must be requested and obtained through eCO. The academic/business unit will be responsible for documenting internal processes to handle the CHD per PCI DSS and eCO processes. The CHD must be secured with access to it limited to only those individuals who have completed the Requirements for Card Processing. The CHD must not be retained after authorization. The security code is not to be requested on any mailed in or hard copy forms.

O. Merchants approved to receive physical documents which contain the PAN must ensure those documents are:

1. Processed on approved devices as they are received.

2. Stored in a physically secure location until the transactions are processed, should there be any delay in processing.

3. Accessible only by staff that have completed the Requirements for Card Processing.

4. Securely destroyed so that all CHD is rendered unreadable once the transaction is processed or documentation is no longer needed.

P. At the time of disposal, all hard-copy materials containing the PAN and/or SAD must be crosscut shredded, incinerated, or pulped so that the CHD is rendered incapable of being reproduced or retrieved. All disposal methods must meet or exceed the PCI DSS requirement for destruction.

Q. All card transactions must be keyed into approved devices. Desktop or laptop computers, tablets, or other electronic devices are deemed “virtual terminals” if utilized by merchant staff or provided for customers for the entry of CHD. Such setups, or virtual terminals, are not to be used for entry of CHD by staff or customers unless approved by eCommerce and set up by ITS. Contact eCommerce for approval. The completion and submission of the EC-Virtual Terminal Request form will be required.

R. Only designated personnel, who have completed the individual Requirements for Card Processing, may have access to CHD, interface with customer card transactions, and/or obtain access to card reporting or administrative portals. Access to system components and CHD will be limited to only those individuals whose job requires such access. Access requests are to be submitted to eCO using the eCommerce form EC-Access Request to Reporting Systems, or at the following URL: https://workflowforms.charlotte.edu/imaging/imaging-forms-department/ecommerce

S. Personnel granted access to card reporting and/or administrative portals are prohibited from copying, moving, and storing CHD onto local hard drives and removable electronic media unless explicitly authorized to do so by eCO for a defined business need. If a business need is authorized, the data must be protected in accordance with all applicable PCI DSS Requirements.

T. Designated personnel that are approved to interface with CHD, customers, or portals are subject to University Policy 101.23, Employment-Related Background Checks and Criminal Activity Reporting.

U. Access to eCommerce reporting systems from off campus must be conducted on University owned equipment that is updated with current antivirus and required patches. These reporting systems (e.g., TouchNet, ClientLine, Online Merchant Services, CEO Portal) are not to be accessed via personally owned computers and devices.

V. Physical security and storage of infrastructure components that control or interface with card processing systems is managed by University ITS.

W. Information security incidents or concerns should be reported to University ITS. The UNC Charlotte Standard for Managing Information Security Incidents as well as the Guideline for Reporting Information Security Incidents provides guidance regarding action to be taken if a security incident is suspected or confirmed. See section IX of this document for additional detail.

Card Acceptance

X. Any University unit wishing to accept payment cards for goods and/or services must complete the EC-Application to Process Payment Cards (EC-APP) (path: S:\Campus Merchants\eCommerce Forms\EC-APP – Application to Process Payment Cards) form and submit that to eCommerce@charlotte.edu.

Y. Business manager approval is required for all card processing.

Z. The acceptance of gifts, donations, or sponsorships must first be approved through University Advancement before public-facing sites are enabled for acceptance of those monies.

AA. Upon approval to process card transactions, eCO will work with the campus unit to determine the appropriate merchant account to be utilized for the processing of card transactions. The eCO will request a merchant account, if a separate merchant account is necessary, for the college or department through NC OSC.

BB. The eCO will work with the campus entity regarding the means by which card transactions will be accepted:

1. Online – Card Not Present (CNP)

2. In person – Card Present (CP)

The eCO will facilitate the establishment of all CNP and/or CP operations for approved setups as well as submit orders for Point of Sale (POS) terminal equipment to be utilized.

CC. If specialized software and/or systems are required for processing, eCO (in conjunction with the University ITS) will work with the campus entity to approve that processing and ensure that processing standards and security measures are met.

DD. All departments or units issued a merchant account will be required to:

1. Complete the EC-Merchant Agreement.

2. Submit business processes for card processing at least annually to eCommerce, and when significant changes to the card processing environment occur.

3. Submit card data flow diagrams to eCommerce.

4. Complete required Self-Assessment Questionnaires (SAQs) and associated validation documentation requirements.

5. Attest to compliance with PCI DSS.

6. Ensure staff meet all requirements for card processing.

EE. Currently, UNC Charlotte accepts four major payment cards: Visa, MasterCard, American Express, and Discover (please note: Diners’ Club and JCB are accepted under the Discover agreement). It is expected that all University merchants engaged in the acceptance of card transactions accept all card types supported by the University and no others.

FF. Audits will be performed periodically by the UNC Charlotte Internal Audit Department to confirm card processing complies with PCI DSS and University standards and procedures.

Daily Responsibilities

GG. All merchants are subject to University Policy 602.4, Handling Cash, Checks, and Other Monetary Receipts.

HH. On a daily basis, the department must balance transactions and settle their sales electronically to the merchant services provider.

II. All merchants are subject to North Carolina law and policies. Specifically, merchants must:

1. Prepare appropriate deposit documentation and submit it to the University Cashiers via the Financial Transaction Request (FTR) form by 12:00 noon on the day that the settlement of funds for card transactions is reflected in the banking settlement reports.

2. Provide appropriate backup documentation to substantiate the deposit.

3. Provide deposit documentation on a timely basis for amounts debited or credited directly to the merchant account due to chargebacks, retrievals, refunds, reversals, or other activity which affects the merchant account funds.

JJ. Departments shall maintain adequate records of the sales transactions. Daily sales totals, logs, etc. substantiating revenue should be stored in accordance with state record retention policies and the current MSA.

KK. Reconciliation of all transactions must be performed on a regular basis. Transactions and account charges deposited to the University Cashiers must be reconciled and verified before the deposit is submitted. Supervisory review of accounts reflecting refunds, chargebacks, reversals and card fees should be conducted at a minimum on a monthly basis.

IV. Requirements for All Payment Card Transactions

A. Return, refund, and/or cancellation policies must be disclosed to the cardholder before the cardholder enters their card information for processing. Signs disclosing the policy must be clearly visible at the Point of Sale (POS) for face to face transactions or web site/online portal utilized for the merchant for internet transactions.

B. All customer receipts must truncate the PAN so that only the last four digits are printed on the merchant and the customer copy of the receipts. The receipts must not display the card expiration date or SAD.

C. All POS terminal and internet transactions must be batched and transmitted to the merchant card processor on a daily basis. Transactions are not to be held and batched at a later time.

D. The settlement of all funds must be reported to the University Cashiers no later than noon of the day that the funds appear in the settlement account. Current procedures for the deposit of those funds must be followed. Currently, sales totals (net of refunds) must be submitted on a Payment Book Receipt (PBR) deposit form along with a copy of the sales report from the card processor. A copy of the gateway batch settlement report (totals reports, not detail) must be included for internet transactions. The settlement tape from the POS terminal is no longer required to be included for POS terminal transactions; the merchant is to retain the settlement tape for audit purposes. The Payment Book Receipt (PBR) form is available on the Financial Services website; it may be located under Transaction Type on the Financial Transaction Request (FTR) form.

Transactions that occur on Friday, Saturday, and Sunday (or over holiday periods) must be deposited in the same manner (as above) on Monday (or the following business day) to the University Cashiers. A separate deposit must be created for each day that transactions occurred. The transactions are not to be combined for the weekend (or holiday period) and deposited on one form for multiple days.

F. Sponsorship monies collected must be accounted for and viewable to University Advancement. All monies received for sponsorships are to be deposited to account code 102654; the preferred departmental fund number may be used. A report detailing the donor information is to be attached to the deposit. Please see University Advancement Procedures: Corporate Sponsorship for more detailed information. (A copy may be accessed at: S:\Campus Merchants\Helpful Documentation\Corporate Sponsorship Process – for Units)

G. It is important that all campus merchants reconcile their payment card transactions. For POS transactions, the terminal settlement tape should be reconciled to the card processors’ settlement report POS transactions. For internet transactions, the gateway reports should be reconciled to the banking reports, and third party reporting systems (if applicable). Banner fund and account numbers must be reviewed periodically to ensure that they accurately reflect reported sales, refunds, and fees. Departmental staff is responsible for reconciling the card transaction activity and accurately reporting those amounts to the University Cashiers through the deposit process. The merchant, not the Cashiers, is responsible for pulling the settlement reports, and reconciling the amounts. If the use of a generic merchant account is approved by eCO for a campus entity, eCO will provide the appropriate sales reports to the entity for the deposit; it is the merchant’s responsibility to make the deposit.

H. The Cashier’s Office will compare the sales amount submitted per the Payment Book Receipt (PBR) form to the merchant card processor records and banking funding reports. They will inform the merchant of discrepancies. All discrepancies should be resolved within 24 hours so that sales can be posted to the departmental account in the UNC Charlotte accounting system on a timely basis.

I. Access to eCommerce reporting systems must be requested by the merchant for the purpose of providing appropriate personnel with required reports for reconciliation, research, and deposit. Accesses will be restricted to the least privilege needed to perform job responsibilities. Access requests must be submitted to eCommerce@charlotte.edu on the EC-Access Request to Reporting Systems form.

J. Merchants are responsible for investigating and responding to disputes, retrievals, and chargebacks, and should do so on a timely basis.

V. Additional Requirements for Point-of-Sale (POS) Transactions

A. All Card Present (CP) transactions must be captured on equipment approved by and/or obtained through eCO in conjunction with NC OSC. All card transactions will be processed on equipment compatible with the processing platform(s) of the University’s merchant services provider. The University’s merchant services provider is determined by UNC Charlotte in accordance with the NC OSC MSA.

B. Departments requiring customized equipment for POS transactions must contact eCO before such equipment is purchased, leased, rented, or utilized. The eCO will work in conjunction with University ITS to review and approve special requests. Additional information and/or external consultation may be required. The requestor will bear all external costs related to the exception approval process.

C. Current procedures for acceptance of CP (i.e., a face-to-face transaction) and CNP (i.e. a transaction accepted over phone or fax and entered manually into an approved POS device) transactions must be followed. Those may be referenced in the UNC Charlotte Merchant Manual (currently in development), or at the websites of participating card companies (e.g., Visa, MasterCard, and American Express).

D. POS terminals must be protected from tampering and tracked. Physical access to and oversight over terminals shall be limited to personnel who have completed the Requirements for Card Processing. If terminals are customer-facing, they should be monitored while in use and secured when not in use. Terminals must be inspected for tampering on a regular basis and reports associated with inspections returned to eCommerce on a monthly basis. Any suspicious behavior or indications of device tampering or substitution must be reported to eCommerce. If terminals fail and are replaced by the merchant through the merchant services provider, eCO must be notified. The identity of any third-party persons claiming to be repair or maintenance personnel must be verified, prior to granting them access to modify or troubleshoot devices. The eCO must be notified if third-party persons are granted access to terminals.

VI. Additional Requirements for Internet Transactions

A. All internet based Card Not Present (CNP) transactions must be captured on approved web interfaces. Any newly established processing setup for internet based transactions must utilize a designated University payment gateway and platform. TouchNet Information Systems, Inc. is the primary designated gateway processor and online transaction platform.

B. All payment card processing for the University will be coordinated through eCommerce. No individual department or campus entity shall enter into a contract that includes card processing functions or outsources card processing functions to a third party without the approval of eCO in conjunction with ITS.

C. Departments must contact eCO prior to purchase of specialized software or equipment so that customized processing applications are reviewed for compliance with standards, procedures, contract requirements, and feasibility. The eCO in conjunction with University ITS, the Office of Legal Affairs, the Internal Audit Department, and the applicable computer support unit will work with the department to ensure that processing standards, safeguarding measures, and legal requirements are met. Additional information and/or external consultation may be required. The requestor will bear all costs related to the external review, if required, for the approval process.

D. Approved third party software/equipment must be implemented according to the third party guidelines. Default vendor passwords and settings must be modified to unique passwords or settings before the system is installed on the University network or utilized for card processing.

E. Customer CHD must be entered or captured on approved third party hosted websites or payment gateway interfaces and not on University computers or network resources.

F. All data requested and collected through online shopping carts and web portals must comply with the University Guideline for Data Handling.

G. If a merchant is processing card transactions online and has no approved means to accept card transactions at an event (in a face to face environment), they must either not accept payment at the event or accept cash or checks. If cash or checks are to be accepted, the merchant is responsible for following all cash handling policies (University Policy 602.4, Handling Cash, Checks, and Other Monetary Receipts). They will need to request a Receipt Book from the Cashiers to provide the required receipt to the customer for monies received at the event if the monies are to be deposited to a University account. If monies are to be deposited to a non-University account, a receipt must still be provided to the customer and supplied by the merchant. If the merchant would like to accept card transactions at the event, they must request through eCO the rental of an approved POS device (see: EC : POS Terminal Order Form) or the use of a laptop or desktop computer as a virtual terminal. The completion and submission of the EC-Request for Virtual Terminal for Card Processing form will be required for laptop use.

VII. Outsourcing/Third party Contract Requirements

A. Any unit that wishes to utilize third party software that includes card processing functions or the outsourcing of its credit card transaction processing must request approval to do so in writing to eCommerce@charlotte.edu. The vendor selected by the campus entity must be approved through eCO and meet current requirements. Contracts and associated documentation must address these elements:

1. Compliance with all appropriate PCI SSC requirements (Payment Card Industry Data Security Standards (PCI DDS), the Payment Application Data Security Standard (PA-DSS), and the Pin Transaction Security Requirement (PCI- PTS)).

2. Compliance with NC Daily Deposit Act (NC G.S. 147-77)

3. Statements clarifying where CHD is captured; specifically, detailed information regarding integration with the designated gateway provider and linkage type must be disclosed.

4. If CHD is captured on the vendor’s network, they must:

a. Provide proof of PCI validation and/or PA-DSS validation. It is preferred that any third party that captures CHD be a validated Level 1 Service Provider.

b. Specify the elements of the PCI DSS for which they will be responsible and those for which the University must be responsible.

c. Provide documentation that clearly details the flow of CHD and specifies any outside entities’ applications or servers utilized.

5. Service level agreements

6. Remote access and use of Multi Factor Authentication

7. Personally Identifiable Information (PII)

8. Data retention and destruction

9. Liability

10. Business continuity

B. All contracts must be submitted to eCO for review and revision, as necessary, before they are executed. ITS, The Office of Legal Affairs, and Materials Management will be integral in the review process. ITS will oversee the final approval, signature, and execution of contracts that involve ITS resources.

C. Any third party agreement that involves ITS resources must comply with IT Governance processes. A review of those may be located at IT Governance.

D. A final copy of the executed contract must be submitted to eCommerce.

VIII. Review Process for Processing Request

A. Requests for card processing must be submitted to eCommerce@charlotte.edu using the EC-Application to Process Payment Cards (EC-APP) (path: S:\Campus Merchants\eCommerce Forms\EC-APP – Application to Process Payment Cards) form. The application includes requirements to:

1. Document the business need for accepting credit card transactions in a new unit or location.

2. Document anticipated transaction volume and mechanism for card acceptance.

3. Agree to basic rules for card processing.

4. Obtain approval of the business manager.

B. The eCO will review submitted requests and confer with ITS as needed. Requests will be reviewed for feasibility, functionality, compliance, and business operations

C. Third party contracts associated with the request must be submitted to eCO and will be reviewed by eCommerce, ITS, Legal, and Materials Management as needed. All contracts meet federal, state, PCI DSS, and University contractual requirements.

IX. Incident Response

A. Report any suspected or known security incident to:

a. Your supervisor and/or primary merchant contact for your area.

b. ITS. See the following resources below:

i. Guideline for Reporting Information Security Incidents: https://oneit.charlotte.edu/iso/guideline-reporting-information-security-incidents

ii. FAQ: How do I report an IT security incident? https://services.help.charlotte.edu/TDClient/33/Portal/KB/ArticleDet?ID=2081

B. Note: If the potential information security incident involves a compromised computer system:

a. Leave the computer system on and as-is, with all current computer programs running and current state of network access.

b. Do not shut down the computer, restart the computer, or remove the computer from the network until/unless directed to do by the ITS incident response team.

C. If the incident involves criminal activity, report it immediately to the UNC Charlotte Police and Public Safety Office.

D. Notify the Data Security Officer (DSO) or Information Security Liaison (ISL) for your college or department. Designated DSOs and ISLs are listed at: https://oneit.charlotte.edu/security/standards-guidelines/compliance.

E. ITS and the eCommerce Office will coordinate review for any incident which involves CHD and escalate if the deemed incident is valid and meets the threshold for escalation.

F. All merchant/departmental entities involved are expected to cooperate fully and in a timely manner with any investigation.

X. Exceptions to Regulation

A. Any request for an exception to the UNC Charlotte Payment (Credit/Debit) Card Processing Standard or UNC Charlotte Payment (Credit/Debit) Card Processing Procedures should be made in writing to the VCBA and CIO and include the following:

1. Reason for the exception request.

2. Steps that will be taken to ensure compliance with the standard.

3. Date the need for the exception will be no longer needed.

B. The eCO in conjunction with University ITS will work with the VCBA and the CIO to review the request for exception. Following a review of the request, the final approval or denial will be made by the VCBA.

Related Resources

Legal References

• Payment Card Industry Data Security Standard (PCI-DSS)
• Payment Card Industry Security Standards Council (PCI SSC)
• North Carolina State Laws and Regulations
• NC G.S. 147-77 (Daily Deposit Act)
• NC Session Law 99-434
• NC OSC Policy 500.1 (Maximization of Electronic Payment)
• NC OSC Policy 500.2 (Master Services Agreements for Electronic Payments)
• NC OSC Policy 500.10 (Merchant Cards Security Incident Plan)
• NC OSC Policy 500.11 (Compliance with PCI Data Security Standards)
• NC OSC Policy 500.13 (NC Security and Privacy of Data)

Other References

• American Express Merchant Regulations
• ECommerce Glossary
• Mastercard Merchant Rules
• UNC Charlotte Guideline for Data Handling
• UNC Charlotte Guideline for Reporting Information Security Incidents
• UNC Charlotte Payment (Credit/Debit) Card Processing Standard
• UNC Charlotte Policy 101.23, Employment-Related Background Checks and Criminal Activity Reporting
• UNC Charlotte Policy 307 Responsible Use of University Computing and Electronic Communication Resources
• UNC Charlotte Policy 311 Information Security
• UNC Charlotte Policy 602.4, Handling Cash, Checks, and Other Monetary Receipts
• UNC Charlotte Standard for Information Classification
• UNC Charlotte Standard for Managing Information Security Incidents
• Visa – Card Acceptance Guidelines

Please note: eCommerce forms may be located on the campus S drive at: S:\Campus Merchants\eCommerce Forms

Revision History:
Initially approved October 5, 2006
Revised: 4/30/2015, 8/15/2016, 4/30/2018

Last Updated: April 05, 2024

Payroll Calendar

Purpose: Add and view the University’s Google payroll calendar by selecting the payroll calendar link. Detailed instructions are available on the University FAQ site.

Contact Email: PayrollDept@charlotte.edu

Last Updated: January 23, 2024

• Petty Cash/Change Fund Procedures

Procedures for Petty Cash and Change Fund at UNC Charlotte.

Last Updated: February 7, 2022

• Petty Cash Change Fund Training

Petty Cash/Change Fund Policy and Procedures

Last Updated: February 7, 2022

• Pilferable Assets Template Example

Purpose: This template is an example of how to maintain important information about assets that are at risk of theft. Examples of pilferable assets that each department shall maintain include laptops, computers, data projectors and other pilferable assets costing between $1,000 and $5,000.   

Contact: fixedassets@charlotte.edu

Last updated: April 22, 2024

• Procedures for Other Payments to a Foreign National

Describes procedures for other payments to a foreign national.

Last Updated: November 13, 2014

• Procedures for Scholarship/Fellowship Payment to a Foreign National

Purpose: Describes how to process scholarship and fellowship payments made to a foreign national person. Examples of these types of payment may include but are not limited to the following: qualified scholarships for tuition; nonqualified scholarships for living expenses; travel award.

Contact Email: taxoffice@uncc.edu

Last Updated: April 28, 2023