Full List of Resources

Other Reimbursements (Non-Travel), How to Pay

Instructions on how to pay for non travel reimbursements.

Payment method:

Use an Employee/Student Direct Pay Request (ESDPR) if the recipient is a:

  • Current UNC Charlotte employee
  • Student

For payments to non-student/non-employee vendors, use the electronic check request (eCR).

Rationale and other considerations:

Payment of non-travel reimbursements of expenses incurred (and not for services performed) should be initiated by submitting an ESDPR. This facilitates appropriate review and approval by Financial Services and helps ensure amounts paid are properly tracked for tax reporting purposes. How to do it:

  1. Download the ESDPR and complete according to the form instructions.
  2. Submit the completed form to the Disbursements Office according the instructions listed on the form.
PoliciesForms / Links

University Policy 601.8, Appropriate Use of University Funds


eCR Instructions

Employee/Student Direct Pay Request (ESDPR)

Contact for additional questions:

Email the Disbursement-Travel inbox at travel@charlotte.edu, or refer to the list of contacts on the Disbursements-Travel website.

Last Updated: December 1, 2022

Other Travel-Related Expenses, How to Pay

Instructions on how to pay for other travel related expenses.

Payment method:

Use a Travel Reimbursement and Expense Report Form to request reimbursement of taxi, ridesharing services, train, bus, ferry, toll expenses, tips/gratuity, or other related expenses incurred while traveling on University business. This applies if the traveler is a:

  • Current UNC Charlotte employee,
  • Current employee of an NC state agency,
  • Student, or
  • Independent Contractor.

Other acceptable payment methods include using a University-issued Purchasing Card (“P-Card”).

Note: Refer to University Policy 601.8, “Appropriate Use of University Funds” to confirm if this is a permissible use of funds for your area.

Rationale and other considerations:

Allowable ground transportation expenses include:

  • City/local subway, train, bus, taxi, ride-sharing services (i.e., Uber, Lyft), or ferry
  • Rental car, if prudent
  • Parking (lots and meters)
  • Highway/interstate tolls

You will be reimbursed only for transportation used to ensure that you arrive at your business destination – not for personal preference, going to off-site restaurants, or for tourist activities. Original, itemized receipts are required for reimbursement of ground transportation expenses. Receipts are not required for ground transportation expenses under $5, such as parking meter payments (provide an explanation in the comments section of the form). “Tips” do not pertain to meals or tips that are added to other claimed expenses (such as taxi or bus), but rather refers to gratuities for services rendered in which there are no associated costs (example: bell service, housekeeping service, or airport luggage service). When tips are claimed in excess of the guidelines stated in the University Travel Manual, they should be justified in writing and attached to the travel reimbursement form. Please refer to the University Travel Manual (see link below) for additional details.

How to do it:

  1. Review the policies and procedures listed below.
  2. Complete the Travel Reimbursement and Expense Report Form (tab 2 in the link provided below), along with additional documentation, if required.
  3. Submit the completed form(s), along with the previously approved Travel Authorization Form, to Travel & Complex Payments according to the instructions listed on the form.
PoliciesProceduresForms / LinksTraining and Reference Materials
University Policy 602.7, Travel Authorization and Reimbursement

OSBM Budget Manual (Refer to Section 5 for Travel Policies)

IRS Travel, Entertainment, Gift, and Car Expenses Publication (Publication 463)

University Policy 601.8, Appropriate Use of University Funds
Travel ManualTravel Forms PackageKnow Before You Go: A General Guide for Travelers

Expense Account Codes

Contact for additional questions:

Send an email to Travel or refer to the list of contacts on the Travel website.

Contact Email: travel@charlotte.edu

Last Updated: September 14, 2018

Out-of-State Employees Guidance

UNC Charlotte Strategy: physical location of workforce

  • UNC Charlotte has a strong preference for a North Carolina workforce. Hiring preference should be given to employees living and working in-state when all other factors are equal.
    • As a North Carolina entity, UNC Charlotte has a responsibility to provide NC public sector jobs when possible.
    • This applies to students, including graduate assistants, and temporary employees.
  • At this time, a workforce abroad should be avoided if possible considering the direct and indirect costs of compliance.
  • Restrictions:
    • Term: Out-of-state arrangements must be temporary in nature. Terms are limited to one year. Renewals must be approved annually.
    • Multiple jurisdictions: UNC Charlotte cannot accommodate withholding prorated income taxes for more than one state in a single pay period.
    • IT Security: Employees must use University-managed devices when working remotely.

Definition of Out-of-State Employee

An employee who will be located outside the state of North Carolina when performing work for UNC Charlotte. Examples:

  • A part-time faculty member teaching online classes 100% remotely outside of North Carolina.
  • A full-time faculty member on paid leave residing out of state and working on grant activity for UNC Charlotte.
  • Additional examples are included in the FAQs below.

Procedures

If a potential need arises for an employee to complete work for UNC Charlotte from a non-NC jurisdiction for more than one month, complete the Out-of-State Work Approval Form at least 60 days prior to the proposed start date of the arrangement. All approvals as indicated on the form must be obtained.

The form is not needed if:

  • the duration of the work to be completed outside of NC is for one (1) month or less; or
  • the employee will not be doing work for UNC Charlotte while outside of NC (e.g., employee is on leave, or employee is part of a faculty exchange program); or
  • the employee is attending a work conference in another state

Note that the Out-of-State Work Approval Form must be completed in addition to standard Telework/Remote Work Request Form:

potential costs

  • Pass-through costs (e.g., state-specific benefits) may apply to individual employees or their hiring departments.
  • Costs are incurred every time the University must set up to withhold income taxes and set up unemployment insurance in other states. To check if the University is already set up in a specific state, contact the Tax Office.
  • Out-of-country employment requires contracted service with a professional employer organization (PEO). Estimated additional cost is 40-60% of the employee’s salary.

Background

Almost all states require employers to withhold tax from wages earned in that state. To maintain a lawful out-of-state or international employee, UNC Charlotte must comply with requirements that vary by jurisdiction and include:

  • Employer registration
  • Employment and wage laws, including minimum wage and required pay frequency
  • Income tax withholding
  • Other taxes/withholding (e.g., disability, paid family leave, local jurisdiction requirements, required benefits)
  • Monthly/quarterly/year end reporting
  • New hire reporting
  • Unemployment insurance (UI)
  • Workers’ compensation

Resources

FAQs

Does this apply to faculty who are out of state while on paid leave? (e.g., FMLA or official Reassignment of Duties)?
Yes, but only if they are doing work for the University or receive special compensation while in a different state.

How does this apply to faculty/staff who are working remotely and who may live in South Carolina?
Employees should complete the Out-of-State Work Approval Form. If approved, they should switch their withholding to South Carolina by completing and signing the South Carolina Form SC W-4, South Carolina Employee’s Withholding Allowance Certificate, and returning it to the Payroll Department on campus (Reese Building 3rd Floor; do not email forms with Social Security numbers). If at any point employees need to change their withholding back to North Carolina, they should submit an updated NC-4 in My Charlotte and notify the Payroll Department to stop withholding in South Carolina via an email to PayrollDept@charlotte.edu.

If a faculty member teaches out of state/out of the country for 5 weeks, is that ok?
They should complete the Out-of-State Work Approval Form. Approvers will determine if the arrangement introduces additional compliance requirements in the jurisdiction in question.

What is the risk to the University?
The individual has the tax liability to pay; however, they may make a case to their department that they were not informed of the tax concern and need to report and expect the department to pay the taxes owed (which has occurred). The risk to the University is financial in terms of back taxes owed, interest, and penalties that may be applied to the campus from the taxing entity (out of state local or state entity or international entity) due to non-compliance. This risk is tied to the dollar level and pattern of non-compliance, but regulations are becoming more closely monitored by all entities given better use of data matching and the states’ needs for tax revenue in the current environment.

Contacts

Created February 2019
Rev. 3/5/19, 6/11/19, 10/4/19, 11/06/20, 3/18/21, 4/09/21, 7/01/21, 12/02/2022

Last Updated: December 2, 2022

Out-of-State Work Approval Form

Purpose: If a potential need arises for an employee to complete work for UNC Charlotte from a non-NC jurisdiction for more than one month, complete the Out-of-State Work Approval Form at least 60 days prior to the proposed start date of the arrangement. All approvals as indicated on the form must be obtained. For more details, see the Out-of-State Employees Guidance page.

Last Updated: May 16, 2022

Overview of Travel (Videos)

Click play for an Overview of Travel Rules for State Employees provided by the North Carolina Office of State Budget and Management (NC OSBM).

Click play for an Overview of Travel Reimbursement for State Employees provided by the NC OSBM.

UNC Charlotte specific travel guidance and forms for faculty and staff are available on the Financial Services Travel webpage.

Contact Email: travel@charlotte.edu

Last Updated: September 30, 2022

Payment (Credit/Debit) Card Processing Procedures

I. Executive Summary and Purpose

All University departments and entities shall process inbound payment (credit/debit) card transactions through approved mechanisms/systems, processors, and equipment. The merchant services provider, which is contracted by the North Carolina Office of the State Controller (NC OSC) and by the University, must be utilized for the processing of payment card transactions.

These procedures are required in direct support of the UNC Charlotte Payment (Credit/Debit) Card Processing Standard. This document sets forth details and procedural requirements for the implementation of payment card processing at UNC Charlotte or the outsourcing of that processing to a third party. More detailed information may be referenced in the UNC Charlotte Merchant Manual (currently in development).

The procedures’ scope, revisions, exceptions, and compliance are noted in the Payment Card Processing Standard.

II. Definitions

Definitions may be referenced within the eCommerce Glossary and/or the Payment Card Industry Security Standards Council (PCI SSC) website.

III. General Requirements

Oversight

A. All departments accepting credit/debit cards for payment must comply with the UNC Charlotte Payment (Credit/Debit) Card Processing Standard.

B. The Vice Chancellor of Business Affairs (VCBA) directs all payment card processing activity and related compliance validation at The University of North Carolina at Charlotte (UNC Charlotte). The oversight of card processing operations is delegated to the eCommerce Office (eCO) which resides within the Controller’s office.

C. UNC Charlotte is a state agency and as such must operate under the authority of the State of North Carolina statutes, policies, and guidelines. These policies dictate that all card processing be conducted through the Master Services Agreement (MSA) contracted by NC OSC. To comply with that state policy:

1. All accounts for card processing must be established through NC OSC via eCO. Campus academic and administrative units, organizations, affiliates, and employees shall not establish accounts for the acceptance of payment cards outside of this established means, or utilize other mechanisms which bypass the established setup and approval of card processing activities.

2. The outsourcing of payment card processing as well as the contracts associated with that activity must be approved by eCO and other University entities as required.

3. All card processing activities are subject to the PCI SSC specifically the Standards overseen by the Council: the Payment Card Industry Data Security Standards (PCI DDS), the Payment Application Data Security Standard (PA-DSS), and the Pin Transaction Security Requirement (PCI- PTS).

4. All card processing must adhere to North Carolina General Statutes and applicable policies. NC OSC provides oversight for UNC Charlotte payment card processing.

D. UNC Charlotte Office of OneIT oversees the governance of data security, use of IT systems, evaluation and recommendations of technologies, and provides direction and support for the security and networking of campus infrastructure utilized for card processing systems.

Security of Card Data

E. University staff and entities are prohibited from storing the Primary Account Number (PAN) or Sensitive Authentication Data (SAD), physically or electronically (e.g., computer hard drives, CDs, Disks, and other external storage media), after authorization of the transaction.

F. UNC Charlotte academic and business units are prohibited from establishing websites to receive and/or process CHD outside of the allowed eCommerce web infrastructure.

G. All payment card transactions processed over digital/IP lines must be configured so that the transaction data is processed only on the segregated PCI network. University card processing must not take place on the main University network. Merchants are responsible for ensuring that the proper configuration of network devices is in place. ITS and eCO will assist as needed.

H. Third parties, including student organizations, may not process payment cards over the University’s wired or wireless network without the approval of the Vice Chancellor for Business Affairs (VCBA) or his/her designee. Transactions may be processed on cellular devices that do not interface with the University network.

I. In some cases, University departments may support student organizations with specified special status (e.g., student government organizations). If such a student organization website is hosted on a University server, it will not be allowed to link out for payment processing; it is prohibited. Externally hosted (i.e., not hosted at/or by UNC Charlotte) student organization webpages that include payment processing, must have a visible disclaimer readily viewable on the site stating that the site is not the University or a part of it.

J. The PAN must be masked when displayed (the first six and last four digits are the maximum number of digits to be displayed). In most cases where truncation is needed, only the last four digits of the PAN should be displayed. Only personnel with a legitimate business need should be able to see the full PAN.

K. Cardholder Data (CHD), the PAN, and/or SAD are not to be left unattended or disclosed to others.

L. To the extent possible on electronic transactions, the sale transaction shall not take place on University computers or network resources. Any instance where this occurs must be fully disclosed, in advance, to eCO and approved in advance by that office in conjunction with ITS.

M. UNC Charlotte academic and business units are prohibited from accepting CHD via email, fax, or any electronic means including end-user messaging technology.

1. If an email is received by University staff that contains CHD, the CHD shall not be used to process the transaction and the email must be permanently deleted from the recipient’s mailbox. A new email must be created to reply to the sender with instructions on the proper procedures for submitting their card transaction for processing. (“Reply” must not be used because the card information is not to be resent over the network.)

2. If acceptance of CHD via fax is needed for business operations, approval must be requested and obtained through eCO. A request including business justification must be submitted to eCO. If fax usage is approved for card acceptance, then an analog fax setup must be used (vs. digital). Approved analog fax machines must reside in a physically secure location with controlled/ restricted access limited to those individuals who have completed the Requirements for Card Processing.

N. If acceptance of CHD via mail/hard copy is needed for business operations, approval must be requested and obtained through eCO. The academic/business unit will be responsible for documenting internal processes to handle the CHD per PCI DSS and eCO processes. The CHD must be secured with access to it limited to only those individuals who have completed the Requirements for Card Processing. The CHD must not be retained after authorization. The security code is not to be requested on any mailed in or hard copy forms.

O. Merchants approved to receive physical documents which contain the PAN must ensure those documents are:

1. Processed on approved devices as they are received.

2. Stored in a physically secure location until the transactions are processed, should there be any delay in processing.

3. Accessible only by staff that have completed the Requirements for Card Processing.

4. Securely destroyed so that all CHD is rendered unreadable once the transaction is processed or documentation is no longer needed.

P. At the time of disposal, all hard-copy materials containing the PAN and/or SAD must be crosscut shredded, incinerated, or pulped so that the CHD is rendered incapable of being reproduced or retrieved. All disposal methods must meet or exceed the PCI DSS requirement for destruction.

Q. All card transactions must be keyed into approved devices. Desktop or laptop computers, tablets, or other electronic devices are deemed “virtual terminals” if utilized by merchant staff or provided for customers for the entry of CHD. Such setups, or virtual terminals, are not to be used for entry of CHD by staff or customers unless approved by eCommerce and set up by ITS. Contact eCommerce for approval. The completion and submission of the EC-Virtual Terminal Request form will be required.

R. Only designated personnel, who have completed the individual Requirements for Card Processing, may have access to CHD, interface with customer card transactions, and/or obtain access to card reporting or administrative portals. Access to system components and CHD will be limited to only those individuals whose job requires such access. Access requests are to be submitted to eCO using the eCommerce form EC-Access Request to Reporting Systems, or at the following URL: https://workflowforms.charlotte.edu/imaging/imaging-forms-department/ecommerce

S. Personnel granted access to card reporting and/or administrative portals are prohibited from copying, moving, and storing CHD onto local hard drives and removable electronic media unless explicitly authorized to do so by eCO for a defined business need. If a business need is authorized, the data must be protected in accordance with all applicable PCI DSS Requirements.

T. Designated personnel that are approved to interface with CHD, customers, or portals are subject to University Policy 101.23, Employment-Related Background Checks and Criminal Activity Reporting.

U. Access to eCommerce reporting systems from off campus must be conducted on University owned equipment that is updated with current antivirus and required patches. These reporting systems (e.g., TouchNet, ClientLine, Online Merchant Services, CEO Portal) are not to be accessed via personally owned computers and devices.

V. Physical security and storage of infrastructure components that control or interface with card processing systems is managed by University ITS.

W. Information security incidents or concerns should be reported to University ITS. The UNC Charlotte Standard for Managing Information Security Incidents as well as the Guideline for Reporting Information Security Incidents provides guidance regarding action to be taken if a security incident is suspected or confirmed. See section IX of this document for additional detail.

Card Acceptance

X. Any University unit wishing to accept payment cards for goods and/or services must complete the EC-Application to Process Payment Cards (EC-APP) (path: S:\Campus Merchants\eCommerce Forms\EC-APP – Application to Process Payment Cards) form and submit that to eCommerce@charlotte.edu.

Y. Business manager approval is required for all card processing.

Z. The acceptance of gifts, donations, or sponsorships must first be approved through University Advancement before public-facing sites are enabled for acceptance of those monies.

AA. Upon approval to process card transactions, eCO will work with the campus unit to determine the appropriate merchant account to be utilized for the processing of card transactions. The eCO will request a merchant account, if a separate merchant account is necessary, for the college or department through NC OSC.

BB. The eCO will work with the campus entity regarding the means by which card transactions will be accepted:

1. Online – Card Not Present (CNP)

2. In person – Card Present (CP)

The eCO will facilitate the establishment of all CNP and/or CP operations for approved setups as well as submit orders for Point of Sale (POS) terminal equipment to be utilized.

CC. If specialized software and/or systems are required for processing, eCO (in conjunction with the University ITS) will work with the campus entity to approve that processing and ensure that processing standards and security measures are met.

DD. All departments or units issued a merchant account will be required to:

1. Complete the EC-Merchant Agreement.

2. Submit business processes for card processing at least annually to eCommerce, and when significant changes to the card processing environment occur.

3. Submit card data flow diagrams to eCommerce.

4. Complete required Self-Assessment Questionnaires (SAQs) and associated validation documentation requirements.

5. Attest to compliance with PCI DSS.

6. Ensure staff meet all requirements for card processing.

EE. Currently, UNC Charlotte accepts four major payment cards: Visa, MasterCard, American Express, and Discover (please note: Diners’ Club and JCB are accepted under the Discover agreement). It is expected that all University merchants engaged in the acceptance of card transactions accept all card types supported by the University and no others.

FF. Audits will be performed periodically by the UNC Charlotte Internal Audit Department to confirm card processing complies with PCI DSS and University standards and procedures.

Daily Responsibilities

GG. All merchants are subject to University Policy 602.4, Handling Cash, Checks, and Other Monetary Receipts.

HH. On a daily basis, the department must balance transactions and settle their sales electronically to the merchant services provider.

II. All merchants are subject to North Carolina law and policies. Specifically, merchants must:

1. Prepare appropriate deposit documentation and submit it to the University Cashiers via the Financial Transaction Request (FTR) form by 12:00 noon on the day that the settlement of funds for card transactions is reflected in the banking settlement reports.

2. Provide appropriate backup documentation to substantiate the deposit.

3. Provide deposit documentation on a timely basis for amounts debited or credited directly to the merchant account due to chargebacks, retrievals, refunds, reversals, or other activity which affects the merchant account funds.

JJ. Departments shall maintain adequate records of the sales transactions. Daily sales totals, logs, etc. substantiating revenue should be stored in accordance with state record retention policies and the current MSA.

KK. Reconciliation of all transactions must be performed on a regular basis. Transactions and account charges deposited to the University Cashiers must be reconciled and verified before the deposit is submitted. Supervisory review of accounts reflecting refunds, chargebacks, reversals and card fees should be conducted at a minimum on a monthly basis.

IV. Requirements for All Payment Card Transactions

A. Return, refund, and/or cancellation policies must be disclosed to the cardholder before the cardholder enters their card information for processing. Signs disclosing the policy must be clearly visible at the Point of Sale (POS) for face to face transactions or web site/online portal utilized for the merchant for internet transactions.

B. All customer receipts must truncate the PAN so that only the last four digits are printed on the merchant and the customer copy of the receipts. The receipts must not display the card expiration date or SAD.

C. All POS terminal and internet transactions must be batched and transmitted to the merchant card processor on a daily basis. Transactions are not to be held and batched at a later time.

D. The settlement of all funds must be reported to the University Cashiers no later than noon of the day that the funds appear in the settlement account. Current procedures for the deposit of those funds must be followed. Currently, sales totals (net of refunds) must be submitted on a Payment Book Receipt (PBR) deposit form along with a copy of the sales report from the card processor. A copy of the gateway batch settlement report (totals reports, not detail) must be included for internet transactions. The settlement tape from the POS terminal is no longer required to be included for POS terminal transactions; the merchant is to retain the settlement tape for audit purposes. The Payment Book Receipt (PBR) form is available on the Financial Services website; it may be located under Transaction Type on the Financial Transaction Request (FTR) form.

Transactions that occur on Friday, Saturday, and Sunday (or over holiday periods) must be deposited in the same manner (as above) on Monday (or the following business day) to the University Cashiers. A separate deposit must be created for each day that transactions occurred. The transactions are not to be combined for the weekend (or holiday period) and deposited on one form for multiple days.

F. Sponsorship monies collected must be accounted for and viewable to University Advancement. All monies received for sponsorships are to be deposited to account code 102654; the preferred departmental fund number may be used. A report detailing the donor information is to be attached to the deposit. Please see University Advancement Procedures: Corporate Sponsorship for more detailed information. (A copy may be accessed at: S:\Campus Merchants\Helpful Documentation\Corporate Sponsorship Process – for Units)

G. It is important that all campus merchants reconcile their payment card transactions. For POS transactions, the terminal settlement tape should be reconciled to the card processors’ settlement report POS transactions. For internet transactions, the gateway reports should be reconciled to the banking reports, and third party reporting systems (if applicable). Banner fund and account numbers must be reviewed periodically to ensure that they accurately reflect reported sales, refunds, and fees. Departmental staff is responsible for reconciling the card transaction activity and accurately reporting those amounts to the University Cashiers through the deposit process. The merchant, not the Cashiers, is responsible for pulling the settlement reports, and reconciling the amounts. If the use of a generic merchant account is approved by eCO for a campus entity, eCO will provide the appropriate sales reports to the entity for the deposit; it is the merchant’s responsibility to make the deposit.

H. The Cashier’s Office will compare the sales amount submitted per the Payment Book Receipt (PBR) form to the merchant card processor records and banking funding reports. They will inform the merchant of discrepancies. All discrepancies should be resolved within 24 hours so that sales can be posted to the departmental account in the UNC Charlotte accounting system on a timely basis.

I. Access to eCommerce reporting systems must be requested by the merchant for the purpose of providing appropriate personnel with required reports for reconciliation, research, and deposit. Accesses will be restricted to the least privilege needed to perform job responsibilities. Access requests must be submitted to eCommerce@charlotte.edu on the EC-Access Request to Reporting Systems form.

J. Merchants are responsible for investigating and responding to disputes, retrievals, and chargebacks, and should do so on a timely basis.

V. Additional Requirements for Point-of-Sale (POS) Transactions

A. All Card Present (CP) transactions must be captured on equipment approved by and/or obtained through eCO in conjunction with NC OSC. All card transactions will be processed on equipment compatible with the processing platform(s) of the University’s merchant services provider. The University’s merchant services provider is determined by UNC Charlotte in accordance with the NC OSC MSA.

B. Departments requiring customized equipment for POS transactions must contact eCO before such equipment is purchased, leased, rented, or utilized. The eCO will work in conjunction with University ITS to review and approve special requests. Additional information and/or external consultation may be required. The requestor will bear all external costs related to the exception approval process.

C. Current procedures for acceptance of CP (i.e., a face-to-face transaction) and CNP (i.e. a transaction accepted over phone or fax and entered manually into an approved POS device) transactions must be followed. Those may be referenced in the UNC Charlotte Merchant Manual (currently in development), or at the websites of participating card companies (e.g., Visa, MasterCard, and American Express).

D. POS terminals must be protected from tampering and tracked. Physical access to and oversight over terminals shall be limited to personnel who have completed the Requirements for Card Processing. If terminals are customer-facing, they should be monitored while in use and secured when not in use. Terminals must be inspected for tampering on a regular basis and reports associated with inspections returned to eCommerce on a monthly basis. Any suspicious behavior or indications of device tampering or substitution must be reported to eCommerce. If terminals fail and are replaced by the merchant through the merchant services provider, eCO must be notified. The identity of any third-party persons claiming to be repair or maintenance personnel must be verified, prior to granting them access to modify or troubleshoot devices. The eCO must be notified if third-party persons are granted access to terminals.

VI. Additional Requirements for Internet Transactions

A. All internet based Card Not Present (CNP) transactions must be captured on approved web interfaces. Any newly established processing setup for internet based transactions must utilize a designated University payment gateway and platform. TouchNet Information Systems, Inc. is the primary designated gateway processor and online transaction platform.

B. All payment card processing for the University will be coordinated through eCommerce. No individual department or campus entity shall enter into a contract that includes card processing functions or outsources card processing functions to a third party without the approval of eCO in conjunction with ITS.

C. Departments must contact eCO prior to purchase of specialized software or equipment so that customized processing applications are reviewed for compliance with standards, procedures, contract requirements, and feasibility. The eCO in conjunction with University ITS, the Office of Legal Affairs, the Internal Audit Department, and the applicable computer support unit will work with the department to ensure that processing standards, safeguarding measures, and legal requirements are met. Additional information and/or external consultation may be required. The requestor will bear all costs related to the external review, if required, for the approval process.

D. Approved third party software/equipment must be implemented according to the third party guidelines. Default vendor passwords and settings must be modified to unique passwords or settings before the system is installed on the University network or utilized for card processing.

E. Customer CHD must be entered or captured on approved third party hosted websites or payment gateway interfaces and not on University computers or network resources.

F. All data requested and collected through online shopping carts and web portals must comply with the University Guideline for Data Handling.

G. If a merchant is processing card transactions online and has no approved means to accept card transactions at an event (in a face to face environment), they must either not accept payment at the event or accept cash or checks. If cash or checks are to be accepted, the merchant is responsible for following all cash handling policies (University Policy 602.4, Handling Cash, Checks, and Other Monetary Receipts). They will need to request a Receipt Book from the Cashiers to provide the required receipt to the customer for monies received at the event if the monies are to be deposited to a University account. If monies are to be deposited to a non-University account, a receipt must still be provided to the customer and supplied by the merchant. If the merchant would like to accept card transactions at the event, they must request through eCO the rental of an approved POS device (see: EC : POS Terminal Order Form) or the use of a laptop or desktop computer as a virtual terminal. The completion and submission of the EC-Request for Virtual Terminal for Card Processing form will be required for laptop use.

VII. Outsourcing/Third party Contract Requirements

A. Any unit that wishes to utilize third party software that includes card processing functions or the outsourcing of its credit card transaction processing must request approval to do so in writing to eCommerce@charlotte.edu. The vendor selected by the campus entity must be approved through eCO and meet current requirements. Contracts and associated documentation must address these elements:

1. Compliance with all appropriate PCI SSC requirements (Payment Card Industry Data Security Standards (PCI DDS), the Payment Application Data Security Standard (PA-DSS), and the Pin Transaction Security Requirement (PCI- PTS)).

2. Compliance with NC Daily Deposit Act (NC G.S. 147-77)

3. Statements clarifying where CHD is captured; specifically, detailed information regarding integration with the designated gateway provider and linkage type must be disclosed.

4. If CHD is captured on the vendor’s network, they must:

a. Provide proof of PCI validation and/or PA-DSS validation. It is preferred that any third party that captures CHD be a validated Level 1 Service Provider.

b. Specify the elements of the PCI DSS for which they will be responsible and those for which the University must be responsible.

c. Provide documentation that clearly details the flow of CHD and specifies any outside entities’ applications or servers utilized.

5. Service level agreements

6. Remote access and use of Multi Factor Authentication

7. Personally Identifiable Information (PII)

8. Data retention and destruction

9. Liability

10. Business continuity

B. All contracts must be submitted to eCO for review and revision, as necessary, before they are executed. ITS, The Office of Legal Affairs, and Materials Management will be integral in the review process. ITS will oversee the final approval, signature, and execution of contracts that involve ITS resources.

C. Any third party agreement that involves ITS resources must comply with IT Governance processes. A review of those may be located at IT Governance.

D. A final copy of the executed contract must be submitted to eCommerce.

VIII. Review Process for Processing Request

A. Requests for card processing must be submitted to eCommerce@charlotte.edu using the EC-Application to Process Payment Cards (EC-APP) (path: S:\Campus Merchants\eCommerce Forms\EC-APP – Application to Process Payment Cards) form. The application includes requirements to:

1. Document the business need for accepting credit card transactions in a new unit or location.

2. Document anticipated transaction volume and mechanism for card acceptance.

3. Agree to basic rules for card processing.

4. Obtain approval of the business manager.

B. The eCO will review submitted requests and confer with ITS as needed. Requests will be reviewed for feasibility, functionality, compliance, and business operations

C. Third party contracts associated with the request must be submitted to eCO and will be reviewed by eCommerce, ITS, Legal, and Materials Management as needed. All contracts meet federal, state, PCI DSS, and University contractual requirements.

IX. Incident Response

A. Report any suspected or known security incident to:

a. Your supervisor and/or primary merchant contact for your area.

b. ITS. See the following resources below:

i. Guideline for Reporting Information Security Incidents: https://oneit.charlotte.edu/iso/guideline-reporting-information-security-incidents

ii. FAQ: How do I report an IT security incident? https://services.help.charlotte.edu/TDClient/33/Portal/KB/ArticleDet?ID=2081

B. Note: If the potential information security incident involves a compromised computer system:

a. Leave the computer system on and as-is, with all current computer programs running and current state of network access.

b. Do not shut down the computer, restart the computer, or remove the computer from the network until/unless directed to do by the ITS incident response team.

C. If the incident involves criminal activity, report it immediately to the UNC Charlotte Police and Public Safety Office.

D. Notify the Data Security Officer (DSO) or Information Security Liaison (ISL) for your college or department. Designated DSOs and ISLs are listed at: https://oneit.charlotte.edu/security/standards-guidelines/compliance.

E. ITS and the eCommerce Office will coordinate review for any incident which involves CHD and escalate if the deemed incident is valid and meets the threshold for escalation.

F. All merchant/departmental entities involved are expected to cooperate fully and in a timely manner with any investigation.

X. Exceptions to Regulation

A. Any request for an exception to the UNC Charlotte Payment (Credit/Debit) Card Processing Standard or UNC Charlotte Payment (Credit/Debit) Card Processing Procedures should be made in writing to the VCBA and CIO and include the following:

1. Reason for the exception request.

2. Steps that will be taken to ensure compliance with the standard.

3. Date the need for the exception will be no longer needed.

B. The eCO in conjunction with University ITS will work with the VCBA and the CIO to review the request for exception. Following a review of the request, the final approval or denial will be made by the VCBA.

Related Resources

Legal References

Other References

Please note: eCommerce forms may be located on the campus S drive at: S:\Campus Merchants\eCommerce Forms

Revision History:
Initially approved October 5, 2006
Revised: 4/30/2015, 8/15/2016, 4/30/2018

Last Updated: April 05, 2024

Payment (Credit/Debit) Card Processing Standard

I. Executive Summary and Purpose

The Payment (Credit/Debit) Card Processing Standard provides the requirements and direction for all payment (credit/ debit) card processing activities at UNC Charlotte.

The following sources were consulted and provide the basis for this program: ISO 27002 and the Payment Card Industry Data Security Standards (PCI DSS).

This Standard defines the responsibilities of employees, administrative units, organizations and affiliates that process payment cards on behalf of UNC Charlotte or its affiliates or have access to UNC Charlotte’s computing and network resources that are utilized for the processing of payment cards. All relevant provisions contained in University Policy #311 and the Standard for Responsible Use are applicable and included by reference in this document. This Standard supersedes all other associated UNC Charlotte regulations and procedures pertaining to payment card processing.

II. Scope

This standard applies to:

A. All academic and administrative units, organizations, affiliates, and employees of UNC Charlotte who accept credit/debit card payments for University business.

B. All external organizations contracted to provide outsourced services for Credit/Debit Card Processing for University business by the parties described in II. A.

C. All academic and administrative units, organizations, affiliates, and employees of UNC Charlotte who provide Credit/Debit Card Processing services for third parties.

III. Standard

A. Units must obtain approval from the Vice Chancellor for Business Affairs (VCBA) or his/her designee to process Payment (Credit/Debit) Cards.

This includes, but is not limited to:

  1. All contract and software and/or equipment purchases or usage. This applies regardless of the transaction method used (e.g. eCommerce, POS device, mobile capture, or eCommerce outsourced to a third party). All outsourcing agreements must meet the standards set forth in the Payment (Credit/Debit) Card Processing Procedures.
  2. All technology implementations associated with Payment (Credit/Debit) Card Processing. Implementations include any activity that impacts UNC Charlotte ITS infrastructure, enterprise applications, security, and/or staffing, as well as those that might impact the designated VCBA platform for card processing and/or the staff associated with it. All technology implementations (including approval of authorized payment gateways) associated with the Payment (Credit/Debit) Card Processing must be in accordance with the Payment (Credit Card) Processing Procedures.
  3. All methods of capture and transmission of payment card data.
  4. The approval of campus units, organizations, or individuals to conduct business utilizing payment cards and the approval of staff within their areas to interface with payment card data.

B. All Payment (Credit/Debit) Card Processing activities must be registered with the unit designated by the VCBA.

C. Cardholder data may not be stored on any UNC Charlotte computer device or network. Any exceptions must be in writing and signed by both the VCBA and Chief Information Officer (CIO). Anyone who is granted an exception must contact ITS Information Security for assistance with interpretation and implementation.

D. All departments or units which receive approval for UNC Charlotte card processing activity must comply with the Payment Card Industry Data Security Standards (PCI DSS) and are required to validate their compliance as specified by the Standard and UNC Charlotte validation requirements.

E. All Payment (Credit/Debit) Card Processing activities must comply with the state of North Carolina General Statutes (G.S.) and policies. That includes but is not limited to the North Carolina (NC) G.S. 147-77 (Daily Deposit Act), NC Office of the State Controller (NC OSC) Policy 500.1 (Maximization of Electronic Payment), 500.2 (Master Services Agreements for Electronic Payments), 500.11 (Compliance with PCI Data Security Standards), 500.13 (NC Security and Privacy of Data), and NC Session Law 99-434 which amended multiple General Statutes related to the acceptance of electronic payments.

F. All staff that interface with payment card activities, cardholder data, and/or associated reporting or administrative portals must meet requirements detailed within the PCI DSS and Payment (Credit/Debit) Card Processing Procedures.

G. All Payment (Credit/Debit) Card Processing will be conducted according to current Payment (Credit/Debit) Card Processing Procedures.

IV. Procedures

The Payment (Credit/Debit) Card Processing Procedures document provides the details for implementing this Standard. These procedures carry the full force of this Standard.

V. Revisions and Exceptions

This Standard may be revised only with the approval of the VCBA or his/her designee of UNC Charlotte. The VCBA and the CIO may grant exception to this Standard or the Payment (Credit/Debit) Card Processing Procedures document by mutual agreement.

Related Resources

Legal References:

Other References:

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management

Revision History

Approved: 10/5/2006
Revised: 1/7/2015

Last Updated: January 7, 2015

Payment Book Receipt (“PBR”)

Payment Book Receipt (“PBR”)

This is the book receipt form that should be used by all departments on campus that process cards via a University merchant account. Merchants must submit this form to allocate receipts to the appropriate Banner fund(s) and account(s).

Last Updated: January 11, 2021

Payment Card Industry (PCI) Security Standards Council

PCI Security Standards Council

The Payment Card Industry (PCI) Security Standards Council’s mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.

Last Updated: November 10, 2014

Payment Research Request eForm (PRR)

Payment Research Request eForm (PRR)

Purpose: Use this form to provide the General Accounting department with information needed to research and/or void a check or direct deposit payment to students, vendors, or employees. Please use the Check Number found in Banner Vendor Detail History (FAIVNDH) or contact Payroll at Payrolldept@charlotte.edu or ext. 7-1919 to obtain a payroll check number.

Verify the correct address and direct deposit information is in Banner before submitting this request.

If fraud is suspected (e.g., altered check, forgery, direct deposit tampering), please contact GeneralAccounting@charlotte.edu immediately to investigate.

Last Updated: October 5, 2021

Payroll Calendar

Payroll Calendar

Purpose: Add and view the University’s Google payroll calendar by selecting the payroll calendar link. Detailed instructions are available on the University FAQ site.

Contact Email: PayrollDept@charlotte.edu

Last Updated: January 23, 2024

Petty Cash Fund Request Form

Use this form to request a petty cash fund.

Last Updated: February 7, 2022

Petty Cash Log

This form is a blank petty cash log.

Last Updated: January 11, 2021

Petty Cash Reimbursement & Reconciliation Form

Purpose: This Excel template provides petty cash reimbursement and reconciliation to give Recon & Control the necessary information for replenishing a petty cash fund.

Last Updated: January 11, 2021

Petty Cash/Change Fund Change of Custodian Form

Use this form to request a change to the custodian for petty cash or change fund.

Last Updated: February 7, 2022

Petty Cash/Change Fund Procedures

Procedures for Petty Cash and Change Fund at UNC Charlotte.

Last Updated: February 7, 2022

Petty Cash/Change Fund Training

Petty Cash/Change Fund Policy and Procedures

Last Updated: February 7, 2022

Pilferable Assets Template

Purpose: This template is an example of how to maintain important information about assets that are at risk of theft. Examples of pilferable assets that each department shall maintain include laptops, computers, data projectors and other pilferable assets costing between $1,000 and $5,000.   

Contact: fixedassets@charlotte.edu

Last updated: April 22, 2024