Standard for Accepting Electronic Payments
Purpose
The purpose of this document is to establish requirements for UNC Charlotte employees and other authorized users regarding the acceptance of electronic payments, including payment (credit/debit) cards and electronic fund transfers (ACH/Wires). Adherence to this standard will help ensure that the University remains compliant with all University, State, National Automated Clearing House Association (NACHA) and Payment Card Industry (PCI) requirements.
Scope
This standard applies to all university employees, affiliates or authorized users who will be accepting electronic payments or interacting with payment card data, functions, or systems (e.g., credit and debit cards) as part of their job duties.
Contacts
Direct any general questions about this standard to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.
Standard
In accordance with N.C.G.S. 147-86.22 and UNC Charlotte’s Cash Management Plan, the University accepts electronic payments to the maximum extent possible and in a manner consistent with sound business practices.
The Vice Chancellor of Business Affairs (VCBA) directs all electronic payment processing activity and related compliance validation at the University.
- The oversight of automated clearing house (ACH) and wire transfer operations is delegated to the Controller’s Office – General Accounting
- The oversight of payment card processing operations is delegated to the Office of the Bursar – Merchant Services
University Advancement must approve the acceptance of gifts, donations, or sponsorships before the collection of those monies. Gifts must be processed through The Foundation of the University of North Carolina at Charlotte, Inc., as described in University Policy 602.2, Solicitation and Acceptance of Gifts.
Any department found accepting electronic payments without prior approval or not in compliance with this standard must discontinue operations until properly vetted and compliant.
Obtain Prior Approval
- ACH and Wire Transfers: Campus units, organizations, departments, or employees must obtain approval from their division or college/administrative Business Officer and authorization from the VCBA designee, such as the Controller’s Office – General Accounting, to accept electronic funds transfers via ACH or Wire. ACH authorization will generally not be given to third parties making a single payment to the University in a fiscal year. ACH deposits must be accompanied by remittance information to properly identify and apply the payment. The department must provide General Accounting with the fund and account information necessary to process the receipts. General Accounting will provide the department with a wire transfer form to be completed by the department and given to the third party with instructions on how to send the payment. A copy of the completed form must be sent to General Accounting so that the wire is applied to the correct fund and account.
- Payment (Credit/Debit) Cards: Campus units, organizations, departments, or employees must obtain approval from their division or college/administrative unit Business Officer and authorization from the VCBA designee, such as the Office of the Bursar – Merchant Services, to accept credit or debit card payments, or interface with payment card data. This requirement applies regardless of the transaction method used, such as online (eCommerce), point of sale (POS) devices (hardware and/or software used at merchant locations), mobile capture or outsourced through a third party.
All payment card processing functions for the University, including outsourced, must be coordinated through the Office of the Bursar – Merchant Services in conjunction with OneIT, prior to entering into a contract. This includes, but is not limited to:
- All University and/or affiliate contract, software and/or equipment purchases or usage, including implementation of technology that impacts the University’s designated payment card processing platform, or OneIT infrastructure, enterprise applications, security and/or staffing. OneIT is responsible for managing the physical security and storage of infrastructure components that control or interface with card processing systems hosted on campus, e.g., servers and other network infrastructure that connect to card processing systems.
- All outsourced payment processing agreements with third parties, as set forth in the Guideline for Outsourced Payment Processing.
- All third parties conducting business on UNC Charlotte’s campus that utilize payment cards or interface with payment card data, as set forth in the Guideline for Third Parties Accepting Electronic Payments On Behalf of the University or on University Property.
Complete Merchant Requirements
All employees and other authorized users that interface with payment card activities, Cardholder Data (CHD), and/or associated reporting or administrative portals must be registered with the Office of the Bursar – Merchant Services, complete Merchant Training and meet requirements detailed within the Payment Card Industry Data Security Standards (PCI DSS) and/or University standards and guidelines before accepting payment (debit/credit) cards.
Only designated personnel, who have completed these requirements for card acceptance, may have access to CHD, interface with customer card transactions and/or obtain access to card reporting or administrative portals. Access to system components and CHD will be limited to only those individuals whose job requires such access. These individuals are subject to University Policy 101.23, Employment-Related Background Checks and Criminal Activity Reporting.
Continuous Compliance and Annual Attestation
UNC Charlotte is a State agency and as such must adhere to the authority of the State of North Carolina General Statutes (G.S.), policies and guidelines below. These policies dictate that all card processing be conducted through the Master Services Agreement (MSA) contracted by NC OSC. To comply with that State policy, refer to the Guideline for Establishing Merchant Accounts and Guideline for Maintaining Merchant Accounts.
All departments or units that receive approval for university card processing activity and have an active merchant account are required to validate their compliance with the PCI DSS, established by the Payment Card Industry Security Standards Council (PCI SSC), and University validation requirements annually. Audits will be performed periodically by the University’s Internal Audit Department to confirm card processing complies with the PCI DSS and University standards and procedures.
Related Resources
- Guideline for Contracting with Third Party Services Providers
- Guideline for Daily Cash Management
- Guideline for Establishing Merchant Accounts
- Guideline for Exceptions
- Guideline for Maintaining Merchant Accounts
- Guideline for Outsourced Payment Processing
- North Carolina (NC) G.S. 147-77 (Daily Deposit Act)
- NC Office of the State Controller (NC OSC) Policy 500.1 (Maximization of Electronic Payment)
- NC OSC 500.2 (Master Services Agreements for Electronic Payments)
- NC OSC 500.11 (Compliance with PCI Data Security Standards)
- NC OSC 500.13 (NC Security and Privacy of Data)
- NC Session Law 99-434, which amended multiple General Statutes related to the acceptance of electronic payments
- University’s Cash Management Plan
- University Policy 602.12, Revenue Generating Activities
- University Policy 602.2, Solicitation and Acceptance of Gifts
- University Policy 602.4, University Receipts and Deposits
Revision History
- Initially approved by the AVC for Finance on November 25, 2024