Standards and Governance

Spending is guided by University Policy 601.8, Appropriate Use of University Funds. Policy 601.8 is supported by standards developed by Financial Services.

These standards outline minimum requirements related to common fund expenditures and are designed to assist departments with implementing Policy 601.8. All departments must comply with the standards by following prescribed procedures or by developing unit-specific procedures that meet or exceed the minimum requirements established by the standards.

The Allowable Fund Use Table provides an overview of allowable fund sources for common fund expenditures.

STANDARDS

• Standard for Conferences and Events
• Standard for Expenditures from Distinguished Professorship Funds – New February 2024
• Standard for Gifts, Awards, and Other Payments
• Standard for Marketing and Development
• Standard for Meals and Entertainment
• Standard for Student-Oriented Activities

ALLOWABLE FUND USE TABLE

Click the image below to enlarge:

TRAINING

Sources and Uses of University Funds Training

Last Updated: February 1, 2024

• Capital Assets Standards

Purpose: Provides baseline standards for the capital assets process of the UNC System and general guidance on recording and maintaining capital assets.

Last Updated: June 2023

• NC Debarred Vendors List
• NC Purchasing & Contract System for Award Management

Purpose:

• Debarred vendors list – The North Carolina Department of Administration maintains a list of vendors debarred from doing business with the State of North Carolina, including their location, date of debarment, and reason for debarment.
• Purchasing & Contract – Governs procurement for the State of North Carolina. Learn about state procurement practices and access links to NC eProcurement resources.

Last Updated: September 12, 2024

Fly America Act

Purpose: All air travel and cargo transportation services funded by the federal government are required to use a “U.S. flag” air carrier service. You can find a complete list of certified U.S. flag air carriers on the U.S. Department of Transportation website.

Last Updated: July 16, 2024

Governmental Accounting Standards Board (GASB)

Established in 1984, the GASB is the independent, private-sector organization based in Norwalk, Connecticut, that establishes accounting and financial reporting standards for U.S. state and local governments that follow Generally Accepted Accounting Principles (GAAP).

Last Updated: December 23, 2014

Purpose

The purpose of this document is to provide guidance in the usage of Card Present (CP) in person payment (credit/debit) card processing.

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

Merchants must purchase, lease, rent or utilize a Payment Card Industry (PCI)-listed Point-to-Point Encryption (P2PE) solution from the Payment Card Security Standards Council (PCI SSC), obtained through or approved by Office of the Bursar – Merchant Services in conjunction with North Carolina Office of the State Controller (NC OSC) to accept CP payments. 

Complete the EC : POS Terminal Order Form to request the rental of an approved POS device to accept CP transactions.

Approved Equipment Exceptions

Departments requiring customized equipment for POS transactions must contact the Office of the Bursar – Merchant Services before such equipment is purchased, leased, rented or utilized. Merchant Services will work in conjunction with OneIT to review and approve special requests. Additional information and/or external consultation may be required. The requestor will bear all external costs related to the exception approval process. 

• Any device not part of a PCI-listed P2PE solution from the PCI SSC must be configured to process transaction data only through a cellular connection or on the segregated PCI network. University card processing through any device not part of a PCI-listed P2PE solution from the PCI SSC must not take place on the main University network. Merchants are responsible for ensuring that the proper configuration of network devices is in place. OneIT and Merchant Services will assist as needed.

Using Your Approved Equipment

Current procedures for acceptance of CP transactions must be followed. Those may be referenced in the UNC Charlotte: Merchant Training, or at the websites of participating card companies (e.g., Visa, MasterCard, and American Express).

Protecting Your POS Equipment

• POS terminals must be protected from tampering and tracked. 
• Physical access to and oversight of terminals shall be limited to personnel who have completed the merchant training requirements for card processing. 
• If terminals are customer-facing, they should be monitored while in use and secured when not in use. 
• Terminals must be inspected for tampering daily and reports associated with inspections must be returned to ecommerce@charlotte.edu monthly. 
• Any suspicious behavior or indications of device tampering or substitution must be reported to ecommerce@charlotte.edu.  
• If terminals fail and are replaced by the merchant through the merchant services provider, ecommerce@charlotte.edu must be notified. 
• The identity of any third party persons claiming to be repair or maintenance personnel must be verified prior to granting them access to modify or troubleshoot devices. 
• Merchant Services must be notified at ecommerce@charlotte.edu if third party persons are granted access to terminals.

Related Resources

• Standard for Card Present Payment Processing

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance in establishing and maintaining contracts with integrated third party service providers that integrate with or have access to modify any portion of the UNC Charlotte payment card environment.

Scope

This guideline applies to all university employees, affiliates and authorized users who plan to work with a third party that will be interacting with payment card data, functions, or systems (e.g., credit and debit cards) as part of their payment processing services through a University or affiliated entity merchant account.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

Before Contracting for Goods or Services

1. Contact Merchant Services: Prior to entering into any contract or purchasing specialized software, equipment or systems necessary for payment card processing, departments must contact the Office of the Bursar – Merchant Services. They will review customized processing applications for compliance with standards, guidelines, security measures, contract requirements and feasibility. 
2. Include Merchant Services in Request for Proposal (RFP): It is best practice to include the Office of the Bursar – Merchant Services in any formal RFP process involving payment acceptance.
3. Third-party Service Providers interacting with payment card data, functions or systems as a part of their payment processing services must provide proof of Payment Card Industry Data Security Standards (PCI DSS) compliance  and/or validation of payment software. Preferably, any third party that captures Cardholder Data (CHD) be a validated Level 1 Service Provider.
4. Departmental Collaboration: The Office of the Bursar – Merchant Services in conjunction with Materials Management, OneIT, the Office of Legal Affairs, the Internal Audit Department and the applicable computer support unit, will work with the department to ensure that processing standards, safeguarding measures and legal requirements are met.
5. OneIT Oversight: OneIT oversees data security governance, IT systems use, technology evaluation and recommendations and provides direction and support for the security and networking of campus infrastructure utilized for card processing systems. Submit any software and IT-related acquisition requests to OneIT for review before acquisition. OneIT will oversee the final approval, signature and execution of contracts and acquisitions involving technology.
6. Additional information and Costs: Additional information or external consultation may be required. The requestor will bear all costs related to the external review if required for the approval process.
7. Implementation of Approved Software/Equipment: Implement approved third-party software/equipment according to third-party guidelines. Modify default vendor passwords and settings to unique ones before installing the system on the University network or using it for card processing.

Contract Elements

Contracts and associated documentation must address these elements:

1. Compliance with the OneIT Standards and Guidelines; specifically:
   1. Standard  for Security Requirements of Information Systems, and the related Information Security Checklist
   2. Standard for Information Security related to Vendors and External Parties
2. PCI SSC Requirements: Compliance with all appropriate Payment Card Industry Security Standards Council (PCI SSC) requirements and their responsibility for specific PCI DSS requirements. If the vendor impacts the CHD  environment, they must address:
   1. Proof of PCI DSS compliance  and/or validation of payment software
   2. Specific elements of the PCI DSS for which they will be responsible and those for which the University will be responsible
   3. Documentation that clearly details where CHD is captured, information regarding integration with the designated gateway provider and linkage type, and specifies any outside entities’ applications or servers utilized
   4. Service level agreements
   5. Remote access and use of Multi Factor Authentication
   6. Protection of Personally Identifiable Information (PII)
   7. Data retention and destruction policies
   8. Liability
   9. Business continuity

A final copy of the executed contract must be emailed to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Related Resources

• Standard for Accepting Electronic Payments
• Standard for Information Security related to Vendors and External Parties
• Standard  for Security Requirements of Information Systems

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance for daily cash management of merchant accounts. 

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

All merchants are subject to University Policy 602.4, University Receipts and Deposits and North Carolina law and policies. All departments or units issued a merchant account must:

• Daily Batching: Batch and transmit all POS terminal and internet transactions to the merchant card processor on a daily basis. Transactions should not be held more than 24 hours.
• Settlement Reports: Pull their own daily settlement reports. If the use of a generic merchant account is approved by Merchant Services, Merchant Services will provide the appropriate sales reports to the entity for reconciliation and deposit purposes.
• Reconciliation: Verify and reconcile all transactions on the settlement report to either the terminal settlement tape or the gateway report (e.g., TouchNet, Bluefin) and any third party reporting system(s) before submitting a deposit. Supervisors should review refunds, chargebacks, reversals and card fees at least monthly.
• Reporting Sales: Accurately report sales totals (net of refunds) by submitting a Payment Book Receipt (PBR) to the University Cashiers by 12:00 noon on the day that the settlement of funds is reflected in the banking settlement reports. This applies to card transactions debited or credited directly to the merchant account due to sales, chargebacks, retrievals, refunds, reversals or other activity.
  • Weekend or Holiday Transactions: Transactions that occur on Friday, Saturday, Sunday or holidays must be deposited to the University Cashiers on the next business day (usually Monday). 
  • Daily Deposits: Create a separate deposit for each day transactions occurred. 
  • Cashier Review: The Cashiers will review the deposit and inform the merchant of any discrepancies.
• Backup Documentation: Provide appropriate backup documentation to substantiate the deposit (i.e., a copy of the sales report from the card processor or a copy of the gateway batch totals settlement report, not detail). 
• Audit Retention: Retain the settlement tape from the POS terminal for audit purposes.
• Discrepancy Resolution: Resolve any discrepancies identified by the University Cashiers within 24 hours.
• Periodic Review: Periodically review Banner fund and account balances to ensure that they accurately reflect reported sales, refunds and fees.

Note that if they do not have an approved device to accept card present transactions at an event (in a face-to-face environment), a merchant must accept cash or checks and follow all cash handling procedures in University Policy 602.4, University Receipts and Deposits.

Related Resources

• Standard for Accepting Electronic Payments
• University Policy 602.4, University Receipts and Deposits

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance on establishing merchant accounts for accepting payment cards (credit and debit cards).

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

To accept card payments, campus units (academic, administrative, organizations, affiliates and employees) must establish a merchant account through the North Carolina Office of the State Controller (NC OSC) via the Vice Chancellor for Business Affairs’ (VCBA) designee (Office of the Bursar – Merchant Services).

1. Consultation: Departments considering accepting card payments should first consult their division or college/administrative Business Officer.
2. Initial Interest Form: Complete the Initial Interest Form to determine if opening a new merchant account is appropriate.
3. Application: If opening a new merchant account is deemed feasible, complete the EC-Application to Process Payment Cards (EC-APP) located at path, S:\Campus Merchants\eCommerce Forms\EC-APP – Application to Process Payment Cards form, and submit it to ecommerce@charlotte.edu. The EC-APP must include:
   • The business need for accepting payment card transactions
   • Anticipated transaction volume
   • The proposed method for accepting card payments (e.g., online, in-person)
   • Signatures from the person responsible for managing the account, the Department Head and the division or college/administrative Business Officer
4. Review: The Office of the Bursar – Merchant Services will review submitted requests and consult with OneIT as needed. The review will assess feasibility, functionality, compliance and impact on business operations.
5. Approval: Upon approval, the Office of the Bursar – Merchant Services will work with the campus unit to determine the appropriate merchant account type, based on the intended card acceptance method:
   • Online (Card Not Present – CNP)
   • In-person (Card Present – CP)

If a separate merchant account is necessary, the Office of the Bursar – Merchant Services will establish it and submit orders for any necessary Point of Sale (POS) terminal equipment to be utilized through NC OSC.

Third party contracts associated with the request must comply with the Guideline for Contracting with Integrated Third Party Service Providers or the Guideline for Outsourced Payment Processing as applicable.

Related Resources

• Standard for Accepting Electronic Payments
• Guideline for Contracting with Integrated Third Party Service Providers
• Guideline for Outsourced Payment Processing

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance in the usage of mail order payment (credit/debit) card processing.

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

Cardholder Data (CHD) through the Network (i.e., Email, Electronic Form) is Prohibited

If University staff receive an email containing CHD: 

• The CHD shall not be used to process the transaction 
• The email must be permanently deleted from the recipient’s mailbox 
• A new email must be created to reply to the sender with instructions on the proper procedures for submitting their card transaction for processing 
• Reply must not be used because the card information is not to be resent over the network

Obtain Approval to Receive Mail Order/Hard Copy Form

If acceptance of CHD via mail/hard copy is needed for business operations, approval must be requested and obtained through the Office of the Bursar – Merchant Services. A request including business justification must be submitted to ecommerce@charlotte.edu. The academic/business unit will be responsible for documenting internal processes to handle the CHD per Payment Card Industry Data Security Standards (PCI DSS) and the Standard for Handling Cardholder Data. 

• The CHD must be secured with access to it limited to only those individuals who have completed the merchant training requirements for card processing 
• The CHD must not be retained after authorization 
• The security code is not to be requested on any mailed in or hard copy forms

Handling Hard Copy/Physical Document Payments

Merchants approved to receive physical documents which contain the Primary Account Number (PAN) must ensure those documents are:

• Processed on approved devices as they are received
• Stored in a physically secure location until the transactions are processed, should there be any delay in processing
• Accessible only by staff who have completed the merchant training requirements for card processing
• Securely destroyed so that all CHD is rendered unreadable once the transaction is processed or documentation is no longer needed. At the time of disposal, all hard-copy materials containing the PAN and/or Sensitive Authentication Data (SAD) must be crosscut shredded, incinerated, or pulped so that the CHD is rendered incapable of being reproduced or retrieved. All disposal methods must meet or exceed the PCI DSS requirement for destruction.

Related Resources

• Standard for Card Not Present Payment Processing
• Standard for Handling Cardholder Data

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance on maintaining merchant accounts for accepting payment cards (credit and debit cards).

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

All departments or units issued a merchant account will be required to:

• Disclose return, refund, and/or cancellation policies to the cardholder before the cardholder enters their card information for processing. Signs disclosing the policy must be clearly visible at the Point of Sale (POS) for Card Present (CP) transactions or on the website/online portal for Card Not Present (CNP) internet transactions.
• Follow the Standard for Handling Cardholder Data which includes reporting security incidents immediately.
• Reconcile transactions and settle sales electronically to the merchant services provider on a daily basis.
• Investigate and respond to disputes, retrievals, and chargebacks on a timely basis.
• Maintain adequate records of the sales transaction (i.e., daily sales totals, logs, etc.) in accordance with State record retention policies.
• Complete the EC-Merchant Agreement on an annual basis.
• Document their business processes for card processing on an annual basis or when significant changes occur to the card processing environment.
• Ensure staff meet merchant training requirements for card processing.
• Complete required Self-Assessment Questionnaires (SAQs), a reporting tool used by merchants and service providers to self-report their adherence to the Payment Card Industry Data Security Standards (PCI DSS), and associated validation documentation requirements. 
• Complete required Attestation of Compliance (AOC) with PCI DSS, which declares the accuracy and truthfulness of information provided in the SAQ. 

The Office of the Bursar – Merchant Services will review accounts periodically and reserves the right to close merchant accounts with extended periods of inactivity.

Related Resources

• Standard for Accepting Electronic Payments
• Standard for Handling Cardholder Data
• University Policy 605.3, Retention, Disposition, and Security of University Records

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance in establishing and maintaining contracts with third party service providers that provide payment (credit/debit) card processing on behalf of UNC Charlotte or its affiliates.

Scope

This guideline applies to all University employees, affiliates and authorized users who want to utilize a third party to accept payment cards from University customers without utilizing a University merchant account.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

To streamline the receipt of cash according to the University’s Cash Management Plan, the preferred method of payment card acceptance is through a University-owned merchant account. However, there may be instances when it is more efficient or effective to outsource payment card processing through a third party’s merchant account and receive proceeds through another method of payment.

Before Outsourcing Payment Card Processing

1. Contact Merchant Services: Prior to entering into any contract or purchasing specialized software, equipment or systems necessary for payment card processing, departments must contact the Office of the Bursar – Merchant Services. They will review customized processing applications for compliance with standards, guidelines, security measures, contract requirements and feasibility.
2. Include Merchant Services in Request for Proposal (RFP): It is best practice to include the Office of the Bursar – Merchant Services in any formal RFP process involving payment acceptance.
3. Third-party Service Providers: Any unit that wishes to utilize third party software that includes the outsourcing of its credit card transaction processing must request approval in writing to ecommerce@charlotte.edu and provide proof of the vendor’s Payment Card Industry Data Security Standards (PCI DSS) compliance and/or validation of payment software. It is preferred that any third party that captures Cardholder Data (CHD) utilize a validated Level 1 Service Provider. The vendor must assume full responsibility for all PCI DSS requirements and notify the University and/or its affiliates of any CHD security breaches.
4. Departmental Collaboration: The Office of the Bursar – Merchant Services in conjunction with Materials Management, OneIT, the Office of Legal Affairs, the Internal Audit Department and the applicable computer support unit, will work with the department to ensure that processing standards, safeguarding measures and legal requirements are met.
5. OneIT Oversight: OneIT oversees the governance of data security, use of IT systems, evaluation and recommendations of technologies, and provides direction and support for the security and networking of campus infrastructure utilized for card processing systems. Any software and IT-related acquisition request must be submitted to OneIT for review before the acquisition. OneIT will oversee the final approval, signature and execution of contracts and acquisitions involving technology.
6. Additional information and Costs: Additional information or external consultation may be required. The requestor will bear all costs related to the external review if required for the approval process.
7. Implementation of Approved Software/Equipment: Implement approved third-party software/equipment according to third-party guidelines. Modify default vendor passwords and settings to unique ones before installing the system on the University network or using it for card processing.

Contract Elements

Contracts and associated documentation must address these elements:

1. Compliance with the OneIT Standards and Guidelines; specifically:
   1. Standard  for Security Requirements of Information Systems, and the related Information Security Checklist
   2. Standard for Information Security related to Vendors and External Parties
2. PCI SSC Requirements: Compliance with all appropriate Payment Card Industry Security Standards Council (PCI SSC) requirements and their responsibility for all PCI DSS requirements. If CHD is captured on the vendor’s network, they must address:
   1. Proof of PCI DSS compliance and/or validation of payment software
   2. Specifying that they will be fully responsible for all elements of the PCI DSS
   3. Documentation that clearly details the flow of CHD and specifies any outside entities’ applications or servers utilized
   4. Service level agreements
   5. Remote access and use of Multi Factor Authentication
   6. Protection of Personally Identifiable Information (PII)
   7. Data retention and destruction policies
   8. Liability
   9. Business continuity

A final copy of the executed contract must be emailed to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Related Resources

• Standard for Accepting Electronic Payments
• Standard for Information Security related to Vendors and External Parties
• Standard  for Security Requirements of Information Systems
• University’s Cash Management Plan

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance on how to request  approval for an exception to the Standard for Accepting Electronic Payments.

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

The University does not currently store, process, or transmit Cardholder Data (CHD) on the University’s network. Therefore, any changes to the University’s CHD Environment or exceptions to the Standard for Accepting Electronic Payments must be submitted in writing to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu for consideration, and approval by both the Vice Chancellor for Business Affairs (VCBA) and Chief Information Officer (CIO). 

Requests should include:

1. Business reason for the exception
2. Steps that will be taken to ensure compliance with Payment Card Industry Data Security Standards (PCI DSS) requirements
3. The date that the exception will no longer be needed

The Office of the Bursar – Merchant Services, in conjunction with OneIT, will work with the VCBA and the CIO to review the request. The final approval or denial will be made by the VCBA or their designee.

The University prohibits the use of virtual terminals on its merchant accounts. The University no longer utilizes analog fax machines, and digital fax machines are not an acceptable method to receive mail order forms. These types of exceptions significantly change the scope of the University’s PCI DSS compliance requirements and will not be approved. 

Exceptions Requiring UNC System Office Endorsement and OSC Approval

1. Merchant Accounts outside the Merchant Card Master Service Agreement (MSA)
   
   The University does not currently allow departments to open merchant accounts outside of the State’s MSA.
   
   According to NC Policy 500.2 – Statewide Accounting Policy – Master Services Agreement for Electronic Payments, State agencies (including universities) are required to use the State’s MSA unless an exemption, endorsed by the UNC System Office, is approved by the State Controller. However, according to NC G.S. 116-40.22(e) (Management Flexibility), the University is authorized to contract with service providers specializing in services offered to institutions of higher learning that offer systems or services under arrangements that provide for the receipt of funds electronically, provided the services are in compliance with the requirements of the payment industry security standards. 
   
   Departments requesting to establish a merchant account through any other financial institutions besides the University’s merchant services provider (e.g., Fiserv) must provide a written business case to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu detailing:
   • Why the exception is necessary, and 
   • Who will be responsible for managing and supporting the new merchant account system(s)
2. Exemption from the North Carolina (NC) G.S. 147-77 (Daily Deposit Act)
   
   The University does not currently have any departmental daily deposit exemptions.
   
   According to the NC Daily Deposit Act, all funds in the hands of any agency of the State collecting or receiving money belonging to the State of North Carolina, must deposit and record those funds with the State Treasurer, at noon, daily. However, according to NC G.S. 116-40.22(e) (Management Flexibility), the State Treasurer may exempt the applicability of the daily deposit requirement for any standard business process resulting in a delay in the University receiving the funds from a service provider, when the exemption is based upon an acceptable business case that demonstrates an overall efficiency to the University and State. Such a business case must first be endorsed by The University of North Carolina System Office before submission to the State Treasurer for consideration. 
   
   Departments requesting an exemption from the daily deposit requirement must provide a written business case to the Office of the Bursar at bursar@charlotte.edu detailing:
   • Why the exception is necessary, and 
   • How frequently money will be deposited with the State Treasurer

Related Resources

• Merchant Card Master Service Agreement
• NC G.S. 116-40.22(e) (Management Flexibility)
• NC G.S. 147-77 (Daily Deposit Act)
• NC Policy 500.2 – Statewide Accounting Policy – Master Services Agreement for Electronic Payments
• Standard for Accepting Electronic Payments

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance in the usage of telephone order payment (credit/debit) card processing.

Scope

This guideline applies to all UNC Charlotte employees, affiliates and authorized users who will interact with payment card data, functions or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

Obtain Approval to Accept Telephone Order Payments

If the acceptance of cardholder data (CHD) via telephone order is needed for business operations, approval must be requested and obtained through the Office of the Bursar – Merchant Services. A request including business justification must be submitted to ecommerce@charlotte.edu.  Any voice over IP solutions must be hosted by a third party service provider who can provide proof of Payment Card Industry Data Security Standards (PCI DSS) compliance. CHD must not interface with the University network.

Physical University Phone, or other PCI Compliant Solution, is Required

Card Not Present (CNP) payments must not be accepted over the Zoom desktop client or mobile app installed on a University device connected to the University’s network. The Zoom application is not a certified PCI compliant solution. Once approved, merchants should retain or acquire a physical Zoom phone from OneIT by contacting zoom-phone-group@charlotte.edu before accepting payments over the phone.

Personal Mobile Devices are Prohibited from Accepting Telephone Orders

CNP payments must not be accepted over personal mobile devices or the Zoom mobile app installed on a personal mobile device. Your personal mobile device is not a certified PCI compliant solution. Merchants who receive calls after-hours or off-site on a personal mobile device should direct customers to their physical Zoom phone line or send the customer a link to their secure online payment platform. 

Handling Telephone Order Payments

Merchants approved to receive telephone order payments must ensure those payments are:

• Processed on approved devices as they are received (i.e., CHD should not be written down and never entered into a University device for processing later)
• Entered only by staff that have completed the merchant training requirements for card processing

Related Resources

• Standard for Card Not Present Payment Processing
• Standard for Handling Cardholder Data

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Purpose

The purpose of this document is to provide guidance for third party merchants, including student organizations, who accept payment (credit/debit) cards on behalf of the UNC Charlotte or on University property. Adherence to this standard will help ensure that the University is doing business with third party merchants who are compliant with Payment Card Industry Data Security Standard (PCI DSS) requirements.

Scope

This guideline applies to all third parties authorized to do business on behalf of or on University property who will be interacting with payment card data, functions, or systems as part of their job duties.

Contacts

Direct general questions about this guideline to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.

Guidelines

Obtain Prior Approval(s)

Third parties, including student organizations, may not process payment cards on behalf of the University or on University property without proof of PCI DSS compliance and prior approval from their division or college/administrative Business Officer and authorization from the Vice Chancellor for Business Affairs’ (VCBA) designee (i.e., Office of the Bursar – Merchant Services). All third parties should coordinate their activity with relevant campus merchants prior to conducting business, regardless of the method of payment.

• All student organizations must be approved by the SGA Senate and abide by the Student Organization Handbook. 
• All dining or vending related activities (e.g., food trucks, delivery robots, etc.) must be approved  through the food service company under contract to the University in accordance with the Food Service Policy. Visit Auxiliary Services – Catering and submit a Food Service Waiver Form.
• All transportation related activities (e.g., scooters, bike rental) must be approved  through Parking and Transportation Services.
• All space reservations must be approved through the Conference, Reservations, and Event Services (CRES) Office, in accordance with the University’s Policy on Use of University Space.  
• All alumni related activities should be coordinated through the Office of Alumni Engagement.
• All gifts, donations, or sponsorships must be approved through University Advancement before acceptance of those monies.
• All athletic related activities (including camps and clinics) must be approved by the Division of Athletics. All University-sponsored programs involving non-student minors (including athletics camps sponsored by University coaches) must report their program to the Office of Risk Management and Insurance (RMI) at least two weeks prior to the program beginning. 

Card Present (CP) Transactions on Campus

Transactions must not be processed over the University’s wired or wireless network. They may only be processed on cellular devices that do not interface with the University network or over networks provided and managed by the third party.

Online Payment Processing

If a student organization website is hosted on a University server, it is prohibited from linking out for payment processing. 

Externally hosted (i.e., not hosted at/or by the University) student organization web pages that include payment processing, must have a visible disclaimer readily viewable on the site stating that the site is not the University or a part of it. Please see below for an example disclaimer:

This is not a University of North Carolina at Charlotte (“University”) website. This registration and payment portal is administered by a third party payment processor (“Payment Processor”). The Payment Processor is responsible for the security and system availability of the payment portal. The University does not endorse, recommend, guarantee, control, or accept responsibility for any product or service made available by Payment Processor. The presence of a link to the Payment Processor’s website does not imply any affiliation, endorsement, approval, or verification by the University.

You understand that the Payment Processor’s website may contain terms and privacy policies that are different from the University’s terms and policies. You should review these provisions to ensure that you understand them, and to determine whether the website is suitable for you. The University does not review, and is not responsible for, these provisions.

The University will not be liable for any losses arising from or in connection with any errors or omissions with respect to payments processed by the Payment Processor, or any fees or charges imposed by the Payment Processor. 

Related Resources

• Standard for Accepting Electronic Payments
• Student Organization Handbook
• University Policy 601.6, Use of University Space
• University Policy 709, Food Service Policy

Revision History

• Initially approved by the AVC for Finance on November 25, 2024

Internal Revenue Service

The Internal Revenue Service is the nation’s tax collection agency and administers the Internal Revenue Code enacted by Congress.

Last Updated: February 15, 2022

IT Procurement Homepage

The Statewide IT Procurement Office establishes processes, specifications, and standards for IT products and services that are purchased, licensed, or leased by state agencies and educational entities.

Last Updated: November 10, 2014

NCDOR

The North Carolina Department of Revenue’s mission is to fund public services benefiting the people of North Carolina.

Last Updated: February 15, 2022