Financial Services Policy 10.2 – Credit Card Acceptance and Processing

This policy provides the requirements for all payment (credit/debit) card processing activities at UNCG. It defines the responsibilities of employees, administrative units, organizations and affiliates that process payment cards on behalf of UNCG or its affiliates. All relevant provisions contained in the Information Security Policy, the Data Classification Policy and the Acceptable Use of Computing and Electronic Resources policy are applicable and included by reference in this document.

This policy applies to all academic units, organizations, affiliates, and employees of UNCG who accept credit/debit card payments for University business.

The Office of the State Controller has established a Master Services Agreement (MSA) with SunTrust Merchant Services. The MSA provides services to eligible state agencies, universities, community colleges, and local units of governments on a statewide enterprise basis, allowing eligible participants to benefit from the leveraging of volume pricing.

Business Affairs has signed a Participation Agreement with the Office of State Controller (OSC) which allows campus departments to participate in the Master Services Agreement with SunTrust for the acceptance of credit cards. UNCG departments are not permitted to contract for credit card services outside of the Master Services Agreement without written approvals from the Vice Chancellor for Business Affairs, the Vice Chancellor for Information Technology Services, and OSC. All accounts for card processing must be established by the Director of Cashiers and Student Accounts Office through OSC.

UNCG is required to be in compliance with Payment Card Industry standards, which is referred to as PCI Compliance. All payment transactions must be captured on approved processing systems. UNCG is taking an approach to consolidate vendors and minimize complexity and effort in building interfaces in order to support existing operations and control exposure. Accordingly, there is a freeze on adding any new credit card processing systems or vendors. Any request for use of a processing system not already in place at UNCG must include an explanation of why none of the existing vendors/systems will work, and why UNCG should expend additional resources for the extra work and bear the additional exposure the new system will require.

To establish credit card processing the following must occur:

  1. The requesting entity (department, school, etc.) must forward a request to the appropriate Vice Chancellor or Provost for approval of the business need and acknowledgement of the responsibilities that are accepted by the department. If it is an unusual situation in which a new system/vendor is being requested, the request must include a thorough justification as indicated above. Additional information to be included in this request can be found in Financial Services Procedure 13 – Credit Card Acceptance & Processing Procedures.
  2. The approved request is forwarded to the Vice Chancellor for Business Affairs for review and approval. Justification for not using one of the existing credit card processing systems/vendors must be provided to include a complete explanation as to why none of the existing credit card processing systems/vendors in place at UNCG will work and why UNCG should accept the additional exposure and expend the additional resources for the extra work required for implementation and PCI Compliance.
  3. If approved by the Vice Chancellor for Business Affairs, the request will be forwarded to the Vice Chancellor for Information Technology Services for review and approval on the technical compliance and security issues.
  4. Once the approvals of both the Vice Chancellor for Business Affairs and the Vice Chancellor for Information Technology Services are obtained, the request will be forwarded to the Director of the Cashiers and Student Accounts Office. The Cashiers Office will serve as a liaison with the Office of State Controller for requesting the issuance of a merchant number for credit card acceptance.

All Payment (Credit/Debit) Card Processing activities must comply with the State of North Carolina General Statutes (G.S.) and policies. That includes but is not limited to North Carolina G.S. 147-77 (Daily Deposit Act), NC Office of the State Controller Policy 500.2 (Master Services Agreements for Electronic Payments), 500.11 (Compliance with PCI Data Security Standards) and 500.13 (NC Security and Privacy of Data).

Payment Card Industry (PCI) standards apply to all organizations that process, transmit or store credit cardholder information. The University and all departments that process payment card data have an obligation to adhere to the PCI Standards and must annually certify their continued compliance by submitting the PCI-DSS Self-Assessment Questionnaire (SAQ) appropriate to their credit card activities. In addition, departments must comply with all information security policies established by UNCG Information Technology Services (ITS).

All departments accepting credit cards must maintain compliance with Payment Card Industry (PCI) standards at all times, including the following:

  1. Cardholder data may not be stored on any UNCG computer device or network.
  2. Never send or request cardholder information via email. Credit card numbers should never be sent via end-user messaging technologies.
  3. All media (including paper) containing cardholder data must be physically secured and protected against unauthorized access, and properly destroyed when it is no longer needed for business or legal reasons.
  4. All devices that capture payment card data via direct physical interaction (example: Point-Of-Sale terminal) must be protected against tampering and substitution.
  5. An accurate and up-to-date list of all such devices must be maintained that includes: the make and model of the device, the location of the device, and the device serial number and terminal ID.
  6. Device surfaces are periodically inspected to detect tampering.
  7. Departmental personnel are trained to be aware of procedures to detect and report tampering or replacement of devices.
  8. Implement a formal security awareness program to make all personnel that interface with payment card activities or cardholder data aware of the importance of cardholder data security and their responsibilities for protection of cardholder data. Access to cardholder data must be restricted to users on a need-to-know basis.
  9. For departments that utilize service providers, a list of service providers must be maintained. The use of service providers requires:
     a. A written agreement must be maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of UNCG, or to the extent that they could impact the security of UNCG’s cardholder data environment.
     b. The service providers’ PCI DSS compliance should be monitored and verified at least annually. The service provider must be listed as compliant on Visa’s “Global Registry of Service Providers” or on the PCI Security Standards Council’s website.
     c. Information must be maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the UNCG department.

Any costs incurred by a department to become and remain compliant with the PCI Data Security Standards shall be borne by the department. In the event of a breach, all fines and expenses associated with the breach will be borne by the department accepting the credit card that was compromised.

Related Resources

Payment Card Industry Data Security Standard (PCI-DSS)

NC G.S. 147-77 (Daily Deposit Act)

NC OSC Policy 500.2 (Master Services Agreements for Electronic Payments)

NC OSC Policy 500.11 (Compliance with PCI Data Security Standards)

NC OSC Policy 500.13 (Security and Privacy of Data)

Annual PCI Compliance Security Procedures Review

Revised March 2017