DoIT 01 08 - University Acceptance of Credit or Debit Cards
Effective date: April 24, 2008; Revised date: October 9, 2009
The University of North Carolina at Pembroke accepts credit or debit cards for payment of goods and services under controlled conditions to protect against the exposure and possible theft of account and personal cardholder information that has been provided to the university, and to comply with Payment Card Industry Security Standards Council (hereinafter “PCI”) requirements, which became effective June 30, 2005. The university must adhere to these standards to continue to process payments using payment cards.
This policy applies to all UNC Pembroke departments and affiliated units, employees, contractors, consultants, temporaries and other workers. This policy is applicable to any unit that processes, transmits or handles cardholder information in a physical or electronic format. The PCI Data Security Standard governs all computers and electronic devices at UNCP involved in processing payment card data. This includes servers that store payment card numbers, workstations that are used to enter payment card information into a central system (for example, ordering tickets over the phone), and any computers, network devices or credit/debit card swipe devices through which the payment card information is transmitted.
PCI Data Security Standard (PCI DSS) – a document that defines the standards for secure processing, storage and transmission of payment card data. The standard is a result of collaboration among several large credit card brands. Each brand has its own standard similar to the PCI DSS.
PCI Security Standards Council – an industry association whose purpose is to improve security of payment card data and foster support and adoption of the PCI Data Security Standard and related standards.
Payment Card – a credit or debit card.
Cardholder data – any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number or Card Validation Code (e.g., the three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data).
Merchant – any person or department accepting money for goods or services, including conference registrations, memberships, fees, etc.
Merchant Outlet ID – a unique ID assigned to identify transactions specific to a merchant.
All transactions that involve the transfer of payment card information must be performed on systems jointly approved by the Offices of the Controller and the Division of Information Technology (DoIT). Said systems must pass an internal compliance and security review before payment processing begins. Any specialized servers or related equipment that have been approved for this activity must be housed in a protected, managed network that meets the full requirements of the PCI DSS. The Division of Information Technology must approve this network before operations begin and review it yearly as long as the network is in use. The network must be administered in accordance with the requirements of all UNCP policies and the PCI DSS.
Departments involved with the acceptance and processing of cards for payment of goods and services must design adequate processes to ensure the following requirements are met continuously:
Any department wishing to enter or renew a credit card and/or debit card processing contract must provide the Offices of the Controller and the Division of Information Technology all relevant information related to the intended use of card processing and the technical specifications for said processing. Because the sale of goods and services to entities outside the university community may raise special considerations (e.g., unrelated business tax, accounting, legal, etc.) business plans concerning card sales should also be reviewed by the Controller’s Office.
Upon approval by both offices, and at the discretion of the Office of the Controller, a specialized Merchant Outlet ID will be established for use by the department. The department will work with the Controller’s Office and the Division of Information Technology to review their application and Web site, and to integrate the payment mechanism into campus systems. The Office of the Controller will establish the accounting practices that must be followed during payment processing and reconciliation.
Departments that need to accept credit/debit cards through a physical terminal or a swipe device must contact the Offices of the Controller and DoIT to execute the required paperwork, obtain a Merchant Outlet ID, receive training, and be given direction as to the accounting of those transactions. All equipment must meet PCI DSS requirements.
Following review and approval, the department will be notified of the status and additional relevant information. The Office of the Controller must approve any subsequent changes in processes for handling payment card data before such processes are put into effect. The Division of Information Technology must approve any subsequent changes in the technology before such changes are put into effect. The changes that must be approved by the Controller’s Office or DoIT include, but are not limited to, changes to the department Web site, products or services to be sold, intended customer base, anticipated transaction volume, outside advertising, application software, or changes in the departmental contacts responsible for the e-commerce business plan.
Departments not complying with this policy may lose the privilege to serve as a payment card merchant. Additionally, the affected card company may assert authority to impose fines, beginning at $100,000 for the first violation. Other civil liabilities may exist as well.
Persons in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. The university will carry out its responsibility to report such violations to the appropriate authorities and may prosecute any such violations to the full extent of the law.
Updated: Tuesday, June 7, 2011