CREDIT CARD MERCHANT SERVICES

Accounting Services Section (ACT)

POLICY 33

Effective Date: 07/01/2006

Last Modified: 03/18/2009

Responsible University Officers: University Controller and Assistant Vice Chancellor for Enterprise Applications, ITS

Responsible Units: Accounting Services, Cashier's Office, Controller's Office, ITS

POLICY STATEMENT

Introduction

University departments provide goods and services to its customers and accept credit cards as an appropriate form of payment. Many University departments have been set up with credit card merchant accounts consisting of point of sale (POS) terminals, customized internet applications, or Yahoo store fronts. The NC Office of the State Controller (OSC) is statutorily charged with administering the State's Electronic Commerce and Payments Program, which includes merchant credit card services through the Common Payment Service. The Common Payment Service (CPS), a payment gateway, is a shared service that enables University applications to interface and access the payment processing services of the State. The State of North Carolina is under contract with Wachovia Bank for settlement of funds and with SunTrust Merchant Services to process payments received by credit card.

Allowable Goods and Services

With certain limited exceptions, State law (including the Umstead Act) prohibits University departments from selling goods and services to the general public. However, in conducting University business, some departments receive payments for goods or services such as application or registration fees. The Office of University Counsel should be consulted as necessary to document that the goods or services for sale are consistent with State law and University trademark licensing.

Merchant Approval

The University Controller as delegate for the Vice Chancellor for Finance and Administration shall approve all credit card processing activities at the University. If an Internet application is to be used, approval of the Chief Information Officer or delegate is also required. University departments shall obtain approval before entering into any agreements or purchasing related equipment or software.

University departments shall complete the applicable Service Level Agreement for credit card merchant services and the Application Forms to request approval to accept payments by credit card. The Service Level Agreement provides the University terms and conditions for acceptance of credit cards. There are separate service level agreements for internet applications using CPS, non-CPS internet applications, point of sale terminals, and Yahoo store fronts. The agreements and forms are in the Procedures section, and completed forms should be forwarded to the Cash Manager in Accounting Services at CB# 1210.

Merchant Standards

University departments shall adhere to appropriate standards for credit card merchant services including training, outsourcing agreements with third-party providers, data and system security, PCI compliance, cost responsibility, and fiscal responsibility.

1. Training: University departments approved as merchants shall ensure that all employees responsible for systems or procedures related to credit card transactions or data have completed the Credit Card Merchant Services training provided by the Finance Division. To enroll for training, contact the Finance Training Coordinator (FinanceTrainer@unc.edu or 843-3069). University departments shall also provide necessary training to employees to ensure staff members adhere to the policies and procedures for credit card merchant services.

2. Outsourcing Agreements with Third-Party Providers

a. Payment Processing Service: The State of North Carolina has a Master Services Agreement (MSA) with SunTrust Merchant Services (STMS), a partnership between SunTrust Bank and First Data Merchant Services (FDMS). STMS provides merchant card payment processing services. The Office of the State Controller (OSC) has mandated that all agencies and universities of the State use the MSA unless an exemption has been approved. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to the Cash Manager in Accounting Services at CB# 1210. The business case will be reviewed and forwarded as appropriate to OSC to request approval. A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, until the business case is approved. Upon approval, standard purchasing policies apply.

b. Payment Gateway: The Common Payment Service (CPS) is the State’s payment gateway used for internet credit card transactions. The Office of the State Controller (OSC) has mandated that all agencies and universities of the State use the CPS unless an exemption has been approved. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to the Cash Manager in Accounting Services at CB# 1210. The business case will be reviewed and forwarded as appropriate to OSC to request approval. A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, until the business case is approved. Upon approval, standard purchasing policies apply.

3. Data and System Security: University departments shall adhere to the following data and system security requirements for credit card merchant services:

System Settings

• Change vendor default security settings prior to installing the system on the network.
  
• Disable or change default accounts and passwords prior to installing the system on the network.
  
• Harden production systems by removing all unnecessary services and protocols.
  
• Use secure, encrypted communications for remote administrative access.

Stored Data Protection

• Dispose of sensitive cardholder data when it is no longer needed.
  
• Do not store the full contents of any track from the magnetic stripe in any manner.
  
• Do not store the card-validation code (the three digit value printed on the signature panel of a card) in any manner.
  
• Mask all but the last four digits of the account number when displaying cardholder data.
  
• Accounts numbers must be securely stored by means of encryption or truncation.
  
• Account numbers must be sanitized before being logged in the audit trail.
  
• Access to card account numbers must be restricted for users on a need-to-know basis.

Transmitted Data Protection

• Transmissions of sensitive cardholder data must be encrypted through the use of SSL.
  
• Credit card numbers must not be transmitted via email.

Anti-Virus Protection

• All Microsoft Windows Servers and workstations must have antivirus software installed and the virus definitions must be updated regularly.
  
• The campus has a site license for Symantec Antivirus, which is managed by ITS and the virus definitions pushed out from central servers.

Applications and Systems Security

• All systems must be updated with the latest security patches within 30 days of their release.
  
• The software and development process must be based on industry best practice and information security must be included throughout the process.
  
• Sensitive cardholder data must be sanitized before it is used for testing and development.
  
• All changes must be formally authorized, planned and logged.
  
• Sensitive cardholder data stored in cookies must be secured or encrypted.

Account Security

• All users must authenticate using a unique user ID and password.
  
• Remote access must be via a secure connection, for example the VPN.
  
• All passwords must be encrypted.
  
• All user accounts must be revoked immediately upon termination.
  
• All user accounts must be regularly reviewed to ensure that malicious, out-of-date and unknown accounts do not exist.
  
• All inactive accounts must be automatically disabled after a pre-defined period.
  
• Vendor accounts used for remote maintenance must be disabled when not needed.
  
• Group, shared or generic accounts are prohibited.
  
• Passwords must be changed on a regular interval, current Onyen standards are every 90 days.
  
• Passwords must follow strong password conventions, help.unc.edu, and must not be allowed to be reused for at least a year.
  
• Multiple password attempts or brute force attacks must result in an account lockout.

Physical Access

• Multiple physical security controls must prevent unauthorized access to the facility.
  
• Equipment and media containing cardholder data must be physically protected against unauthorized access.
  
• Cardholder data printed on paper or received by fax must be protected against unauthorized access.
  
• Proper procedures for the distribution and disposal of any media containing cardholder data must be followed.
  
• All media devices that store cardholder data must be inventoried and properly secured.
  
• Cardholder data must be deleted or destroyed before it is physically disposed (e.g. by shredding paper and degaussing media).

Access Tracking

• All access to cardholder data must be logged.
  
• Logs must contain successful and unsuccessful login attempts and all access to the audit logs.
  
• Critical system clocks must be synchronized with the campus time server, clock2.unc.edu, and logs must include date and time stamps.
  
• Logs must be secured, regularly backed up and retained for three months online and one year offline.

4. PCI Compliance: All credit card merchants shall be compliant with the Payment Card Industry (PCI) Data Security Standards. If an active merchant becomes non-compliant with the PCI Data Security Standard, the ability to accept payments by credit cards will be revoked until a compliant status is attained. Based upon the merchant level determination, the PCI has defined the compliance validation requirements. However, the Office of the State Controller is requiring merchants at all levels to complete the annual self-assessment questionnaire and to perform the required network scans for all externally-facing IP addresses. University departments that provide merchant services shall participate in the completion of the PCI requirements as well as the necessary follow-up for issues noted in the questionnaire and scan. Refer to the Annual Questionnaire and Quarterly Scan part in the Procedures section for additional information.

5. Cost Responsibility: University departments that provide credit card merchant services are responsible for related equipment and supply costs, processing fees, and fines and penalties resulting from noncompliance with University, State, and payment card industry policies. Refer to the Equipment Requirements and Processing Fees parts in the Other Information section for additional information.

6. Fiscal Responsibility: University departments that provide credit card merchant services are responsible for adhering to internal control standards for the safeguarding of receipts and data, the proper deposit and posting of receipts, and the reconciliation of receipts. Refer to the Transaction Posting Reconciliation and Settlement of Funds parts in the Procedures section for additional information. Departments shall review and resolve any disputes between the customer and their credit card merchant account in a timely manner.

Transaction Fees

Transaction fees may be charged to cover the cost of permitting a person to complete a transaction using a web application or other means of electronic access. The fee imposed must be approved by the University Controller as delegate for the Vice Chancellor for Finance and Administration and also the Office of State Budget and Management, in consultation with the State Chief Information Officer and the Joint Legislative Commission on Governmental Operations. The transaction fees that are charged must be for the conducting of an electronic transaction, not for the use of a merchant card. Electronic access includes the internet and voice response systems but not mail orders, telephone orders, or a face-to-face transaction.The revenues from the transaction fee and expenditures funded by the fee must be accounted for separately to provide an audit trail on the collection and use of the fees. Expenditures may only be made for e-commerce initiatives and projects, to include any third-party related fees and merchant card processing services.

Office of the State Controller (OSC) Policies

University departments and units that have been approved as merchants shall adhere to the E-Commerce policies of the Statewide Electronic Commerce Program. These policies are located on the OSC website at the following address:
http://www.ncosc.net/SECP/SECP_Policies.html

REASON FOR POLICY

The purposes of the credit card merchant policies and procedures are to provide essential information in obtaining and managing merchant accounts for credit card receipts; to provide requirements to ensure proper control and integrity of credit card data as well as security in the collection, maintenance, and transfer of credit card data; and to ensure compliance with the Payment Card Industry (PCI) Data Security Standards.The primary focus of the PCI Data Security Standards is to help merchants (such as University departments) improve the security of cardholder information by improving overall security standards which reduces the chances of security breaches. The growth of electronic commerce has resulted in increased occurrences of stolen cardholder information throughout the industry, which is an important concern to merchants and others that rely on electronic commerce as an efficient payment method.The rise in cardholder information compromises has resulted in an increased focus and regulatory actions by the major card associations. To improve the integrity and security of the payment processes used for receipt of payments by credit cards, compliance with the PCI Data Security Standards is necessary. The standards help merchants improve the safekeeping of cardholder information, which in turn reduces the chances of security breaches, fraud, and potential financial losses. These policies and procedures will help ensure that cardholder data and the electronic commerce network are protected and kept secure.

EXCLUSIONS

There are no exclusions. Academic and administrative units; faculty, staff, and other employees; or others that use systems or networks supported by the University shall abide by these policies. These policies pertain to credit card processing of payments received by the University. All point of sale (POS) terminals and all servers or databases receiving, storing, or transmitting credit card numbers are subject to these policies. Currently MasterCard, Visa, and Diners Club are allowable forms of payment by credit card to the University.

SPECIAL SITUATIONS

None

OTHER INFORMATION

Frequently Asked Questions

This section is under development.

Related Data

1. Defininitions:

Ambiron TrustWave – A leading provider of information security and compliance management solutions.

Application Server – The computer hardware hosting the application used for processing credit card transactions or other data.

Authorization – The process used to verify the credit card transaction is allowable based on availability of funds for the transaction amount and on the authenticity of the card.

Bankcard – A type of payment card, such as MasterCard or Visa, issued by a financial institution.

Cardholder – An individual who appropriately uses a payment card for purchases.

CC – Control Center. A department of ITS - IT Infrastructure and Operations.

Config Files – SIS CPS processing files.

Credit Card Number – A unique number used in a financial transaction that identifies a particular credit card account.

Common Payment Service (CPS) – The interface or gateway that is used to access the payment processing services provided by the NC Office of Information Technology for credit card payments made using an internet application.

Database Servers – The computer hardware used for storage of credit card transaction or other data.

E-Commerce Application – An electronic business application used for buying and selling goods or services through electronic systems such as the Internet or other computer networks.

Encryption – The process of securing electronic data transmission through the encoding of transaction information.

FDMS – First Data Merchant Services. A credit card processing platform.

ITRC – ITS Response Center.

ITS – Information Technology Services. The central technology organization for the University of North Carolina at Chapel Hill.

ITS EA – Information Technology Services – Enterprise Applications. ITS division that is responsible for all major ITS application development.

ITS Security – Information Technology Services – Security. A division of ITS that manages all aspects of compliance with relevant university, State and Federal rules regarding data integrity and privacy.

ITS SIS Group – Information Technology Services – Student Information Systems. A department of ITS – EA.

jspbounceto – A required field populated by the department with the response url. SISCPS uses the value of this field to direct the user to a new webpage when the transaction was successful.

jspbounceErr – An optional field populated by the department with the error url. SISCPS uses the value of this field to direct the user to a new webpage when the transaction has an error.

Merchant – A University department or unit that is authorized to accept credit card payments for good or services provided to customers.

Merchant Number – A unique number that identifies a University department or unit that is an approved merchant.

Merchant Service Level Agreement – An agreement between a University department or unit and ITS / Finance and Administration that authorizes the department or unit to function as a merchant and documents the responsibilities for accepting credits cards as a method of payment.

MID (Merchant ID) – A unique number that identifies a University Department or Unit that is an approved Merchant.

MMV – MyMerchantView. The internet based reporting tool provided by SunTrust Merchant Services (STMS). This tool provides summary and detailed-level reports for all batches and transactions submitted to STMS for settlement.

order-descr – A unique variable that identifies the transaction. This is the only application generated variable that will appear on the VCCT reconciliation report.

OSC – Office of the State Controller.

Payment Card Industry (PCI) Data Security Standards (PCIDDS) – The compliance requirements that have been established by the leading card associations with the objective of improving the safekeeping of cardholder information and the prevention of system breaches.

Perl Page – PayNow Page, where user enters credit card information.

Point of Sale (POS) Terminal – A computer terminal functioning as a standalone system or connecting to a server and that is used for authorizing and processing sales transactions.

Point of Sale (POS) Swipe Terminal – A device placed in a merchant location which is connected to the Processor's system via telephone lines and is designed to authorize, record, and settle data by electronic means for all sales transactions with Processor.  The Swipe Terminal can process both card present and card not present transactions.

SISCPS – Application that Department’s web application interfaces with. This application will pass the credit card transaction from its secure server to the State CPS system.

STMS – SunTrust Merchant Services. The State has a Master Service Agreement with STMS for Credit and Debit Card payment processing services.

TID – Terminal ID.

TrustKeeper – Provides Merchants with a web-based portal that allows Merchants to assess vulnerability and compliance with PCIDSS.

VCCT – Virtual Credit Card Terminal. The State’s web-based application used by CPS clients to reconcile credit card transactions processed.

Yahoo Store Front – An Internet method used as a capture solution (gateway) through the NC @ Your Service Store for the sale of goods or services with payment by credit card.

2. Equipment and Supplies:

Point of Sale Swipe Terminal:
For non internet transactions, a point of sale (pos) swipe terminal with printer and a dedicated phone line are required. Each merchant is responsible for the installation and cost of their dedicated phone line. Merchants are also responsible to procure their own point of sale terminal. These are available through the State contract and an array of available models is listed at http://www.ncosc.net/EPP/Equipment_Fees.pdf along with pricing for both purchase and rental. The cost of terminals purchased or rented through the State contract is billed directly to the merchant on their SunTrust Merchant Services monthly invoice. To order a terminal, contact the Cash Manager in Accounting Services. Terminal supplies, such as paper, printer ribbons, and Visa/MasterCard logo signage are available for just the cost of shipping. Contact the SunTrust Merchant Services help desk, (800) 654-8816, to order these supplies.

Point of Sale Computer Terminal:
The merchant is responsible for all software used in a point of sale computer terminal application. The software and configuration must be compliant with the Payment Card Industry Data Security Standard and its use must be approved by the Controller’s Office.

3. Processing Fees: The processing fees for payments by credit card include interchange fees, assessment and switch fees, and merchant service fees. Other fees include charges for use of CPS and Yahoo store fronts, if applicable.

The schedule of fees for merchant card services can be found at http://www.ncosc.net/SECP/Cards_Schedule_of_Fees.pdf. This schedule applies to merchant card services acquired through the North Carolina Office of the State Controller, pursuant to the Master Services Agreement (MSA) with SunTrust Merchant Services, LLC (STMS), dated August 1, 2006.

The CPS gateway fee, assessed for internet transactions, is 41¢ per transaction. Current Yahoo store front fees can be accessed at http://smallbusiness.yahoo.com/ecommerce/plans.php.

4. Fines and Penalties: The University department, as a merchant, has the final responsibility for complete compliance to the Payment Card Industry (PCI) Data Security Standard. If the merchant does not comply with the security requirements or fails to rectify a security issue, the payment card industry may:

• Fine the responsible merchant.
• Impose restrictions on the merchant.

5. Loss or Theft of Account Information: A merchant must immediately report to ITS-Security the suspected or confirmed loss or theft of any material or records that contain cardholder data. Failure to immediately notify the proper authorities will put the merchant at risk of a penalty of $100,000 per incident. Merchants are subject to fines by the payment card industry, up to $500,000 per incident, for any merchant cardholder data that is compromised and not compliant at the time of the incident.

6. SunTrust Merchant Services Operating Procedures: Your guide to card acceptance and processing can be located on the OSC web site at the following address:

http://www.ncosc.net/SECP/OperatingGuide-OPSG801_.pdf

PROCEDURES

In support of this policy, the following procedures are included:

Procedure 9, Credit Card Merchant Services

CONTACTS

To Establish Credit Card Process/General Questions:
Merchant Card Accountant
Email: ccadm@unc.edu
Phone: (919) 962-1601

Technical Issues: Karen Michael, Business Analyst
Email: kmichael@email.unc.edu
Phone: (919) 445-9319

PCI Compliance and Data Security: ITS – Security
Phone: (919) 445-9393

CPS Connection: HELP Desk
Phone: (919) 962-HELP

Deposits and Reconciliation: Head Teller, Cashier’s Office
Email: deposits@unc.edu
Phone: (919) 962-5846

CPS Connection, VCCT: NC ITS Customer Support Center
Email: cpstechsupport@lists.ncmail.net
Phone: (919) 754-6000 or 1-800-722-3946

HISTORY

Revised: New policy created July 1, 2006
Modified December 6, 2006
Modified April 19, 2007
Modified December 21, 2007

Return to Accounting Services Section Contents

Return to Business Manual Table of Contents