REG 07.30.23 – Payment Card Merchant Services

Authority: Vice Chancellor for Finance and Administration and CIO/Vice Chancellor for Information Technology

History: First Issued: March 1, 2011.

Related Policies:
NCSU POL08.00.01 – Computer Use Policy
NCSU REG01.25.13 – Associated Entity – Creation and Retention
NCSU REG07.30.04 – Receipt Centers – Request for Authorization
NCSU REG07.70.01 – Identity Theft Prevention Program
NCSU REG08.00.02 – Computer Use Regulation
NCSU REG11.15.01 – All Campus Network Cards
NCSU REG11.55.06 – Recognized Student Organizations within the Division of Academic and Student Affairs (DASA): Regulation for Undergraduate Student Leadership
NCSU REG11.55.07 – Registered Student Organizations: Regulation for Undergraduate Student Leadership, Membership, and Registration

Additional References:
NC State University Controller’s Office – Credit Card Procedures
Request/Authority to Establish Receipt Center (BA-114)
Information Security & Privacy Acknowledgement (ISPA) Form
North Carolina State Government Office of the State Controller’s Statewide Electronic Commerce Program (SECP)
N.C. Gen. Stat. § 14-453 (1999) – Computer-Related Crimes
North Carolina Identity Theft Protection Act (2005 SB-1048)
VISA Cardholder Information Security Program
MasterCard Site Data Protection Program
American Express Data Security Operating Policy
Discover Card Security & Protection
PCI Data Security Standard

Contact Info: University Controller, University Accounting (919-515-3824); Director of Security & Compliance, Office of Information Technology (919-513-1194)
1. INTRODUCTION

1.1  Payment cards include credit cards, bank debit cards, and pre-paid cards used for cashless transactions.  University colleges, university departments (and their supported programs and projects), university associated entities as defined in UNC Policy Manual Section 600.2.5.2 and NCSU REG01.25.13 – Associated Entity – Creation and Retention, and university recognized and registered student organizations, as defined in NCSU REG11.55.06 – Recognized Student Organizations within the Division of Academic and Student Affairs (DASA): Regulation for Undergraduate Student Leadership and NCSU REG11.55.07 – Registered Student Organizations: Regulation for Undergraduate Student Leadership, Membership, and Registration, (collectively referred to as “university entities”) may accept payment card transactions as an appropriate form of compensation if they provide goods and services to their customers.  Many university entities have been set up with payment card transaction solutions provided by:

1.1.1 Simple swipe point of sale (POS) terminals,

1.1.2 Yahoo or other Web application store fronts,

1.1.3 Commercially acquired and customized Internet applications for the acquisition of payment card transactions, or

1.1.4 Internally developed applications to provide payment card processing.

2. RATIONALE

2.1  University entities that wish to utilize payment cards as a means of collection need a description of the selection, installation, implementation, and security aspects that are required for their use.  This regulation provides essential information on obtaining and managing merchant accounts for payment card receipts by university entities, and on ensuring compliance with the Payment Card Industry Data Security Standard (PCI DSS).

3. RELATIONSHIP TO THE STATE OF NC PROVIDED PAYMENT CARD SERVICES

The NC Office of the State Controller (OSC) is statutorily charged with administering the State’s Electronic Commerce and Payments Program (SECP), which includes merchant payment card (credit and debit) services.  All university payment card processing will use the OSC SECP payment card services Master Service Agreement (MSA) unless specific written exemption is given by the vice chancellor for Finance and Administration and the vice chancellor for Information Technology.

4. PAYMENT CARD ACTIVATION

4.1  The University Controller’s Office provides Credit Card Merchant Services procedures for the university.  The university entity wishing to accept payment card transactions must obtain receipt center approval from the University Controller’s Office per NCSU REG07.30.04 – Receipt Centers – Request for Authorization, using form Request/Authority to Establish Receipt Center (BA-114).

4.2  The entity will need to develop a business case based on expected volume of transactions, income, fees, and costs to implement and administer the payment card acceptance solution.  The University Controller’s Office can assist with evaluating fees.

4.3  The Office of Information Technology (OIT) Enterprise Application Services (EAS) unit can assist with investigating the costs of implementing, and providing ongoing support for, various technological solutions.

4.4  The entity must decide which payment cards to accept (i.e., Visa, MasterCard, Discover or American Express).  In order to accept payment card transactions for each payment card, the entity must have a merchant account and an associated merchant identification number (MID).  These credentials furnish the payment card servicer information on where to deposit the funds from the accepted payment transactions.  The MID must be obtained from the University Controller’s Office by filling out the Request for Credit Card Outlet Authorization form.

4.5  Clearing and reconciling the money from the payment card transactions for receipts into all projects except Ledger 6 (Foundations trust fund) projects is coordinated through the University Controller’s Office.  This process is defined by the Campus Credit Card Reimbursement policy.  For receipts into Ledger 6 projects, the Foundations Accounting and Investments Office coordinates clearing and reconciling the money.

5. PAYMENT CARD IMPLEMENTATION

5.1  The approved receipt center must then implement its chosen payment card acceptance solution and prove its security compliance with the PCI DSS.  The OIT Security and Compliance (S&C) unit will assist with this process, which includes:

5.1.1 The successful completion of the annual PCI DSS self-assessment questionnaire,

5.1.2 Passing the required periodic network scans of the entity’s IT implementation, if the chosen solution involves technology “system components” as defined in the PCI DSS, and

5.1.3 Verification of PCI DSS compliance documentation submitted by any third party card payment processors.

5.2  The University Controller’s Office will make arrangements with the receipt center’s technical contact for the installation of the hardware for accepting payment cards, where necessary.  Additionally, the University Controller’s Office will provide training to functional staff on the proper use of merchant services as well as training for daily sales reconciliation and the use of online merchant service reporting tools for receipts deposited to all projects except Ledger 6 projects.  The Foundations Accounting and Investments Office will provide guidance on receipts deposited to Ledger 6 projects.

6. PAYMENT CARD REGULATORY COMPLIANCE

6.1 The compliance requirements for accepting payment cards as a form of payment are:

6.1.1  Compliance with North Carolina State Government Office of the State Controller’s Statewide Electronic Commerce Program (SECP)

6.1.2 Compliance with NC State University Controller’s Office – Credit Card Procedures

6.1.3 Compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the payment card companies’ accreditation standards for the payment card type being accepted:

6.1.3.1 VISA: Cardholder Information Security Program (CISP)

6.1.3.2 MasterCard: Site Data Protection program (SDP)

6.1.3.3 American Express: Data Security Operating Policy (DSOP)

6.1.3.4 Discover: Information Security & Compliance (DISC)

7. PCI DSS

7.1  PCI DSS is a set of standards created by the payment card companies and enforceable under contractual obligations with these payment card companies.  Members and merchants agree to abide by these standards under the terms of their contracts with payment card companies.  Failure to follow these policies could prevent an entity from using payment cards or dealing with the payment card companies.  There are also very significant fines associated with payment card security breaches if the university is found to be out of compliance with the PCI DSS when the breach occurred.  Any fines or costs incurred by the university as a result of PCI DSS non-compliance are the responsibility of the offending unit responsible for the breach.

7.2  The PCI DSS outlines the security requirements for transmitting, storing, accessing, or processing cardholder data.  All NC State University entities that accept payment cards must comply with PCI DSS before accepting payment card transactions.  If the payment card technical solution implementation is significantly modified for a particular university entity at any time, PCI DSS compliance must be verified again for each associated merchant account before the modified implementation is used to accept payment cards.  The university entity that requests the merchant account is responsible for ensuring that on-going maintenance activities required to keep the site PCI DSS compliant are performed.  PCI DSS non-compliance is prohibited, and will result in immediate shutdown of the affected merchant accounts in the event of an emergency situation or after notification is submitted to relevant merchant account owners.  The accounts will be restored upon confirmed PCI DSS compliance.

7.3  With respect to security compliance, the annual verification procedures for all university payment card merchant accounts will be designed around the appropriate merchant level as defined by the payment card companies’ security standards listed in item 6 of this document (i.e., VISA Cardholder Information Security Program (CISP) and MasterCard Site Data Protection (SDP)).  The merchant level is determined by the aggregate university transaction volume for each payment card.  Compliance with the current version of PCI DSS at the appropriate merchant level must be proved before any university payment card merchant account may accept card payments or process payment card data.  This involves, at a minimum, completion of an annual PCI self-assessment questionnaire and a quarterly network scan of any IT implementation, as indicated in governing agreements.

8. PCI COMPLIANCE OF THIRD PARTY VENDORS

8.1 PCI compliance consists of regulation in three distinct areas:

8.1.1 PCI DSS (PCI Data Security Standard) is the core standard, which is primarily for merchants and card payment processors.  The standard addresses security technology controls and processes for protecting cardholder data.  Compliance with the PCI DSS is a requirement for all internal processing payment card implementations and all external service providers utilized by the university to assist with the processing and utilization of payment cards.

8.1.2 PA DSS (Payment Application Data Security Standard) is for software package developers who sell commercial applications for accepting and processing payment cards.  It is a requirement that an application developer or owner conform to PA DSS requirements prior to any purchase by the university of any such application.

8.1.3 PCI PED (PIN Entry Device) security requirements are for manufacturers of payment card devices used at the point of sale.  In addition to other PCI DSS requirements, software developers, merchants, and processors must use only approved devices compliant with PCI PED.

8.2  Any third party vendor used by the university or one of its associated entities to assist in storing, processing, or transmitting payment card data must provide a copy of their active certificate of PCI DSS, PA DSS, or PCI PED compliance at the appropriate audit Merchant Level.  This must be presented to the OIT Security and Compliance unit (OIT S&C) for review before any contractual agreement is finalized or renewed, and prior to the provider being used to process or interact with any live payment card transactions.

8.3  All new third party vendors not listed in the NC State University Controller’s Office – Credit Card Procedures must be approved by the University Controller’s Office and the OIT S&C unit prior to entering into any contractual agreement.  This will include a review of the vendor’s active PCI compliance by OIT.

8.4  OIT will also require an annual review of the PCI compliance of all such third party vendors.

9. OPTIONS FOR MERCHANT SERVICE ACCESS

9.1 Standard payment card terminal access:

9.1.1 Standard credit card terminals (point-of-sale systems or card readers) have few security requirements under PCI DSS if they use analog phone lines to transmit payment card information.  For example, PCI DSS requirements are in place to limit displays of cardholder data on point-of-sale (POS) receipts so that cardholder primary account numbers (PANs) are masked.  All merchants must also physically secure all paper and electronic media that contain cardholder data and securely dispose of such media when retention is no longer required.

9.2 The university’s secure credit card solution (administered by OIT):

9.2.1 The university’s secure credit card solution is a requirement for initiating university payment card payments via computer payment applications created after January 1, 2009.

10. APPROVED INTERNET STOREFRONTS

10.1  The University Controller’s Office and the OIT S&C unit jointly maintain a list of approved third party vendors that are compliant with PCI requirements and approved by the Office of the State Controller.  These vendors (as listed in the NC State University Controller’s Office – Credit Card Procedures) may be used by NC State University units.

11. OTHER APPROVED METHODS

11.1  The Vice Chancellor for Finance and Administration and the Vice Chancellor for Information Technology, in conjunction with the North Carolina Office of the State Controller, must approve in advance any other methods of processing and transmitting payment card information within the university.  Requests for methods other than those listed above should be submitted in writing to the University Controller.

11.2  Methods used to accept card payments other than those listed above will result in an immediate shutdown of the affected service.  However, these services may be restored upon use of an approved method of acceptance.