REG 07.30.23 – Merchant Services – Payment Card Processing

Authority: Executive Vice Chancellor, Finance and Administration and Vice Chancellor and Chief Information Officer, Office of Information Technology

History: First Issued: March 1, 2011.  Last Revised: September 16, 2025

Related Policies:
NCSU POL08.00.01 – Use of IT Resources Policy

NCSU REG07.70.01 – Identity Theft Prevention Program
NCSU REG08.00.02 – Use of IT Resources Regulation
NCSU REG11.55.06 – Recognized Student Organizations: Regulation for Undergraduate Student Leadership and Registration 
NCSU REG11.55.07 – Registered Student Organizations: Regulation for Student Leadership, Membership, and Registration

Additional References: 
Information Security & Privacy Acknowledgement (ISPA) Form
North Carolina State Government Office of the State Controller’s Statewide Electronic Commerce Program (SECP)
N.C. Gen. Stat. § 14-453 (1999) – Computer-Related Crimes
North Carolina Identity Theft Protection Act (2005 SB-1048)
PCI Data Security Standard

Contact Info: University Controller’s Office (merchantservices@ncsu.edu); Chief Information Security Officer, Office of Information Technology (919-513-1194)


1. INTRODUCTION

1.1  Payment cards include credit cards, bank debit cards and prepaid cards used for cashless transactions. North Carolina State University (NC State) colleges, departments (and their supported programs and projects), associated entities as defined in UNC Policy Manual Section 600.2.5.2[R] and recognized and registered student organizations, as defined in NCSU REG11.55.06 – Recognized Student Organizations: Regulation for Undergraduate Student Leadership and Registration and NCSU REG11.55.07 – Registered Student Organizations: Regulation for Student Leadership, Membership, and Registration, (collectively referred to as “NC State Entities”) may accept payment card transactions as an appropriate form of compensation with appropriate vetting and approval from University Controller’s Office Merchant Services (Merchant Services) and Office of Information Technology (OIT) Security and Compliance (S&C).

2. RATIONALE

2.1  NC State Entities that wish to utilize payment cards as a means of collecting payments, known as merchant services, need to provide a description of the method, frequency, vendor, implementation, and security aspects, as well as other requirements, to be evaluated for merchant service approval.  This regulation provides essential information to obtain and manage merchant accounts for payment card receipts by NC State Entities, and to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

2.2  For all merchant services, payment card processes must be evaluated by the IT Purchase Compliance process.

3. RELATIONSHIP TO THE STATE OF NC PROVIDED PAYMENT CARD SERVICES

The NC Office of the State Controller (OSC) is statutorily charged with administering the State’s Electronic Commerce and Payments Program (SECP), which includes merchant payment card (credit and debit) services.  All NC State payment card processing where NC State is the merchant of record will use the OSC SECP payment card services Master Service Agreement (MSA).

4. PAYMENT CARD ACTIVATION

4.1   The University Controller’s Office manages and supports all merchant card services at NC State. NC State Entities should contact Merchant Services at merchantservices@ncsu.edu to initiate a new service or make changes to existing services.

4.2  The NC State Entity requesting or renewing the service will need to develop a business case based on expected volume of transactions, income, fees and costs to implement and administer the payment card acceptance solution.

4.3  Clearing and reconciling of receipts from payment card transactions, except for ledger 6 (foundations trust fund) projects, is coordinated through Merchant Services. Foundations Accounting and Investments coordinates clearing and reconciling daily receipts for ledger 6 projects.

4.4 The University Controller’s Office moves credit card transaction receipts to their appropriate projects daily. Funds are moved once they have been deposited into the appropriate depository account with the NC Department of State Treasurer.

5. PAYMENT CARD IMPLEMENTATION

5.1  The requestor must implement their chosen payment card acceptance solution with the assistance of Merchant Services and S&C, and prove its security compliance with the current PCI DSS standard, including: 

5.1.1 The accurate completion of the required annual PCI DSS self-assessment questionnaire for all individual Merchant ID (MID) owners.

5.1.2 Completion of the required policy and procedure documents, list of payment links, data flow diagram, and other documentation as needed.

5.1.3 Verification of PCI DSS compliance documentation submitted by any third party card payment processors and vendors. This is an annual requirement of the PCI DSS annual attestation.

5.2  Merchant Services and S&C will make arrangements with the requestor’s technical contact for the installation of the hardware and software as necessary.  Additionally, Merchant Services will provide training to functional staff on the proper use of merchant services as well as training for daily sales reconciliation and the use of online merchant service reporting tools for university accepted solutions for receipts deposited to all projects except Ledger 6 projects.  The Foundations Accounting and Investments Office will provide guidance on receipts deposited to ledger 6 projects.

6. PAYMENT CARD REGULATORY COMPLIANCE

6.1 The compliance requirements for accepting payment cards as a form of payment are:

6.1.1  Compliance with North Carolina State Government Office of the State Controller’s Statewide Electronic Commerce Program (SECP)

6.1.2 Compliance with University Controller’s Office – Merchant Services process

6.1.3 Compliance with the PCI DSS – (current version) and the payment card companies’ accreditation standards for the payment card type being accepted:

6.1.3.1 VISA: Cardholder Information Security Program (CISP)

6.1.3.2 MasterCard: Site Data Protection program (SDP)

6.1.3.3 American Express: Data Security Operating Policy (DSOP)

6.1.3.4 Discover: Information Security & Compliance (DISC)

7. PCI DSS

7.1  PCI DSS is a set of standards created by the payment card companies and enforceable under contractual obligations with these payment card companies.  Members and merchants agree to abide by these standards under the terms of their contracts with payment card companies.  Failure to follow these policies could prevent an entity from using payment cards or engaging with the payment card companies.  There are also significant fines associated with payment card security breaches if NC State is found to be out of compliance with PCI DSS should a breach occur.  Any fines or costs incurred by NC State because of PCI DSS non-compliance are the responsibility of the offending unit responsible for the breach. Additionally, the offending unit may lose its ability to accept payment cards.

7.2  The PCI DSS outlines the security requirements for transmitting, storing, accessing, or processing cardholder data.  All NC State Entities that accept payment cards must comply with PCI DSS before accepting payment card transactions.  If the payment card technical solution implementation is significantly modified for a particular university entity at any time, PCI DSS compliance must be verified again for each associated merchant account before the modified implementation is used to accept payment cards.  The NC State Entity owning the merchant account is responsible for ensuring that ongoing maintenance activities required to keep the implementation PCI DSS compliant are performed. PCI DSS non-compliance is prohibited and will result in cancellation of the affected merchant account.  After review, the account may be reinstated on confirmed PCI DSS compliance.

8. PCI COMPLIANCE OF THIRD PARTY VENDORS

8.1  Any third party vendor used by an NC State Entity for payment card transactions must be approved by Merchant Services and provide a copy of their Report On Compliance or Attestation Of Compliance at the appropriate merchant level.  This must be provided to S&C for review before any contractual agreement is finalized or renewed, and prior to the provider being used to process or interact with any live payment card transactions. If the vendor utilizes any third party service providers whose services bring them into scope as a vendor as defined by PCI DSS, evidence of compliance for those third parties must also be provided.

8.2  S&C will also require an annual review of the PCI compliance of all third party vendors as part of the PCI-DSS annual attestation process.