University Computing and Information Services
PO Box 1510
Pembroke, NC 28372
Phone: 910.521.6260
Fax: 910.521.4337
Email: ucis@uncp.edu
Location: D.F. Lowry Building, Room 110
UCIS 01 08 - University Acceptance of Credit or Debit Cards
Effective date: April 24, 2008
I. Purpose
The University of North Carolina at Pembroke accepts credit or debit cards for payment of goods and services under controlled conditions to protect against the exposure and possible theft of account and personal cardholder information that has been provided to the university; and to comply with Payment Card Industry (hereinafter “PCI”) requirements which became effective June 30, 2005. The University must adhere to these standards to continue to process payments using payment cards.
II. Scope
This policy applies to all UNC Pembroke departments and affiliated units, employees, contractors, consultants, temporaries, and other workers. This policy is applicable to any unit that processes, transmits, or handles cardholder information in a physical or electronic format. The PCI Data Security Standard governs all computers and electronic devices at UNCP involved in processing payment card data. This includes servers which store payment card numbers, workstations which are used to enter payment card information into a central system (for example, ordering tickets over the phone), and any computers, network devices, or credit/debit card swipe devices through which the payment card information is transmitted.
III. Definitions
PCI Data Security Standard (PCIDSS) – a document that defines the standards for secure processing, storage and transmission of payment card data. The standard is a result of collaboration among several large credit card brands. Each brand has its own standard similar to the PCIDSS.
PCI Security Standards Council – an industry association whose purpose is to foster support and adoption of the PCI Data Security Standard.
Payment Card – a credit or debit card
Cardholder data – any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, or Card Validation Code (the three-digit or four-digit value printed on the front or back of a payment card, e.g., CVV2 and CVC2 data).
Merchant – any person or department accepting money for goods or services. Includes conference registrations, memberships, fees, etc.
Merchant Outlet ID – a unique id assigned to identify transactions specific to a merchant.
IV. Policy
All transactions that involve the transfer of payment card information must be performed on systems jointly approved by the Offices of the Controller and University Computing and Information Services. Said systems must pass a compliance and security review before payment processing begins. Any specialized servers or related equipment that have been approved for this activity must be housed in a protected, managed subnet that meets the full requirements of the PCIDSS. University Computing and Information Services must approve this subnet before operations begin and periodically as long as it is in use. The subnet must be administered in accordance with the requirements of all UNCP policies and the PCIDSS.
Departments involved with the acceptance and processing of cards for payment of goods and services must design adequate processes to ensure the following requirements are met continuously:
Approval of the Offices of the Controller and University Computing and Information Services must be obtained before entering into any contracts, purchases of software and/or equipment, or purchases of any processing services related to payment card processing. This requirement applies regardless of the transaction method or technology used (e.g. e-commerce, Point-of-sale (POS) device, etc.).
Departments must comply with the Payment Card Industry Data Security Standard as it may be amended from time to time.
Departments must establish procedures for safeguarding cardholder information and secure storage of data. This pertains to ALL transactions regardless of whether initiated via the telephone, over the counter, mail order, Internet, etc. Departments must ensure compliance with UNCP’s Personal Information Security Breach Notification Protocol for notifying cardholders in the event of improper disclosure of personal identifying information.
Credit or debit card numbers must not be transmitted in an insecure manner, such as by e-mail, by unsecured or stored fax, or through unsecured campus mail (sealed envelopes must be used). Under no circumstances will it be permissible to obtain payment card information, or transmit payment card information, by e-mail.
Sensitive cardholder data [i.e., full account number, card type, expiration, PIN, and card-validation code (three-digit or four-digit value printed on the front or back of the card)] should not be stored in any University system, personal computer, or e-mail account, nor should this data traverse UNCP’s network.
Departments should not print the entire credit or debit card number on the customer copy of any receipts. Whenever possible, departments should not print the entire credit or debit card number on the department’s copy of the receipt.
All documentation containing card account numbers must be stored in a secure environment until processed. Secure environments include locked drawers and safes, with limited access to only individuals who are processing the credit card transaction. Processing should be done as soon as possible and the credit card number should immediately be blacked out to the last four digits and the card expiration date must be masked.
Access to payment card data should be limited to those individuals who need access in order to perform their job duties. Access should be removed promptly when no longer required to perform current job duties.
Stored credit card information will be retained according to the University General Records Retention and Disposition Schedule and any requirements as set forth by the Office of the State Controller or the Office of the State Auditor. All media used for payment cards must be destroyed when retired from use. All hardcopy must be shredded prior to disposal.
Criminal background checks must be performed prior to hiring of any new employee with access to stored cardholder information for multiple cards. This is not required for positions that only handle one card at a time and do not have access to stored card data. Background checks must be carried out as set out in Human Resources policy.
Payment card handlers and processors must sign a written acknowledgement stating their understanding of their obligation not to disclose or acquire any information concerning a cardholder’s account without the cardholder’s consent, and to follow all PCIDSS requirements.
All personnel involved in payment card handling must attend card security training provided by the Offices of the Controller and University Computing and Information Services every year in conjunction with required PCIDSS reviews. New employees must attend this training prior to accessing payment card data.
Each department using servers or similar equipment must develop procedures to ensure that access privileges are controlled, software can only be accessed and used in secure locations, and access for former employees is promptly removed.
Units using third-party software, including cash register systems, are prohibited from storing complete payment card numbers on University computers at any time.
Departments must contractually require all third parties with access to cardholder data to adhere to PCIDSS security requirements and provide proof of PCIDSS certification to the Offices of the Controller and University Computing and Information Services. This certification may be required periodically in order to meet review and reporting needs.
Any member of the campus community, including faculty, staff, students, temporary workers, contractors, etc., must report any violation of this policy to the Offices of the Controller and University Computing and Information Services as soon as possible.
The Offices of the Controller, Internal Audit, and University Computing and Information Services may periodically review and assess the business processes and technology used to process payment card data in order to comply with PCIDSS requirements or those of the Offices of the State Controller or State Auditor.
V. Procedures
Any department wishing to enter or renew a credit card and/or debit card processing contract must provide the Offices of the Controller and University Computing and Information Services all relevant information related to the intended use of card processing and the technical specifications for said processing. Because the sale of goods and services to entities outside the university community may raise special considerations (e.g. unrelated business tax, accounting, legal, etc.), business plans concerning card sales should also be reviewed by the Controller’s Office.
Upon approval by both offices, and at the discretion of the Office of the Controller, a specialized Merchant Outlet ID will be established for use by the department. The department will work with the Controller’s Office and University Computing and Information Services to review their application and web site, and to integrate the payment mechanism into campus systems. The Office of the Controller will establish the accounting practices that must be followed during payment processing and reconciliation.
Departments that need to accept credit/debit cards through a physical terminal or a swipe device must contact the Offices of the Controller and UCIS to execute the required paperwork, obtain a Merchant Outlet ID, receive training, and be given direction as to the accounting of those transactions. All equipment must meet PCIDSS requirements.
Following review and approval, the department will be notified of the status and additional relevant information. The Office of the Controller must approve any subsequent changes in processes for handling payment card data before such processes are put into effect. Any subsequent changes in the technology must be approved by University Computing and Information Services before such changes are put into effect. The changes that must be approved by the Controller’s Office or UCIS include, but are not limited to, changes to the department web site, products or services to be sold, intended customer base, anticipated transaction volume, outside advertising, application software, or changes in the departmental contacts responsible for the e-commerce business plan.
VI. Sanctions
Departments not complying with this policy may lose the privilege to serve as a payment card merchant. Additionally, the affected card company may assert authority to impose fines, beginning at $100,000 for the first violation. Other civil liabilities may exist as well.
Persons in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.
VII. Resources
The PCI Security Standards Council: PCI Data Security Standard and related documents
Updated: Friday, May 9, 2008
© The University of North Carolina at Pembroke