Establishes policy and guidelines to provide the administrative, technical and security standards that must be adhered to in order to ensure compliance with applicable rules, regulations and policies associated with merchant cards.
Authority:
Vice Chancellor of Business Affairs
History
Revised June 2021; Revised February 2013; Effective July 1, 2011
Source of Authority:
Office of State Controller (OSC); Office of State Budget and Management (OSBM); Payment Card Industry (PCI) Data Security Standards; NCGS § 66-58.12
Credit Card Acceptance Committee (CACC) overseen by UNCW Finance Team within Business Affairs
Policy Details:
Introduction/Purpose
This policy provides the requirements and direction for payment card processing at UNC Wilmington. This policy and the associated procedures define the responsibilities for administrative, technical and security standards that must be adhered to in order to ensure compliance with applicable rules, regulations and policies associated with processing payment cards.
Scope
Applies to all university departments that accept payment cards by any method on behalf of the University or via a University branded means, including external organizations contracted to provide these services. “Payment cards” are defined as branded credit or debit payment cards that bear the logo of Visa Inc., MasterCard Worldwide, American Express, JCB International, or Discover Financial Services.
Policy
The Vice Chancellor of Business Affairs or his/her designee must approve any request for university departments to accept payment cards.
This includes but is not limited to:
All contract, software, and equipment purchase and usage. This applies to any transaction method used such as but not limited to eCommerce, POS device, mobile capture or eCommerce outsourced to a third party.
All methods of capture and transmission of payment card data. Payment card data includes the full primary account number (PAN) plus any of the following: cardholder name, service code (CVV), or expiration date.
The approval of campus departments to conduct business utilizing payment cards.
All technology implementations associated with payment card processing.
All university departments receiving approval for payment card processing must comply with the current Payment Card Industry Data Security Standards (PCI DSS).
Payment card data may not be stored in any form at any location. Exceptions must have the written approval of the VCBA.
All payment card processing activities must comply with the state of North Carolina General Statutes (G.S.) and policies. These include but are not limited to the following:
North Carolina G.S. § 147-77 (Daily Deposit Act)
NC Office of the State Controller (NC OSC) Policy 500.1 (Maximization of Electronic Payment)
NC OSC Policy 500.2 (Master Services Agreements for Electronic Payments)
NC OSC Policy 500.11 (Compliance with PCI Data Security Standards)
NC OSC Policy 500.13 (Security and Privacy of Data)
NC Session Law 1999-434, which amended multiple General Statutes related to the acceptance of electronic payments by State agencies.
All staff that work in payment card environments or environments that redirect to payment card environments must participate in PCI Awareness Training annually.
All university departments approved to process payment cards are required to validate their compliance with the PCI DSS annually or upon request of the PCI Compliance Coordinator.
All payment card processing must be conducted according to the current UNCW Payment Card Processing Procedures.
Third parties may not process payment cards over the university phone or any wired/wireless university networks without prior approval of the PCI Committee. Otherwise, transactions must be processed on non-UNCW cellular devices.
Any device processing payment card transactions over the university phone or wired/wireless networks must be configured by ITS and the CACC.
No university department or organization may enter into a contract that includes payment card processing or can affect the payment card environment without advance review and approval by the PCI Committee.
Procedures
The UNCW Payment Card Processing Procedures provide the details for implementing this policy. The Procedures carry the full force of this Policy.
Enforcement / Addressing Concerns
The university reserves the right to place restrictions on the use of payment card processing in response to evidence of violations of university policies, rules, regulations, PCI DSS, or codes, or local, state or federal laws and regulations. Actions that violate these policies can result in the VCBA or designee immediately disabling, suspending and/or revoking the payment card processing privileges pending review for further action.
Concerns should be addressed to the PCI Committee at pci@uncw.edu or the VCBA.
Review
This Policy should be reviewed annually by the PCI Committee and VCBA.