Payment Cards

Card Processing

Payment Card Industry Data Security Standard Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures related to processing payment card transactions. This comprehensive standard is intended to help organizations proactively protect customer account data. Agencies found to be out of compliance that don’t take corrective action within a reasonable time may be required to stop accepting payment cards and may be liable for fines.

Becoming a Payment Card Merchant

University departments shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, without prior approval. 

Merchant application process steps

1. For a department to process credit card payments, approval must be obtained from the Controller’s Office. The form, Request for Credit Card Outlet Authorization (docx), must be completed and forwarded to the Bursar for review and approval.

2. The Controller's Office will determine the best method of credit card acceptance for the department (Point of Sale credit card machine, TouchNet Marketplace store, Payment Gateway or Upay link) based on volume of business, go-live date, and the needs of the department. The transaction process for each method is outlined below.

4. The Bursar will submit an application to the North Carolina Office of the State Controller for a merchant account identification number. It may take up to two weeks to receive the merchant ID.

5. If the acceptance method will be Point of Sale credit card machine, the Bursar will order the credit card machine. A list of the Point of Sale Terminals and costs may be found here (docx).

6. If the acceptance method will be a TouchNet Marketplace store or a Upay link, the department must submit a ticket on WCU’s IT Self-Service Portal.

7. All staff members of the requesting department who will have access to credit card information must complete PCI DSS training prior to ‘go live’ of the merchant account. PCI compliance evaluation and monitoring will be discussed with the merchant and will be continual while the merchant account remains active.

8. If the department will be using a merchant service provider, a business entity that is directly involved in the processing, storage, or transmission of cardholder data, it must provide the Bursar with a copy of the contract with the service provider. If the contract does not contain language that specifies that the service provider is responsible for the security of the cardholder data, the Bursar will request that an Agreement Addendum be signed by the service provider. The service provider’s PCI DSS compliance status will be monitored.

Payment Processing Service

All University merchants are set up through the State of North Carolina’s Master Service Agreement (MSA) with SunTrust Merchant Services (STMS), a partnership between SunTrust Bank and First Data Merchant Services (FDMS). STMS provides merchant card payment processing services. The North Carolina Office of the State Controller (OSC) has mandated that all agencies and universities of the State use the MSA unless an exemption has been approved. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to the Bursar in the Controller’s Office. The business case will be reviewed by the Bursar and the OSC. If approved, the Bursar will work with the department to implement, monitor, and maintain security and compliance in accordance with University policy over the alternate vendor.

University departments shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, without prior approval.

Outsourcing Credit Card Payments

The University is required to participate in the Master Service Agreement (MSA) for merchant services provided by OSC due to Cash Management Law (General Statute 147-86.10 and 11). An exemption from participating may be obtained from OSC if a suitable business case is presented. (See Payment Processing Service).

This requirement applies to all contracts, including outsourced functions if they involve credit card processing. The requirement does apply even when the University is not the merchant for the credit card processing.

Any area of campus involved in or negotiating an outsourcing agreement that involves processing credit cards through a processor not under the MSA should forward an exemption request to the Bursar who will forward the request to the OSC.

Payment Gateway

TouchNet is the University’s preferred payment gateway and is required to be used for all internet credit card transactions. A University department may request an exemption from this requirement by providing a business case justifying an alternate vendor or process to the Bursar. The business case will be reviewed and forwarded as appropriate to the OSC to request approval. A University department shall not enter into an outsourcing agreement with a third-party provider, including software applications for credit card processing, until the business case is approved.

Credit Card Acceptance Methods Transaction Process

Method 1: Point-of-Sale Terminal

The credit card transaction process begins when the customer purchases a product/event or makes a donation/payment and their card is swiped or entered into a point-of-sale terminal. The terminal is connected through an analog or cellular telephone line to the payment processor for settlement. The payment processor interfaces with the credit card companies to validate the credit card and verify the address if address verification is used. The payment processor returns an authorization code to the point-of-sale terminal and settles the funds with the University’s bank account.

Method 2: Payment Gateway

The credit card transaction process begins when the customer purchases a product/event or makes a donation/payment through a third-party hosted payment application/website. This application/website has a “Pay Now” button and passes the customer to the hosted payment gateway to make the payment. The payment gateway interfaces with the payment processor. The payment processor interfaces with the credit card companies to validate the credit card and verify the address if address verification is used. The payment processor returns an authorization code to the payment gateway and settles the funds with the University’s bank account.

Method 3: TouchNet Marketplace Store

The credit card transaction process begins when the customer purchases a product/event or makes a donation/payment through a TouchNet Marketplace store website. This website has a “Pay Now” button and passes the customer to the TouchNet hosted payment gateway to make the payment. The payment gateway interfaces with the payment processor. The payment processor interfaces with the credit card companies to validate the credit card and verify the address if address verification is used. The payment processor returns an authorization code to the payment gateway and settles the funds with the University’s bank account.

Method 4: TouchNet Upay Link

The credit card transaction process begins when the customer purchases a product/event or makes a donation through a website. The website has a TouchNet Upay link “Pay Now” button and passes the customer to the TouchNet hosted payment gateway to make the payment. The payment gateway interfaces with the payment processor. The payment processor interfaces with the credit card companies to validate the credit card and verify the address if address verification is used. The payment processor returns an authorization code to the payment gateway and settles the funds with the University’s bank account.
