05.118 Payment Card Acceptance Policy

Authority: Vice Chancellor of Business Affairs History: Updated June 4, 2021 Updated February 2013 Effective July 1, 2011 Source of Office of State Controller (OSC); Office of State Budget and Management Authority: (OSBM); Payment Card Industry (PCI) Data Security Standards; NCGS § 66- 58.12

Related Links: UNCW Payment Card Processing Procedures; Departmental Funds Receipting Policy and Procedures; PCI Security Standards Council’s website; additional resources and policies are located at the Office of State Controller’s web site

Responsible Credit Card Acceptance Committee (CACC) overseen by UNCW Finance Team Office: within Business Affairs

I. Introduction/Purpose This policy provides the requirements and direction for payment card processing at UNC Wilmington. This policy and the associated procedures define the responsibilities for administrative, technical and security standards that must be adhered to in order to ensure compliance with applicable rules, regulations and polices associated with processing payment cards. II. Scope Applies to all university departments that accept payment cards by any method on behalf of the University or via a University branded means, including external organizations contracted to provide these services. “Payment cards” are defined as branded credit or debit payment cards that bear the logo of Visa Inc., MasterCard Worldwide, American Express, JCB International, or Discover Financial Services. III. Policy The Vice Chancellor of Business Affairs or his/her designee must approve any request for university departments to accept payment cards. A. This includes but is not limited to: 1. All contract, software, and equipment purchase and usage. This applies to any transaction method used such as but not limited to eCommerce, POS device, mobile capture or eCommerce outsourced to a third party. 2. All methods of capture and transmission of payment card data. Payment card data includes the full primary account number (PAN) plus any of the following: cardholder name, service code (CVV), or expiration date.

Page 1 of 3 05.118 PAYMENT CARD ACCEPTANCE 3. The approval of campus departments to conduct business utilizing payment cards. 4. All technology implementations associated with payment card processing. B. All university departments receiving approval for payment card processing must comply with the current Payment Card Industry Data Security Standards (PCI DSS). C. Payment card data may not be stored in any form at any location. Exceptions must have the written approval of the VCBA. D. All payment card processing activities must comply with the state of North Carolina General Statutes (G.S.) and policies. These include but are not limited to the following: a. North Carolina G.S. § 147-77 (Daily Deposit Act) b. NC Office of the State Controller (NC OSC) Policy 500.1 (Maximization of Electronic Payment) c. NC OSC Policy 500.2 (Master Services Agreements for Electronic Payments) d. NC OSC Policy 500.11 (Compliance with PCI Data Security Standards) e. NC OSC Policy 500.13 (Security and Privacy of Data) f. NC Session Law 1999-434, which amended multiple General Statutes related to the acceptance of electronic payments by State agencies. E. All staff that work in payment card environments or environments that redirect to payment card environments must participate in PCI Awareness Training annually. F. All university departments approved to process payment cards are required to validate their compliance with the PCI DSS annually or upon request of the PCI Compliance Coordinator. G. All payment card processing must be conducted according to the current UNCW Payment Card Processing Procedures. H. Third parties may not process payment cards over the university phone or any wired/ wireless university networks without prior approval of the PCI Committee. Otherwise, transactions must be processed on non-UNCW cellular devices. I. Any device processing payment card transactions over the university phone or wired/wireless networks must be configured by ITS and the CACC. J. No university department or organization may enter into a contract that includes payment card processing or can affect the payment card environment without advance review and approval by the PCI Committee.

IV. Procedures

The UNCW Payment Card Processing Procedures provides the details for implementing this policy. The Procedures carry the full force of this Policy.

Page 2 of 3 05.118 PAYMENT CARD ACCEPTANCE V. Enforcement / Addressing Concerns

The university reserves the right to place restrictions on the use of payment card processing in response to evidence of violations of university policies, rules, regulations, PCI DSS, or codes, or local, state or federal laws and regulations. Actions that violate these policies can result in the VCBA or designee immediately disabling, suspending and/or revoking the payment card processing privileges pending review for further action.

Concerns should be addressed to the PCI Committee at [email protected] or the VCBA.

VI. Review

This Policy should be reviewed annually by the PCI Committee and VCBA.

Page 3 of 3 05.118 PAYMENT CARD ACCEPTANCE