
Merchant Services supports the acceptance of credit cards in a compliant manner as payment for goods and services, to improve customer service, to bring efficiencies to UNC-Chapel Hill’s cash management process, and to increase volume of certain types of transactions. These activities are all performed under the guidance of Payment Card Industry Data Security Standards (PCI DSS), University policies and procedures, and state/federal law.

Privacy Policy

Protecting the privacy and personal data of our customers is very important. The University of North Carolina at Chapel Hill has taken numerous steps to protect the personal information of those who transact business with us. Personal information that you provide to us is not used, shared or sold to third parties except to the extent required by law. NO credit cardholder or bank account data is processed, transmitted or stored on our website, but rather is collected, transmitted and processed by a Payment Card Industry (PCI) compliant third party service provider.

Please see the memo regarding CERTIFI Limits and Prohibited WiFi Use on Third Party Purchases for more details about our campus guidelines on payment card services.

Contact

Brooke O’Neal
Merchant Services Manager
certifi@unc.edu
919-843-0420

Cynthia O’Daniel
TouchNet Administration
TouchNet_Admin@office.unc.edu
TouchNet Support

CERTIFI Committee

(Compliant Electronic Receipt Transactions through Innovation and Financial Integrity)

In order to implement and manage the directives of the Payment Card Industry Security Standards Council, NACHA and the electronic commerce requirements set forth by the North Carolina Office of the State Controller and North Carolina State legislature, the University has established the CERTIFI (Compliant Electronic Receipt Transactions through Innovation and Financial Integrity) Committee.

CERTIFI Committee Information

Policy 308: Credit Card Merchant Services

Self Assessment Questionnaires

Several self-assessment questionnaires (SAQs) can be found at the PCI Security Standards Council’s Document Library.

  • Select SAQ A if the department accepts online payments.
  • Select SAQ B if the department uses an analog or cellular terminal.
  • Select SAQ P2PE if the department utilizes Point-to-Point Encrypted technology.

Email certifi@unc.edu with questions.

Setup and Maintenance of Merchant Card Accounts

Departments interested in establishing a merchant card account should send an email to certifi@unc.edu requesting a meeting so that we can discuss the business need and provide guidance on next steps.

Related Documents

Flyers

Incidents involving cardholder data should be reported to ITS by calling the Help Desk at 919-962-HELP.

On February 1, 2015, the North Carolina Office of the State Controller executed a statewide Master Service Agreement (MSA) with SunTrust/Fiserv (Fiserv). Fiserv is the University’s state mandated processing bank. ClientLine, Fiserv’s banking portal, provides detailed account information.

Fiserv Contact Numbers
Issue | Phone Number
ClientLine Login Issues | 800-285-3978 (option 3)
Terminal Issues | 800-654-8819
Terminal Supplies | 800-654-8819 (follow prompts)
Chargebacks | 800-654-8819 (follow prompts)
After-Hours Issues | 800-555-9966

MSA Exemption Request

To request an exemption, under the signature of the Dean, Director, or Department Head, submit a letter to certifi@unc.edu detailing the business necessity. Within six months, the North Carolina Office of the State Controller, The University of North Carolina System, and the North Carolina Department of State Treasurer will issue a determination.

Schedule of Fees

Merchant Card Processing Services
State of North Carolina and SunTrust Merchant Services
Contract Number 14-008474
Effective February 1, 2015

Interchange & Assessment Fees “Pass Through Cost”

Visa and MasterCard Interchange fees are pass-through. These fees are based upon the clearing of Visa and MasterCard transactions submitted by Customer. All Bankcard transactions will be subject to the applicable Visa and MasterCard interchange fees and Assessments in effect. The interchange fees, assessments and qualifying criteria set forth in “Visa and MasterCard’s Interchange Qualification Data Requirements” Non-Qualified Interchange will be passed through to the Client.

  • Visa and MasterCard Assessments Fees – “Pass through Cost”
  • Debit Network Charges for Debit Cards – “Pass through Cost”

Cards and Costs
Processing Fee All Card Types “Vendor Levied Cost” | Unit Cost
Visa/MasterCard | $0.0185 per transaction
American Express/Discover | $0.0185 per transaction
Debit | $0.0185 per transaction

Additional Costs
Additional Services “Vendor Levied Cost” | Unit Cost
PayPoint Gateway Fees for Card Transactions | $.08
PayPoint Gateway Fees for ACH Transactions | $.10
AVS (Address Verification Service) | $0.02
Supplies: (Shipping costs passed through) | No charge
Chargeback Fee | $9.75
Reporting, Client Line, Hard Copy | No Charge
Voice Authorizing and VRU Authorization | $0.25
On-site PayPoint Training | $2,000
Payment email notification | $.01
Global Gateway e4 | $.0175
Hosted recurring payments | $.05
Alternative Payments | $.05
TransArmor | $.0075

CardConnect Equipment
Device | Description | Fee
CardPointe Terminal (iCT220, iCT250) | CardPointe Terminal devices not only leverage industry leading P2PE security measures, they are also plug-and-play ready and EMV-enabled. All functions, from payment processing and receipt printing to settlement reporting, operate from a single, secure device. Simply plug, connect and accept – it’s that easy! | iCT220: $170; iCT250 (color display): $220; Monthly Rental Fee: $15 per device
ID TECH SREDKEY | The SREDKey is an encrypted keypad with an LCD and an encrypted MagStripe reader that offers a complete and reliable security solution. Even better, because swiped transactions and keyed-in data are encrypted at the point of interaction, the scope of PCI-compliance is dramatically reduced. | $160
iSC Touch 250 | Designed for use in demanding, multi-lane environments, the iSC Touch 250 combines signature capture and touchscreen technologies in a compact design and comes with a Cat 5 ethernet cable and power supply. And because it is powered by Bolt, all transactions are secured with point-to-point encryption (P2PE) and EMV acceptance for reduced PCI-DSS scope. The iSC Touch 250 is also seamlessly integrated with the CardPointe Virtual Terminal for simple and secure payment acceptance. | $500; Monthly Rental Fee: $25 per device
iPP320/350 | The iPP 320/350 is optimized for fast checkout with a large keypad, LCD display and function keys that allow for comfortable and convenient interactions. The plug-and-play device is equipped with a Cat 5 ethernet cable and power supply. Powered by Bolt to protect transactions with point-to-point encryption (P2PE), the iPP 320/350 is integrated with the CardPointe Virtual Terminal, so running transactions is simple and secure. | iPP320: $310; iPP350 (color display): $360; Monthly Rental Fee: $15 per device

Point of Sale Terminals Available Under STMS Contract
Effective February 1, 2015
Description | Purchase Fee | Monthly Rental Fee | Monthly Lease Fee
Clover Station 2 with or without Cash Drawer Clover Station 2 w/Accessory Kit (TransArmor Required) | $849 / $764 plus monthly licensing | N/A | N/A
Clover Station Printer Clover Station (TransArmor Required) | $499 | N/A | N/A
Clover Flex WIFI and 4G Clover Flex* (TransArmor Required) | $679 + $15 wireless fee plus monthly licensing | $35 + $15 wireless fee plus monthly licensing | N/A
Clover Mini – LTE (4G) Clover Mini (TransArmor Required) | $649 plus monthly licensing | N/A | $30.93 plus monthly licensing
V400M VeriFone ENGAGE V400M* | $538.60 + $15 wireless fee | N/A | N/A

* Wireless Fee is applicable even if not using the wireless feature.

TouchNet is the University’s preferred gateway. This service is centrally funded and provided to University departments. Departments are encouraged to contract with TouchNet Ready Partners, develop landing pages internally, or use Event Registration.
TouchNet Contact Information
Issue | Contact Name | Contact Email | Contact Phone Number
Deposits | Kim Orr | kimorr@email.unc.edu | 919-962-5846
Technical Issues | Cynthia O’Daniel | odaniel@email.unc.edu | 919-843-2089
General Merchant Questions | Brooke O’Neal | brooke_oneal@unc.edu | 919-843-0420

TouchNet Exemption Request

To request an exemption, under the signature of the Dean, Director, or Department Head, submit a letter to certifi@unc.edu detailing the business necessity.

Current Self Assessment Questionnaire (SAQ) Preparers
Contact Name | Department Name
Suzanne Rucker | Ackland Art Museum
Keilayn Skutvik | Ackland Art Museum Store
Allison Legge | Admissions
Renee Ellis | Applied Physical Sciences
Stratos Pagiavlas | Athletic Ticket Office
Atephen Boyd/Tom Livers | Athletics Business Office
Craig Hyatt | Auxiliary Services
Kimberly McCown | Campus Health Services
Will Rickman | Campus Recreation
Jana Jackson / Idalis Payne | Carolina Performing Arts
Destiny Lee | Carolina Public Humanities
Laura Yurco | Chemistry
Elsabet Fisseha | College of Arts and Sciences – Music
Shavon Carey | College of Arts and Sciences – Romance Studies
Missy Wood | Computer Science
Sandra (Sandy) Staley | Department of Philosophy
Patricia Harris/Leah Cox | Diversity and Inclusion
Kimberly Campbell | Earth Marine Environment
Robin Samuels | English and Comp Literature
Matt Rivenbark | Eshelman School of Pharmacy
Kelly Hair | Exercise and Sport Science
Robert Costa | Finley Golf Course
Amy Crume | Frank Porter Graham Child Development Institute
David Elkin | Friday Center
Tiffany Farina | Gillings School of Global Public Health
Neil Batson | Highway Safety Research
Karen Edwards | Human Resources – Benefits and Leave Administration
Joe Canady | Kenan-Flagler Business School
Richard Watt | Morehead Planetarium and Science Center
Lisa Hicks | North Carolina Botanical Garden
Michael Mackin | Nutrition Research Institute
Beth Mellott | Office of New Student & Carolina Parent Programs
Melinda Bakken | One Card Office
Paige Tingen | Physics and Astronomy
Thomas Porter (Box Office Manager)/Rob Noel (IT) | Playmakers Theater
Chase Debnam | Psychology and Neuroscience
Kristi Andrews | Renaissance Computing Inst
David Rankin | School of Dentistry
Deedra Donley / Carol Bailey | School of Dentistry – Continuing Education
JC Underwood | School of Dentistry – Craniofacial and Surgical Care
Karren Crawford | School of Education
Lauren Partin | School of Government
Michelle Taylor | School of Information and Library Science
Eric Helms | School of Law
Mark Richardson | School of Media and Journalism
Valerie Tan | School of Medicine
Amy Burdette/Cynthia Fain/Taylor McDaniel | School of Nursing
John Anderson | School of Social Work
Christine Keat | Statistics and Operations Res
Bonita Brown/Amber Ali/Victoria Boykin | Student Affairs Carolina Union
Beth Mellott | Student Housing and Residential Education
Beverly Wyrick | The Graduate School
Ross Babinec | The Odom Institute
Laurie Trumbo | Transportation and Parking
JT Walker | UNC Police
Teresa Holt/Roderick Lewis/Amanda Savas | University Career Services
Kristy Nash | University Cashier
Lisa Avinger/Mark Ingram | University Development
Ellen Bowman/Dan Comeskey | University Library
Kimberly Denise Johnson | Vice Chancellor for Research – Commercialization and Economic Development
Mitch Spence | Vice Chancellor for Research
Daniel McNeal | World View

CERTIFI will not approve Stripe, PayPal, Venmo, or other software that has the following characteristics:

  1. An employee has to provide their personal information to set up the account.
  2. The software serves as the payment gateway and processor. The State of North Carolina has a contract with Fiserv to serve as the University’s processor. The use of any other processor requires an exemption from the State. In addition, the University’s preferred gateway is TouchNet.
  3. The software does not allow University Counsel to insert the appropriate PCI terms and conditions into the contract.

Per the Information Technology Acceptable Use Policy, the University strictly prohibits the use of the University network by third parties, or by any other party, to process payment card/credit card transactions.

Please note especially:

UNC Guest WiFi Acceptable Use Policy and Terms and Conditions

The University of North Carolina at Chapel Hill (“UNC”) offers you use of its guest WiFi wireless Internet service (the “Service”) according to UNC’s Acceptable Use Policy and this WiFi Wireless Network Acceptable Use Policy (the “Policy”) as a free, non-public service to its visitors for the duration of their visit. All users of this Service must agree to the terms of this Policy by clicking the ACCEPT button or signing before use. UNC does not guarantee the Service or specific rates of speed. UNC also has no control over information obtained through the Internet and cannot be held responsible for its content or accuracy. Use of the Service is subject to the user’s own risk. UNC reserves the right to remove, block, filter, or restrict by any other means any material that, in our sole discretion, may be illegal, may subject us to liability, or may violate this Policy. UNC may cooperate with legal authorities and/or third parties in the investigation of any suspected or alleged crime or civil wrong. Violations of this Policy may result in the suspension or termination of access to the Service or other resources, or other actions as detailed below.

Responsibilities of Service Users

Users are responsible for the security of their devices, including ensuring they are running up-to-date anti-virus software on their wireless devices. Users must be aware that, as they connect their devices to the Internet through the Service, they expose their devices to: worms, viruses, Trojan horses, denial-of-service attacks, intrusions, packet-sniffing, and other abuses by third-parties. Users must respect all copyrights. Downloading or sharing copyrighted materials is strictly prohibited. The running of programs, services, systems, processes, or servers by a single user or group of users that may substantially degrade network performance or accessibility will not be allowed. Electronic chain letters and mail bombs are prohibited. Connecting to “Peer to Peer” file sharing networks or downloading large files, such as CD ISO images, is also prohibited. Accessing another person’s computer, computer account, files, or data without permission is prohibited. Attempting to circumvent or subvert system or network security measures is prohibited. Creating or running programs that are designed to identify security loopholes, to decrypt intentionally secured data, or to gain unauthorized access to any system is prohibited. Using any means to decode or otherwise obtain restricted passwords or access control information is prohibited. Forging the identity of a user or machine in an electronic communication is prohibited. Saturating network or computer resources to the exclusion of another’s use, for example, by overloading the network with traffic such as emails or legitimate (file backup or archive) or malicious (denial of service attack) activity, is prohibited. Users understand that wireless Internet access is inherently not secure, and users should adopt appropriate security measures when using the Service.

Merchant accounts can accept the following payment brands upon CERTIFI approval: Discover, Mastercard, and Visa. American Express (Amex) is not generally available for the following reasons:

  1. Departments do not process enough transactions to warrant the additional administrative burden of accepting Amex.
  2. Amex processes on a 1-day deposit lag in comparison to other card brands. They process through Amex’s system and are passed through Fiserv. In the past, this caused reconciliation problems for the University due to departmental inattentiveness to this difference.
  3. Amex has a separate merchant account number and must be applied for through The Office of State Controller.
  4. Amex bills the departments directly. There were issues, in the past, with merchants not paying the bills promptly. This resulted in late fees for the University.

CERTIFI will review requests to accept Amex on a case-by-case basis. Departments that do not accept Amex can ask payers to send a wire to the University or use a different payment method.

As a new or existing merchant you are inherently accepting responsibility for the security of consumer cardholder data.

What is the Payment Card Industry Security Standards Council?
Founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa, the Payment Card Industry Security Standards Council (PCI SSC) provides guidelines to protect cardholder data. The industry standard for maintaining security (Payment Card Industry Data Security Standards – PCI DSS) is communicated via six goals. By completing this form, you are attesting adherence to these goals.

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

The University created the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) Committee to direct, manage, maintain, and ensure merchants’ compliance with these goals.

What is the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) Committee?
The CERTIFI Committee is the clearinghouse for all compliance issues related to University credit card security. This cross-departmental Committee monitors PCI regulatory statutes and contractual obligations on behalf of campus merchants. The Committee is sponsored in partnership by Finance and Information Technology Security. CERTIFI is not responsible for student organizations.
What is the Merchant Services Office?
The Merchant Services Office provides support to CERTIFI and University merchants. The PCI Compliance Manager directs the University’s compliance efforts while the Merchant Services Manager monitors merchants’ daily activity.
How do departments become merchants?
Becoming a merchant is a multi-step process and relies heavily on each department. Applications are reviewed by a CERTIFI subcommittee within two weeks of receipt. Once an application has met CERTIFI’s approval criteria, an approval memo is issued, and a second application is submitted to the Office of State Controller and the University’s processing bank, Fiserv. This process requires an additional 10 business days. Note: submission of an application does not imply approval.
How does a department accept payments – in-person, via telephone or via fax?
Accepting in-person payments, telephone payments and fax payments requires use of a point-of-sale (POS) terminal. Typically, unless a vendor specific solution is involved, POS terminals are ordered through the State’s contract with Fiserv.
How does a department accept online payments?
The University’s online payment gateway is TouchNet. Departments have the option of creating a website, utilizing Event Registration, or selecting a TouchNet Ready Partner to interface with TouchNet.

CERTIFI, in some cases, will approve vendors requiring a payment gateway other than TouchNet. However, there must be a demonstrated business need. To use a gateway other than TouchNet requires the submission of an exemption request. The department must submit a letter detailing the business need, the desired gateway, and provide a current Attestation of Compliance (AOC).

It is important to note: University employees are prohibited from entering payment card information into University-owned devices, with the exception of point-of-sale terminals.

What is the process for vetting an outside vendor for payment services?
There are a number of technical, security, and contractual issues to address when vetting outside vendors. It is best practice to include CERTIFI from the beginning.
What are the department’s responsibilities as a merchant?
PCI compliance is an ongoing and evolving endeavor. Below is a list of some of the merchant department’s responsibilities:

  • Daily deposits, as mandated by the State of North Carolina, must be submitted unless an exemption has been obtained
  • Submission of an updated Merchant Agreement and Renewal (MAR) document whenever changes are made or at least annually
  • Completion of an annual Self-Assessment Questionnaire (SAQ) attesting to compliance (AOC) with PCI DSS
  • Confirmation that staff have completed their annual PCI and ITS Security training
  • Maintenance of an updated department Policy and Procedure manual for staff to review and reference
  • Assurance that point-of-sale credit card number transmissions occur only across analog phone lines, cellular terminals, or PCI validated Point-to-Point Encrypted devices

PCI DSS Compliance is critical to safeguarding your customers’ payment card information. If you have any questions, email CERTIFI at certifi@unc.edu.

Analog Phone Line
Analog electrical signal; A compliant method for transmitting cardholder data
Attestation of Compliance
AOC; Declaration of a merchant’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS); Typically signed by a Qualified Security Assessor
Cardholder Data
Full magnetic stripe or the primary account number including cardholder name, expiration date, and service code
CDE
Cardholder Data Environment, for IP-connected devices that process credit cards, and devices that affect the security of said devices
Chip
EMV Chip located on the front of most credit cards
ClientLine
Fiserv’s merchant transaction reporting tool
Fiserv
Acquirer; University’s processor and merchant bank
Gateway
Service provider responsible for communicating payment information from the front end software to the acquiring bank
Merchant Identification
MID; Merchant Account Number assigned by Fiserv
Payment Card Industry
PCI; Payment card data security standard
Point-of-Sale Terminal
POS; Credit card machine used to accept credit card payments
Qualified Security Assessor
QSA; A company approved by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS requirements.
Qualys Scans
Identity Finder; Scanning tool used to locate sensitive data; devices should be scanned quarterly using this tool
Self-Assessment Questionnaire
SAQ; Form completed annually by merchants to attest to compliance
Service Provider
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access – such as a telecommunications company providing just the communication link – the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
Front-end Software
Software; program used to collect data or communicate a set amount of information; Software if virtual
Validated Point-to-Point Encryption
Validated P2PE; The only encryption devices qualified to complete a SAQ P2PE
Voice Over Internet Protocol (VOIP)
A non-compliant method of transmitting cardholder data at the University

For more definitions, see the official PCI SSC Glossary.
