Merchant Services supports the acceptance of credit cards in a compliant manner as payment for goods and services, to improve customer service, to bring efficiencies to UNC-Chapel Hill’s cash management process, and to increase volume of certain types of transactions. These activities are all performed under the guidance of Payment Card Industry Data Security Standards (PCI DSS), University policies and procedures, and state/federal law.
Protecting the privacy and personal data of our customers is very important. The University of North Carolina at Chapel Hill has taken numerous steps to protect the personal information of those who transact business with us. Personal information that you provide to us is not used, shared or sold to third parties except to the extent required by law. NO credit cardholder or bank account data is processed, transmitted or stored on our website, but rather is collected, transmitted and processed by a Payment Card Industry (PCI) compliant third party service provider.
Merchant Services Manager
(Compliant Electronic Receipt Transactions through Innovation and Financial Integrity)
In order to implement and manage the directives of the Payment Card Industry Security Standards Council, NACHA and the electronic commerce requirements set forth by the North Carolina Office of the State Controller and North Carolina State legislature, the University has established the CERTIFI (Compliant Electronic Receipt Transactions through Innovation and Financial Integrity) Committee.
- 308.1 – Establishing a New Credit Card Merchant Account
- 308.2 – Changing an Existing Credit Card Merchant Account
- 308.3 – Disposal of Point-of-Sale Terminals
- 308.4 – Reconciliation, Refunds, Chargebacks and Transaction Posting
- 308.5 – Assuming Credit Card Merchant Account Cost and Fiscal Responsibility
- 308.6 – Truncation and Retention of Cardholder Account Numbers
- 308.7 – The University’s Payment Gateway
Self Assessment Questionnaires
Several self-assessment questionnaires (SAQs) can be found at the PCI Security Standards Council’s Document Library.
- Select SAQ A if the department accepts online payments.
- Select SAQ B if the department uses an analog or cellular terminal.
- Select SAQ P2PE if the department utilizes Point-to-Point Encrypted technology.
Email email@example.com with questions.
Setup and Maintenance of Merchant Card Accounts
Departments interested in establishing a merchant card account should send an email to firstname.lastname@example.org requesting a meeting so that we can discuss the business need and provide guidance on next steps.
Reporting of Abuse, Misuse or Incidents
POS Terminal Skimmers
Incidents involving cardholder data should be reported to ITS by calling the Help Desk at 919-962-HELP.
First Data Contact Numbers
|ClientLine Login Issues||800-285-3978 (option 3)|
|Terminal Supplies||800-654-8819 (follow prompts)|
|Chargebacks||800-654-8819 (follow prompts)|
MSA Exemption Request
To request an exemption, under the signature of the Dean, Director, or Department Head, submit a letter to email@example.com detailing the business necessity. Within six months, the North Carolina Office of the State Controller, The University of North Carolina System, and the North Carolina Department of State Treasurer will issue a determination.
TouchNet Contact Information
|Issue||Contact Name||Contact Email||Contact Phone Number|
|Technical Issues||Lon Thomas||firstname.lastname@example.org||919-445-9319|
|General Merchant Questions||Brooke O’Neal||email@firstname.com||919-843-0420|
TouchNet Exemption Request
To request an exemption, under the signature of the Dean, Director, or Department Head, submit a letter to firstname.lastname@example.org detailing the business necessity.
Schedule of Fees
Merchant Card Processing Services
State of North Carolina and Suntrust Merchant Services
Contract Number 14-008474
Effective February 1, 2015
Interchange & Assessment Fees “Pass Through Cost”
Visa and MasterCard interchange fees are pass-through. These fees are based upon the clearing of Visa and MasterCard transactions submitted by Customer. All Bankcard transactions will be subject to the applicable Visa and MasterCard interchange fees and assessments in effect. The interchange fees, assessments and qualifying criteria set forth in “Visa and MasterCard’s Interchange Qualification Data Requirements” Non-Qualified Interchange will be passed through to the Client.
- Visa and MasterCard Assessments Fees – “Pass through Cost”
- Debit Network Charges for Debit Cards – “Pass through Cost”
|Processing Fee All Card Types “Vendor Levied Cost”||Unit Cost|
|Visa/MasterCard||$0.0185 per transaction|
|American Express/Discover||$0.0185 per transaction|
|Debit||$0.0185 per transaction|
|Additional Services “Vendor Levied Cost”||Unit Cost|
|PayPoint Gateway Fees for Card Transactions||$.08|
|PayPoint Gateway Fees for ACH Transactions||$.10|
|AVS (Address Verification Service)||$0.02|
|Supplies: (Shipping costs passed through)||No charge|
|Reporting, Client Line, Hard Copy||No Charge|
|Voice Authorizing and VRU Authorization||$0.25|
|On-site PayPoint Training||$2,000|
|Payment email notification||$.01|
|Global Gateway e4||$.0175|
|Hosted recurring payments||$.05|
Point of Sale Terminals Available Under STMS Contract
Effective February 1, 2015
A PIN pad is required for all debit transactions
|Terminal||Model||Purchase Fee||Monthly Rental Fee||Monthly Lease Fee (all leases are for a 48 month period only; a lease agreement must be signed)|
|FD 130 Duo WiFi Terminal & FD 35 Pin Pad||First Data FD130 Duo*||$649||$44.94||$34.94|
|FD 130 WiFi Terminal||First Data FD130*||$499||$34.94||$29.94|
|FD 200 WiFi Terminal||First Data FD200||$549||$32.94||$25.94|
|FD 300 WiFi Terminal||First Data FD300||$549||$32.94||$25.94|
|FD 400GT CDMA Terminal||First Data FD400*||$739 + $15 cellular fee||$34.94 + $15 cellular fee||$29.94 + $15 cellular fee|
|FD 35 Pin Pad with Countertop Stand||First Data FD35*||$224||$14.94||$9.94|
|FD 410 Terminal||First Data FD410*||$729 + $15 cellular fee||$54.94 + $15 cellular fee||$49.94 + $15 cellular fee|
|Vx520 Terminal||Verifone Vx520||$499||$34.94||$29.94|
|Clover with or without Cash Drawer||Clover Station||$824 / $774 + $29.95 monthly licensing||$99 / $99 + $29.95 monthly licensing||$79 / $79 + $29.95 monthly licensing|
|Clover Mini||Clover Mini||$649 + $29.95 monthly licensing||n/a||$30.93 + $29.95 monthly licensing|
|Clover Mini w/ Keypad||Clover Mini||$699 + $29.95 monthly licensing||n/a||$32.93 + $29.95 monthly licensing|
|Clover Mobile Go||Clover Go||$29.95 + $4.95 monthly fee||n/a||n/a|
* indicates EMV capability
As a new or existing merchant you are inherently accepting responsibility for the security of consumer cardholder data.
Frequently Asked Questions
- What is the Payment Card Industry Security Standards Council?
- Founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa, the Payment Card Industry Security Standards Council (PCI SSC) provides guidelines to protect cardholder data. The industry standard for maintaining security (Payment Card Industry Data Security Standards – PCI DSS) is communicated via six goals. By completing this form, you are attesting adherence to these goals.
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The University created the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) Committee to direct, manage, maintain, and ensure merchants’ compliance with these goals.
- What is the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) Committee?
- The CERTIFI Committee is the clearinghouse for all compliance issues related to University credit card security. This cross-departmental Committee monitors PCI regulatory statutes and contractual obligations on behalf of campus merchants. The Committee is sponsored in partnership by Finance and Information Technology Security. CERTIFI is not responsible for student organizations.
- What is the Merchant Services Office?
- The Merchant Services Office provides support to CERTIFI and University merchants. The PCI Compliance Manager directs the University’s compliance efforts while the Merchant Services Manager monitors merchants’ daily activity.
- How do departments become merchants?
- Becoming a merchant is a multi-step process and relies heavily on each department. Applications are reviewed by a CERTIFI subcommittee within two weeks of receipt. Once an application has met CERTIFI’s approval criteria, an approval memo is issued, and a second application is submitted to the Office of State Controller and the University’s processing bank, FirstData. This process requires an additional 10 business days. Note: submission of an application does not imply approval.
- How does a department accept payments – in-person, via telephone or via fax?
- Accepting in-person payments, telephone payments and fax payments requires use of a point-of-sale (POS) terminal. Typically, unless a vendor specific solution is involved, POS terminals are ordered through the State’s contract with FirstData.
- How does a department accept online payments?
- The University’s online payment gateway is TouchNet. Departments have the option of creating a website, utilizing Event Registration, or selecting a TouchNet Ready Partner to interface with TouchNet.
CERTIFI, in some cases, will approve vendors requiring a payment gateway other than TouchNet. However, there must be a demonstrated business need. To use a gateway other than TouchNet requires the submission of an exemption request. The department must submit a letter detailing the business need, the desired gateway, and provide a current Attestation of Compliance (AOC).
It is important to note that University employees are prohibited from entering payment card information into University-owned devices, with the exception of point-of-sale terminals.
- What is the process for vetting an outside vendor for payment services?
- There are a number of technical, security, and contractual issues to address when vetting outside vendors. It is best practice to include CERTIFI from the beginning.
- What are the department’s responsibilities as a merchant?
- PCI compliance is an ongoing and evolving endeavor. Below is a list of some of the merchant department’s responsibilities:
- Daily deposits, as mandated by the State of North Carolina, must be submitted unless an exemption has been obtained
- Submission of an updated Merchant Agreement and Renewal (MAR) document whenever changes are made or at least annually
- Completion of an annual Self-Assessment Questionnaire (SAQ) attesting to compliance (AOC) with PCI DSS
- Confirmation that staff have completed their annual PCI and ITS Security training
- Maintenance of an updated department Policy and Procedure manual for staff to review and reference
- Assurance that point-of-sale credit card number transmissions occur only across analog phone lines, cellular terminals, or PCI validated Point-to-Point Encrypted devices
PCI DSS Compliance is critical to safeguarding your customers’ payment card information. If you have any questions, email CERTIFI at email@example.com.
- Analog Phone Line
- Analog electrical signal; A compliant method for transmitting cardholder data
- Attestation of Compliance
- AOC; Declaration of a merchant’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS); Typically signed by a Qualified Security Assessor
- Cardholder Data
- Full magnetic stripe or the primary account number including cardholder name, expiration date, and service code
- Cardholder Data Environment, for IP-connected devices that process credit cards, and devices that affect the security of said devices
- EMV Chip located on the front of most credit cards
- FirstData’s merchant transaction reporting tool
- First Data
- Acquirer; University’s processor and merchant bank
- Service provider responsible for communicating payment information from the front end software to the acquiring bank
- Merchant Identification
- MID; Merchant Account Number assigned by FirstData
- Payment Card Industry
- PCI; Payment card data security standard
- Point-of-Sale Terminal
- POS; Credit card machine used to accept credit card payments
- Qualified Security Assessor
- QSA; A company approved by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS
- Qualys Scans
- Identity Finder; Scanning tool used to locate sensitive data; devices should be scanned quarterly using this tool
- Self-Assessment Questionnaire
- SAQ; Form completed annually by merchants to attest to compliance
- Service Provider
- Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access – such as a telecommunications company providing just the communication link – the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
- Front-end Software
- Software; program used to collect data or communicate a set amount of information; Software if virtual
- Validated Point-to-Point Encryption
- Validated P2PE; The only encryption devices qualified to complete a SAQ P2PE
- Voice Over Internet Protocol (VOIP)
- A non-compliant method of transmitting cardholder data at the University
For more definitions, see the official PCI SSC Glossary.