University issues new regulation for Payment Card Merchant Services

Effective March 1, 2011, the university has issued a new regulation for Payment Card Merchant Services that outlines procedures for campus entities to obtain and manage merchant accounts and to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

Payment cards including credit, debit, prepaid, stored value, gift and chip cards are widely used at the university as compensation for many goods and services.

The North Carolina Office of the State Controller (OSC) is statutorily charged with administering the Statewide Electronic Commerce Program (SECP), which includes merchant payment card services. All university payment card processing will use a merchant account associated with the OSC SECP Master Service Agreement (MSA), unless specific written exemption is given by the Vice Chancellor for Finance and Business and the Vice Chancellor for Information Technology. 

All campus entities that accept payment cards must comply with the PCI DSS program as indicated in the regulation. Failure to meet all requirements outlined in the new Payment Card Merchant Services Regulation will result in the suspension of physical and/or electronic payment capability for participating campus entities. Additionally, the affected payment card company may impose fines, ranging from $50,000 to a maximum of $500,000 for each violation. Any fines or costs incurred by the university, as a result of PCI DSS non-compliance, will be charged to the responsible campus entity. 

Payment card use at the university will be administered and controlled jointly by the University Controller’s Office and the Office of Information Technology Security and Compliance unit. Details regarding this administration can be found on the University Controller’s Office Web site.

For more information, see the Payment Card Merchant Services Regulation Web page.