Payment Card Industry (PCI) compliance is essential and mandatory for NC State. The costs of non-compliance for the university are substantial and can result in:
- millions of dollars in fines if the university has a breach or a non-compliant event.
- remediation costs for a breach or non-compliant event, which can be higher than the fines, depending on the number of credit cards involved.
Due to this elevated risk and the new external regulated financial standards associated with accepting payment cards/credit cards, each college dean or division head (or their approved delegate) must positively affirm the following:
- The college’s or division’s primary owner for each merchant account.
- The business manager who will be the key PCI leader for the college or division and who will ensure that the merchant account owners are fulfilling their responsibilities.
- The key employee who will provide technical assistance for each merchant account in the college or division.
The University Controller’s Office will be contacting each dean or division head (or their approved delegate) in the next month for the positive affirmations and for any other items required for PCI compliance.
All NC State units accepting payment cards or credit cards must be approved by the Merchant Services unit within the Controller’s Office. Unauthorized websites or unauthorized acceptances of payment cards or credit cards are explicitly disallowed.
All websites within the NC State set of Web domains that collect payments must be authorized by Merchant Services and be in compliance with PCI standards, with approval from OIT Security and Compliance.
NC State reserves the right to take appropriate action to ensure PCI compliance, including but not limited to shutting down a website and confiscating funds.