Before Getting Started

 

Accepting payment (credit/debit) cards is convenient for both customers and departments. Merchant Services will assist you with all aspects of card acceptance. Before deciding to accept payment cards, be prepared to follow policies and procedures that will ensure:

  • Financial Integrity: Revenue and expenses are properly recorded and accounted for
  • Security & Risk: The method of card acceptance is secure and does not put undue risk on the university or its constituents
  • Compliance: The method of card acceptance is compliant with the PCI DSS (Payment Card Industry Data Security Standard)

There are multiple ways to accept payment cards. Which method(s) to use depends on the business purpose/event and how your customers will interact with you.

  • Will your customers present their payment cards in-person, over the phone, via US mail, or online?
  • Are you selling goods or services, or registering attendees for a conference/event?
  • Is this a one-time or ongoing need to accept payment cards?

To comply with NC State policy on the acceptance of credit cards, there must be a PCI steward, a signed merchant agreement, and a current PCI self-assessment questionnaire (SAQ) on file, regardless of the method(s) used.

Any request made through Merchant Services will need time for processing and implementation; the time required will vary based on the method selected.

You can review the allowable methods below or download the information.

Overview: Why the process method matters

A Unit that accepts payment cards (credit or debit cards) is defined as a Merchant and must comply with the NC State Merchant Services Policy and all the applicable Payment Card Industry Data Security Standard (PCI DSS) requirements. All people, processes, systems, solutions, devices, and applications that are involved in processing payment cards are included in the scope of what needs to be compliant.

Compliance is easier and less costly to achieve and maintain when the processing method chosen is one which meets the business needs with the minimal scope. This approach will also reduce the University’s overall risk and effort to maintain compliance. Furthermore, compliance is evaluated at the University level such that noncompliance by one University location causes the entire University to be noncompliant.

Allowable methods of accepting payment cards

  1. Wired network or phone lines are allowed. Wi-Fi is not allowed.
  2. Centrally Supported Application – HigherOne (CASHNet)
    1. Storefront – Customer transaction and payment page are both hosted on the CASHNet server.
  3. Card Swipe Terminal (Land line)
    1. Stand-alone dial-out swipe device attached to an analog phone line. This is the preferred method when the card is present.
    2. Also appropriate for Merchants that process orders received via US mail, over the phone, or by fax. Note that the fax machine must connect via a dedicated phone line; it cannot be on a network that is connected to the Internet.
  4. Ethernet Card Swipe Terminal (IP-Ethernet)
    1. Must have a properly configured hardware firewall.
    2. Contact Merchant Services for acceptable models.
  5. Card Swipe Terminal (Loaner)
    1. Standard, land-line dial-out swipe device available to Merchants with intermittent, short-term volume. Merchant must provide an analog phone line.
    2. Available on a first-come, first-served basis for a small monthly fee.

Methods not allowed

  1. Wireless (Wi-Fi)
  2. Smartphones, tablets, or any similar digital device.
  3. Any solution in which payment card data is entered by an NC State representative (employee, volunteer, etc.) on behalf of a customer/donor into an NC State-owned device connected to the Internet.
  4. NC State-owned device connected to the Internet that is offered to customers for the purpose of entering their own payment card data (e.g., kiosk).
  5. Any application/solution/service/device that is not specifically validated as being PCI compliant.
  6. Any other application/solution/service/device that has not been approved for general campus use by the NC State Controller’s Office or that is not listed in this document under Allowable Methods.