The University of North Carolina at Charlotte
Credit/Debit Card Processing Regulation
(Supplemental to Policy Statement #102, Data and Information Security)
I. Executive Summary and Purpose
This regulation provides requirements and guidance for all credit and debit card processing activities for UNC Charlotte.
At the initial publication of this regulation the following sources were consulted and provide the basis for this program: ISO 17799 and Visa CISP.
This regulation deals with access to UNC Charlotte’s computing and network resources. All relevant provisions included in Policy Statements #10, #66, and #102 are applicable and included by reference in this document. This regulation replaces and supersedes all other campus policies and procedures for all issues within the scope of this regulation.
II. Scope
This regulation applies to:
A. All academic and administrative units, organizations, affiliates, and employees of UNC Charlotte who accept credit/debit card payments for University business.
B. All external organizations contracted by the parties described in II. A., above, to provide outsourced services for Credit/Debit Card Processing for University business.
C. All academic and administrative units, organizations, affiliates, and employees of UNC Charlotte who provide Credit/Debit Card Processing services for third parties.
III. Definitions
Account Number: The unique number identifying the cardholder’s account which is used in financial transactions.
Application Server: The computer hosting the application with which the general end-user or the point-of-sale (POS) terminal connects.
Cardholder Data: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc.
Cardholder Information Security Program (CISP): CISP defines a standard of due care for securing Visa cardholder data, wherever it is located. CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data.
Credit/Debit Card Processing: Act of storing, processing, or transmitting credit/debit cardholder data.
Credit Card Number: Any part or all of the unique number identifying the account for a financial transaction.
Database Servers: The computer storing the sales and/or credit card numbers.
e-Commerce Application: Any internet-enabled financial transaction application, whether a buying application or selling application.
Employee: Any employee (as defined by the Employee Handbook): faculty, student employee, or contractor employed by a third party and providing services to UNC Charlotte.
Encryption: Scrambling data in a recoverable format.
ISO 17799: The International Standards Organization document defining computer security standards.
POS Device: Point-of-sale (POS) computer or credit card terminals either running as standalone systems or connecting to a server either at UNC Charlotte or at a remote off-site location.
Sensitive Cardholder Data: This is defined as the account number, expiration date, CVC2/CVV2 (a three-digit number imprinted on the signature panel of the card), and data stored on track 1 and track 2 of the magnetic stripe of the card.
Swipe Terminal: POS credit card terminals.
Web Development: The design, development, implementation and management of the user interface of the e-Commerce application.
IV. Regulation
A. The approval process for all Credit/Debit Card Processing activities will be as follows:
1. The VCBA or delegate(s) must approve all Credit/Debit Card Processing activities at UNC Charlotte before a unit enters into any contracts or purchases software and/or equipment. This requirement applies regardless of the transaction method used (e.g. e-commerce, POS device, or e-commerce outsourced to a third party). Approved units must register their Credit/Debit Card Processing information with the Business Affairs Division.
2. All technology implementation (including approval of authorized payment gateways) associated with the Credit/Debit Card Processing must be in accordance with the Credit Card Processing Procedures and approved by the VCBA, CIO or delegate(s) prior to entering into any contracts or purchasing of software and/or equipment.
3. Sensitive cardholder data may not be stored on any UNC Charlotte computer device or network. Any exceptions to this must be in writing and signed by both the VCBA and CIO. Anyone who is granted an exception must contact ITS Information Security for assistance with interpretation and implementation.
B. Units approved for Credit/Debit Card Processing activities must maintain the following standards:
1. All employees (business managers, operations personnel, and technical staff) involved in e-Commerce or POS transactions must attend appropriate training.
2. All employees (business managers, operations personnel, and technical staff) involved in e-Commerce or POS transactions must have appropriate background checks, as determined in accordance with PCI standards and University policies.
3. All units must create, maintain and test annually, business continuity and disaster recovery plans as well as incident response capabilities.
4. All servers and POS Devices must be administered in accordance with the requirements of the Credit/Debit Card Processing Procedures.
5. Access to Credit/Debit Card Processing systems and related information must be restricted to personnel who are trained and certified to do so in accordance with University policies and procedures.
6. All outsourcing agreements must meet the standards set forth in the Credit/Debit Card Processing Procedures.
7. All servers that have been granted an exception to store credit card numbers, or that process or link to a server that handles Credit Card Numbers, will be located with Information and Technology Services. All servers and POS Terminals will be administered in accordance with the requirements of the Credit/Debit Card Processing Procedures.
8. If Sensitive Cardholder Data has to be electronically retained and proper exceptions have been granted, it may only be held for a maximum of 90 days. All electronically retained Credit Card Numbers must be stored in an Encrypted format and in a physically secure location in accordance with the Credit/Debit Card Processing Procedures. All electronic media used for storing Credit Card Numbers must be destroyed when retired from this use.
9. If Credit Card Numbers have to be physically retained, they may only be held in accordance with University Policy #37. All physically retained Credit Card Numbers must be stored in a physically secure location in accordance with the Credit/Debit Card Processing Procedures. All media used for storing Credit Card Numbers must be destroyed when retired from this use. All hardcopy must be shredded by at least a cross-cut shredder prior to disposal.
10. Access to Credit Card Numbers must be restricted to the minimum number of people possible. No employee may have access to Credit Card Numbers until he or she has attended the Credit/Debit Card Processing Regulation training, has completed a background check, and has tendered written acknowledgement of receipt of a copy of this regulation, the Credit/Debit Card Processing Procedures, and other appropriate policies (e.g., Policy Statements #66, #10, #102 and service and unit level security regulation). After completion of these requirements, the unit head may issue, in writing, authorization for the employee's access. No employee will have access to Credit Card Numbers without such written authorization.
11. Each unit responsible for Credit/Debit Card Processing must complete a self-assessment annually on all systems processing cardholder data to ensure compliance with this regulation and the associated procedures. The University IT Information Security Officer and the Business Affairs Office will, at the request of the unit, assist in the initial self-assessment. Audits will be performed periodically by the Internal Auditing Division to confirm the results of the self-assessments. On a quarterly basis, the ITS Information Security department will conduct a vulnerability assessment on machines involved in the processing of credit/debit cards.
C. On a regular basis, the University IT Information Security Officer, Business Affairs Office and Internal Auditing Department will provide appropriate training to all employees associated with Credit/Debit Card Processing.
V. Procedures
The Credit/Debit Card Processing Procedures document provides details for implementation of this regulation. This separate document carries the full force of this regulation. This separation allows for easier modifications to the procedures due to the changing nature of business, technology and security.
VI. Revisions and Exceptions
This regulation may be revised only with the approval of the VCBA of UNC Charlotte. The VCBA and the CIO may grant exceptions to this regulation or revise the Credit/Debit Card Processing Procedures document by mutual agreement.
VII. Compliance
Failure to comply with this regulation and the associated required procedures will be deemed a violation and subject to disciplinary action under appropriate University disciplinary procedures (Policy Statement #25: Violation of University Policy).
Technology that does not comply with this regulation and the associated required procedures is subject to immediate disconnection from the University’s network.
VIII. Communication
Upon approval, this regulation shall be published on the appropriate UNC Charlotte web site(s). The following offices and individuals shall be notified in writing with any subsequent revisions or amendments made to this regulation:
• Vice Chancellors
• Associate Provosts
• Deans, Directors and Department Heads