To: Deans, Directors, and Department Heads

Charles D. Leffler
Vice Chancellor for Finance and Business

Marc Hoit
Vice Chancellor for Information Technology and Chief Information Officer

Subject: Accepting Credit Card Payment over the Internet
Date: June 16, 2014

As more NC State websites accept credit card payments, this growth is complicated by changing and increasingly complex compliance standards issued by the Payment Card Industry (PCI). Recently, this has been emphasized by breaches of security at UNC-Wilmington, Target®, Michaels®, and others. The university must become PCI compliant within the next year or face large fines and/or enforcement actions.

NC State has acquired an eStore solution that the University Controller’s Office is implementing. The new eStore will essentially be NC State’s version of an® or Yahoo® storefront for campus merchants (hereafter “merchants”) and will: 1) bring NC State into compliance with current PCI standards for merchants using the eStore, and 2) provide an easy-to-use, improved business process.

The eStore will streamline current processes for accepting credit card payments over the internet and allow merchants to be quickly up and running “live credit card accepting websites” within one to two weeks. The eStore solution will also allow merchants to more easily manage and grow events, conferences and miscellaneous sales via the internet. After implementation and training, a merchant will have the ability to complete credit card transactions online for allowable tangible and intangible products and services as well as manage products in that merchant’s eStore instantaneously.

Due to PCI compliance requirements, use of the eStore will be required no later than January 1, 2015 for all merchants accepting credit card payments over the internet. Since the eStore is designed for smaller, less complex merchants, please note that larger, more complicated merchants, such as Dining, the Bookstore, Transportation, Ticket Central, Athletics, or Advancement, may apply for an exception and work with the Controller’s Office on a different PCI-compliant solution. However, any exceptions need to be approved as outlined in Procedure Number: GA-CM-MS-10 issued by the Controller’s Office.

Accepting Credit Card Payment over the Internet

June 16, 2014

Page 2

Attached please find this guideline and the associated memorandum from the Controller’s Office. The Controller’s Office will also be in touch with each current merchant’s primary contact person. Please contact Amanda Richardson in the Controller’s Office at 513-4464 or with any questions.

cc: Steve Keto, Associate Vice Chancellor for Finance and Resource Management

Gwen Hazlehurst, Assistant Vice Chancellor for Enterprise Application Services

Charles Cansler, University Controller

Mardecia Bell, Director, Security and Compliance