Memorandum

PCI compliance is essential and mandatory.  The university is at risk for hundreds of thousands to millions of dollars in fines if we have a breach or a non-compliant event.  In addition to the fines, remediation of a breach or non-compliant event can be much larger than the fines depending on the number of credit cards involved.  The costs of non-compliance are substantive.

Due to this elevated risk and the new external regulated financial standards associated with accepting payment cards/credit cards, each Dean or Division Head (or their approved delegate) must positively affirm the following:

• The college’s or division’s primary owner for each merchant account.  This merchant account owner is the primary contact for that specific merchant account and is responsible for PCI compliance related to that merchant account including but not limited to completing the annual PCI SAQ (self assessment questionnaire).  Note: Colleges or divisions typically have many merchant accounts.  Each specific merchant account must have an identified owner.
• Identify the business manager (normally an Assistant Dean of Finance or a similar position) who will be the key PCI leader for the college or division.  Accepting credit cards is a financial transaction just as accepting cash or checks is a financial transaction.  Transaction processing on campus is managed and led by business managers in the colleges and divisions.  The business manager identified as the key PCI leader for the college or division is responsible for and will insure that the merchant account owners are fulfilling their responsibilities.  Further, the business manager must fully understand PCI requirements and procedures.
• Identify the key employee who will provide technical assistance for each merchant account at the college or division.

The University Controller’s Office will be contacting each Dean or Division Head (or their approved delegate) in the next month for the positive affirmations and or changes to the three items above as well as any other items required for PCI compliance.  A current list of active merchant accounts along with the related department, college and division contacts for each merchant account will also be provided to each Dean or Division Head by the Controller’s Office.

All websites within the NC State set of web domains that collect payments must be authorized by the Merchant Services unit within the Controller’s Office and be in compliance of PCI standards with approval from OIT’s Security and Compliance Unit.  Further, all NC State units accepting payment cards or credit cards must be approved by the Merchant Services unit within the Controller’s Office.  Unauthorized websites or unauthorized acceptances of payment cards or credit cards are explicitly disallowed.  NC State reserves the right to take whatever action is required to assure PCI compliance including but not limited to shutting down the website, confiscation of funds, etc.

The existing Merchant Services mailing list will be expanded to include the personnel identified above by Deans or Division Heads and will be used to further disseminate payment card/credit card information to merchant account owners, technical employees working on merchant accounts, business managers responsible for PCI and any other interested stakeholders.

If you have any questions, please contact Amanda Richardson, Merchant Services Manager in the Controller’s Office, at 513-4464 or aarichar@ncsu.edu .

cc: Steve Keto, Associate Vice Chancellor for Finance and Resource Management

Charles Cansler, University Controller

Mardecia Bell, Director, Security and Compliance

Susan West, Director, Technology Support Services

Campus IT Directors