Merchant Services

TouchNet Contact Information

Issue	Contact Name	Contact Email	Contact Phone Number
Deposits	Kim Orr	[email protected]	919-962-5846
Technical Issues	Cynthia O’Daniel	[email protected]	919-843-2089
General Merchant Questions	Brooke O’Neal	[email protected]	919-843-0420

TouchNet Exemption Request

To request an exemption, under the signature of the Dean, Director, or Department Head, submit a letter to [email protected] detailing the business necessity.

Current Self Assessment Questionnaire (SAQ) Preparers

Contact Name	Department Name
David Elkin	Ackland Art Museum
Keilayn Skutvik	Ackland Art Museum Store
Allison Legge	Admissions
Renee Ellis	Applied Physical Sciences
Stratos Pagiavlas	Athletic Ticket Office
Stavonna Petty	Athletics Business Office
Craig Hyatt	Auxiliary Services
Kimberly McCown	Campus Health Services
Lauren Mangili	Campus Recreation
Mya Nguyen	Carolina Performing Arts
Shagufta Hakeem	Carolina Public Humanities
Laura Yurco	Chemistry
Elsabet Fisseha	College of Arts and Sciences – Music
Lola Tasar	College of Arts and Sciences – Romance Studies
Krisha Ellis	Computer Science
Sandra (Sandy) Staley	Department of Philosophy
Patricia Harris	Diversity and Inclusion
Deanna Good	Earth Marine Environment
Robin Samuels	English and Comp Literature
Matt Rivenbark	Eshelman School of Pharmacy
Kelly Hair	Exercise and Sport Science
Robert Costa	Finley Golf Course
Amy Crume	Frank Porter Graham Child Development Institute
Tyler Ritter	Friday Center
Tiffany Farina	Gillings School of Global Public Health
Beverly Wyrick	The Graduate School
Jonathan Weisenfeld	Highway Safety Research
Brandi Flikinger	Human Resources – Benefits and Leave Administration
Shannon Taylor	Kenan-Flagler Business School
Richard Watt	Morehead Planetarium and Science Center
Beth Mellott	Office of New Student & Carolina Parent Programs
Lisa Hicks	North Carolina Botanical Garden
Leslie Heal	Nutrition Research Institute
Leslie Heal	The Odom Institute
Melinda Bakken	One Card Office
Paige Tingen	Physics and Astronomy
Thomas Porter (Box Office Manager)/Rob Noel (IT)	Playmakers Theater
Chase Debnam	Psychology and Neuroscience
Kristi Andrews	Renaissance Computing Inst
Lewis Hiett / Amanda Taylor	School of Dentistry
Lewis Hiett / Amanda Taylor	School of Dentistry – Continuing Education
Lewis Hiett / Amanda Taylor	School of Dentistry – Craniofacial and Surgical Care
Yulia Nikiforov	School of Education
Lauren Partin	School of Government
Wendy Andrews	School of Information and Library Science
Eric Helms	School of Law
Mark Richardson	School of Media and Journalism
Valerie Tan	School of Medicine
Lily Aussieker	School of Nursing
John Anderson	School of Social Work
Christine Keat	Statistics and Operations Res
Victoria Boykin	Student Affairs Carolina Union
Beth Mellott	Student Housing and Residential Education
Laurie Trumbo	Transportation and Parking
JT Walker	UNC Police
James Baricelli	University Career Services
Kristy Nash	University Cashier
Tahnee Lucero/Mark Ingram	University Development
Ellen Bowman/Dan Comeskey	University Library
Leslie Heal	Vice Chancellor for Research – Commercialization and Economic Development
Leslie Heal	Vice Chancellor for Research
Charlie LaMonica	World View
Last updated March 28, 2024

CERTIFI will not approve Stripe, PayPal, Venmo, or other software that has the following characteristics:

1. An employee has to provide their personal information to set up the account.
2. The software serves as the payment gateway and processor. The State of North Carolina has a contract with Fiserv to serve as the University’s processor. The use of any other processor requires an exemption from the State. In addition, the University’s preferred gateway is TouchNet.
3. The software does not allow University Counsel to insert the appropriate PCI terms and conditions into the contract.

The University strictly prohibits the use of the University network to transact payment card/credit card transactions by third parties and any party per the Information Technology Acceptable Use Policy.

Please note especially:

UNC Guest WiFi Acceptable Use Policy and Terms and Conditions

The University of North Carolina at Chapel Hill (“UNC”) offers you use of its guest WiFi wireless Internet service (the “Service”) according to UNC’s Acceptable Use Policy and this WiFi Wireless Network Acceptable Use Policy (the “Policy”) as a free, non-public service to its visitors for the duration of their visit. All users of this Service must agree to the terms of this Policy by clicking the ACCEPT button or signing before use. UNC does not guarantee the Service or specific rates of speed. UNC also has no control over information obtained through the Internet and cannot be held responsible for its content or accuracy. Use of the Service is subject to the user’s own risk. UNC reserves the right to remove, block, filter, or restrict by any other means any material that, in our sole discretion, may be illegal, may subject us to liability, or may violate this Policy. UNC may cooperate with legal authorities and/or third parties in the investigation of any suspected or alleged crime or civil wrong. Violations of this Policy may result in the suspension or termination of access to the Service or other resources, or other actions as detailed below.

Responsibilities of Service Users

Users are responsible for the security of their devices, including ensuring they are running up-to-date anti-virus software on their wireless devices. Users must be aware that, as they connect their devices to the Internet through the Service, they expose their devices to: worms, viruses, Trojan horses, denial-of-service attacks, intrusions, packet-sniffing, and other abuses by third-parties. Users must respect all copyrights. Downloading or sharing copyrighted materials is strictly prohibited. The running of programs, services, systems, processes, or servers by a single user or group of users that may substantially degrade network performance or accessibility will not be allowed. Electronic chain letters and mail bombs are prohibited. Connecting to “Peer to Peer” file sharing networks or downloading large files, such as CD ISO images, is also prohibited. Accessing another person’s computer, computer account, files, or data without permission is prohibited. Attempting to circumvent or subvert system or network security measures is prohibited. Creating or running programs that are designed to identify security loopholes, to decrypt intentionally secured data, or to gain unauthorized access to any system is prohibited. Using any means to decode or otherwise obtain restricted passwords or access control information is prohibited. Forging the identity of a user or machine in an electronic communication is prohibited. Saturating network or computer resources to the exclusion of another’s use, for example, by overloading the network with traffic such as emails or legitimate (file backup or archive) or malicious (denial of service attack) activity, is prohibited. Users understand that wireless Internet access is inherently not secure, and users should adopt appropriate security measures when using the Service.

Merchant accounts can accept the following payment brands upon CERTIFI approval: Discover, Mastercard, and Visa. American Express (Amex) is not generally available for the following reasons:
1. Departments do not process enough transactions to warrant the additional administrative burden of accepting Amex.
2. Amex processes on a 1-day deposit lag in comparison to other card brands. They process through Amex’s system and are passed through Fiserv. In the past, this caused reconciliation problems for the University due to departmental inattentiveness to this difference.
3. Amex has a separate merchant account number and must be applied for through The Office of State Controller.
4. Amex bills the departments directly. There were issues, in the past, with merchants not paying the bills promptly. This resulted in late fees for the University.
CERTIFI will review requests to accept Amex on a case-by-case basis. Departments that do not accept Amex can ask payers to send a wire to the University or use a different payment method.

As a new or existing merchant you are inherently accepting responsibility for the security of consumer cardholder data.

What is the Payment Card Industry Security Standards Council?

Founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa, the Payment Card Industry Security Standards Council’s (PCI SSC) provides guidelines to protect cardholder data. The industry standard (Payment Card Industry Data Security Standards – PCI DSS) for maintaining security are communicated via six goals. By completing this form, you are attesting adherence to these goals.

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

The University created the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) Committee to direct, manage, maintain, and ensure merchants’ compliance with these goals.

What is the Compliant Electronic Receipt Transactions through Innovation and Financial Integrity (CERTIFI) Committee?

The CERTIFI Committee is the clearinghouse for all compliance issues related to University credit card security. This cross-departmental Committee monitors PCI regulatory statutes and contractual obligations on behalf of campus merchants. The Committee is sponsored in partnership by Finance and Information Technology Security. CERTIFI is not responsible for student organizations.

What is the Merchant Services Office?

The Merchant Services Office provides support to CERTIFI and University merchants. The PCI Compliance Manager directs the University’s compliance efforts while the Merchant Services Manager monitors merchants’ daily activity.

How do departments become merchants?

Becoming a merchant is a multi-step process and relies heavily on each department. Applications are reviewed by a CERTIFI subcommittee within two-weeks of receipt. Once an application has met CERTIFI’s approval criteria, an approval memo is issued, and a second application is submitted to the Office of State Controller and the University’s processing bank, Fiserv. This process requires an additional 10 business days. Note: submission of an application does not imply approval.

How does a department accept payments – in-person, via telephone or via fax?

Accepting in-person payments, telephone payments and fax payments requires use of a point-of-sale (POS) terminal. Typically, unless a vendor specific solution is involved, POS terminals are ordered through the State’s contract with Fiserv.

How does a department accept online payments?

The University’s online payment gateway is TouchNet. Departments have the option of creating a website, utilizing Event Registration, or selecting a TouchNet Ready Partner to interface with TouchNet.

CERTIFI, in some cases, will approve vendors requiring a payment gateway other than TouchNet. However, there must be a demonstrated business need. To use a gateway other than TouchNet requires the submission of an exemption request. The department must submit a letter detailing the business need, the desired gateway, and provide a current Attestation of Compliance (AOC).

It is important to note; University employees are prohibited from entering payment card information into University owned devices with the exception of point-of-sale terminals.

What is the process for vetting an outside vendor for payment services?

There are a number of technical, security, and contractual issues to address when vetting outside vendors. It is best practice to include CERTIFI from the beginning.

What are the department’s responsibilities as a merchant?

PCI compliance is an ongoing and evolving endeavor. Below is a list of some of the merchant department’s responsibilities:

• Daily deposits, as mandated by the State of North Carolina, must be submitted unless an exemption has been obtained
• Submission of an updated Merchant Agreement and Renewal (MAR) document whenever changes are made or at least annually
• Completion of an annual Self-Assessment Questionnaire (SAQ) attesting to compliance (AOC) with PCI DSS
• Confirmation that staff have completed their annual PCI and ITS Security training
• Maintenance of an updated department Policy and Procedure manual for staff to review and reference
• Assurance that point-of-sale credit card number transmissions occur only across analog phone lines, cellular terminals, or PCI validated Point-2-Point Encrypted devices

PCI DSS Compliance is critical to safeguarding your customers’ payment card information. If you have any questions, email CERTIFI at [email protected].