Merchant Operations

University departments and units approved to accept payment cards must establish and maintain a proper security environment to safeguard a customer's payment information at all times.

Payment card processing can be broken down into two general methods (channels) of Card Present and Card NOT Present, using three kinds of technologies:

Regardless of the channel or technology used, the customer trusts that the unit accepting his/her payment card information will protect that information as if the customer were handing over cash. Payment card information, therefore, should be treated as carefully as any other confidential information (e.g., a social security number) or a stack of $100 bills. It is the responsibility of the unit to follow the policies and procedures below to ensure transactions are processed safely and in accordance with the agreements established by the University and the University's payment acquirer.

A unit must comply with the Payment Card Industry Data Security Standard (PCI DSS). A unit must undergo periodic reviews of its processing environment by Merchant Card Services to ensure that all policies and procedures are being followed. As always, any business operation is subject to formal review by the Office of University Audits.

If at any time a unit experiences a breach or compromise of payment information or related data, that unit must report the event immediately to Merchant Card Services. Merchant Card Services will assess the situation and invoke the necessary incident response plan. A unit must also notify its respective campus Information Security office of the possible breach. Units found to be non-compliant with processing requirements are subject to immediate suspension of card processing capability.

If you have questions, please contact us and visit our Training Resources.

Last Updated: February 24, 2011