Merchant Contact Responsibilities

Merchant Contact Responsibilities

The merchant contact is responsible for the following items:

  • Serve as the coordinator of merchant activities in the department and as point person for the Treasurer's Office.
  • Always contact [email protected] immediately if you suspect or locate a credit card data loss/breach.
  • Serve as the person who:
    • completes the annual self-assessment questionnaire (SAQ) for PCI (Payment Card Industry) compliance through U-M's ​3rd party company, CampusGuard
    • obtains required PCI documentation from supplier(s) each year
    • ensures PCI compliance at all times.
  • Successful completion of U-M My LINC Merchant Certification TME102 Course annually by:
    • you
    • all applicable staff
      • new and existing staff who are authorized to process credit cards or refunds.
      • any staff who do not process credit cards but come into contact with credit card data (i.e., full 16 digits of credit cards).  For example, a person who opens the mail where credit card data is present.
  • Annually read and follow the SPG policies and Merchant policies (e.g. University of Michigan Merchant Requirements) which govern credit card activities.
  • Prepare (and update when necessary) departmental Internal Controls Written Procedures which also includes:
    • Segregation of Duties
    • Review of Daily Transaction Activity
    • Controlled Access to Resources
    • Supervision
    • Verification
    • Documentation
  • Recommended to complete the Internal Controls Gap Analysis annually.
  • Train all departmental staff on processing credit card transactions and refunds if applicable.
  • Update the "Authorized Users" in the Merchant Information page of MPathway's Financial & Physical Resources System (FINPROD) whenever authorized user staff changes.
    • An authorized user is anyone who does any of the following: handles cardholder data (i.e. the full 16 digit card number), processes credit card transactions or processes credit card refunds. Merchant contacts are also authorized users and are listed by default on this page.
    • You will receive an ITS email when you have been granted this MPathway’s access.
    • Adding/Updating Authorized Users instructions are listed on the lower portion of this web page.
    • Please also review and update the Processing Locale field for each user on this page, as applicable.
  • Notify [email protected] of any relevant changes that impact the merchant account (e.g., personnel changes such as the merchant contact or IT Contact [if applicable], processing/equipment/supplier changes, etc.).
  • Contact [email protected] if your staff will be processing credit card transactions outside of a U-M facility to confirm PCI DSS compliance is maintained.  (This relates to staff considered to be working remotely; it does not relate to staff working at annual or one-time events like conferences or trade shows.)  In addition, see and adhere to Off Campus Use of U-M Property.  

If the merchant account has credit card terminals, then the merchant contact is also responsible for:

  • Maintaining a list of your terminal make(s), model(s), serial number(s), and location(s) with addresses.
    • Each business day, verify your credit card terminal info (above) and keep a record of the verification along with the name of person performing that task.
    • List must be updated when terminal is replaced or relocated. The serial number is located on the underside of the terminal.
  • Ensuring that all staff processing credit cards are trained on "terminal tampering."
  • Informing staff that anyone who requests access to evaluate or repair the terminal(s) must provide identification that verifies their affiliation with U-M Treasurer's Office or with your appropriate terminal supplier/provider.  Staff must deny terminal access to inappropriate individuals and notify the merchant contact and Treasurer's office immediately.
  • Following the guidance provided in the relevant P2PE Instruction Manual ("PIM") for your terminal(s).  Annually verify that you have the latest version of the PIM from your supplier/P2PE vendor.
  • Using an approved communication system if credit card data is being conveyed via the phone. See here for more information:  https://finance.umich.edu/resource/approved-phones-taking-credit-card-processing.

 

» Print Friendly

Got a question?

We're here to help.

Resources