Any department accepting credit card and/or electronic payments on behalf of Middlebury for gifts, goods or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for eCommerce and credit card transaction processing within that department. This individual will be referred to in the remainder of this policy statement as the Merchant Department Responsible Person or “MDRP”.
All MDRPs must:
- Execute on behalf of the relevant Merchant Department the Process to Implement Acceptance of Credit Cards for Payment detailed below.
- Ensure that all employees (including the MDRP), contractors and agents with access to payment card data (within the relevant Merchant Department) complete the PCI Security Awareness Training & Agreement at http://go.middlebury.edu/pcidss. The training consists of watching a security awareness video, reviewing the Middlebury PCI Policy for Accepting Credit Card and eCommerce Payments, and electronically signing the PCI Confidentiality Statement. Training must be completed upon hire and at least annually thereafter. The MDRP should forward the signed PCI Confidentiality Statements to the PCI Compliance Team upon request.
- Ensure that all credit card data collected by the relevant Merchant Department in the course of performing Middlebury business, regardless of how the payment card data is secured.
- Ensure all Point of Sale (POS) devices, including cellular-based VeriFone terminals and point of sale systems, are maintained under consistent control and supervision. **The Cashiers Office has a cellular card swipe terminal available for loan to staff/departments that have completed the PCI Training & Confidentiality Agreement.
- Ensure Point of Sale devices/terminals (cash registers, stand-alone swipe terminals, etc.) are physically secured. Complete a Terminal Characteristics form for each device and a Monthly Physical Inspection checklist to check each device for tampering or substitution. Devices not in use must be secured in a locked facility and regularly inventoried. Retain the inspection log for a minimum of one year. **Please see Physical Inspection of PoS-Skimming Prevention.
- Ensure all Point of Sale (POS) devices are kept current with security patches and anti-virus updates, and that logging on them is enabled and kept up to date. Retain logs and audit trail history for a minimum of one year.
- Verify and collect, on an annual basis, a current PCI DSS compliance certificate (or, for POS systems, a PA-DSS validation certificate) from every service provider used by the relevant Merchant Department. The MDRP should retain a copy of each certificate and submit a copy to the PCI DSS Compliance Operations Team upon receipt.
- Ensure that user access to the cardholder data environment (CDE) within the relevant Merchant Department is revoked as soon as an individual’s job no longer requires access to the CDE. Maintain an audit log of user access to the CDE for a minimum of one year.
Please read the PCI Policy for additional responsibilities.