Any department accepting credit card and/or electronic payments on behalf of Middlebury for gifts, goods or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for eCommerce and credit card transaction processing within that department. This individual will be referred to in the remainder of this policy statement as the Merchant Department Responsible Person or “MDRP”.
All MDRPs must:
- Execute on behalf of the relevant Merchant Department the Process to Implement Acceptance of Credit Cards for Payment detailed below.
- Ensure that all employees (including the MDRP), contractors and agents with access to payment card data within the relevant Merchant Department complete the CBT PCI Security Awareness Training & Agreement at http://go.middlebury.edu/pcidss, on hire and on an annual basis, and electronically sign the PCI Confidentiality Statement acknowledging that they have read and understand this Policy for Accepting Credit Card and eCommerce Payments. The MDRP should forward the PCI Confidentiality Statement to HR to be filed in the personnel or student file and keep a copy on file to submit upon request to the PCI Compliance Team.
- Ensure that all credit card data collected by the relevant Merchant Department in the course of performing Middlebury business, regardless of how the payment card data is secured.
- Ensure all Point of Sales (POS) devices, including cellular based VeriFone terminals and point of sale systems, are maintained under a state of consistent control and supervision. Approval from the PCI Compliance Team must be obtained and additional instruction may be provided before an MDRP or functional area may grant another functional area or organization access to their payment system. **Please see Physical Inspection of PoS-Skimming Prevention.
- Ensure all Point of Sale (POS) devices have current patches and anti-virus software, with up-to-date logging. Retain logging and audit trail history for a minimum of one year.
- Ensure Point of Sale devices (cash registers, VeriFone terminals, etc.) are physically secured. Inspect Point of Sale devices on a weekly basis for tampering or substitution. Systems not in use must be secured in a locked facility and regularly inventoried. Retain the inspection log for a minimum of one year. **Please see Physical Inspection of PoS-Skimming Prevention.
- Verify and collect PCI DSS Compliance Certificate or PA-DSS Validation certificate (POS systems) on all service providers within the relevant Merchant Department on an annual basis. The MDRP should retain a copy of the certificates and submit a copy to the PCI DSS Compliance Operations Team upon receipt.
- Ensure user access to the cardholder data environment (CDE) within the relevant Merchant Department is revoked when the individual’s job no longer requires access to the CDE. Maintain an audit log of user access to the cardholder data environment for a minimum of one year.
Please read the PCI Policy for additional responsibilities.