Any department accepting credit card and/or electronic payments on behalf of Middlebury for gifts, goods or services (“Merchant Department”) must designate an individual (staff or faculty member) within that department who will have primary authority and responsibility for eCommerce and credit card transaction processing within that department. This individual will be referred to in the remainder of this policy statement as the Merchant Department Responsible Person or “MDRP”.
All MDRPs must:
- Execute on behalf of the relevant Merchant Department the Process to Implement Acceptance of Credit Cards for Payment detailed below.
- Ensure that all employees (including the MDRP), contractors and agents with access to payment card data (within the relevant Merchant Department) complete the PCI Security Awareness Training & Agreement, at http://go.middlebury.edu/pcidss. The training consists of a security awareness video, a review of the Middlebury PCI Policy, and electronic signature of the PCI Security Awareness and Confidentiality Statement. Training must be completed upon hire and at least annually. The MDRP should forward the PCI Security Awareness and Confidentiality Statement to the PCI Compliance Team upon request.
- Ensure that all credit card data collected by the relevant Merchant Department, in the course of performing Middlebury business, is secured.
- Ensure all Point of Sale (POS) devices, including cellular-based stand-alone swipe terminals and point of sale systems, are maintained under consistent control and supervision. **The Cashiers Office has a cellular card swipe terminal for loan to staff/departments that have completed the PCI Security Awareness and Confidentiality Statement.
- Ensure Point of Sale devices/terminals (cash registers, stand-alone swipe terminals etc.) are physically secured. Complete a Terminal Characteristics form and a Monthly Physical Inspection checklist to check for tampering or substitution. Systems not in use must be secured in a locked facility and regularly inventoried. Retain the inspection log for a minimum of one year. **Please see Physical Inspection of PoS-Skimming Prevention.
- Ensure all Point of Sale (POS) devices have up-to-date patches and anti-virus software, with up-to-date logging. Retain logs and audit trail history for a minimum of one year.
- Service Provider Management - verify and collect PCI DSS Compliance Certificates or PA-DSS Validation Certificates (for POS systems) from all service providers used by the relevant Merchant Department on an annual basis. The MDRP should retain a copy of the certificates and submit a copy to the PCI DSS Compliance Team upon receipt.
- Ensure user access to the cardholder data environment (CDE), within the relevant Merchant Department, is revoked when the individual’s job no longer requires access to the CDE. Maintain an audit log of user access to the cardholder data environment for a minimum of one year.
Please read the PCI Policy for additional responsibilities.