Any department accepting payment cards on behalf of Middlebury for gifts, goods or services (“Merchant Department”) must designate an individual (staff or faculty member) within that department who will have primary authority and responsibility for eCommerce and payment card transaction processing within that department.

This individual will be referred to in the remainder of this policy statement as the Merchant Department Responsible Person or “MDRP”.

MDRP Responsibilities Checklist

All MDRPs must do the following:

  • Ensure that all staff, contractors, student workers and volunteers (hereinafter referred to as agents of the College) complete the PCI Security Awareness Training and Agreement upon hire and annually.
  • Verify and collect PCI DSS Compliance documentation, in accordance with the Service Provider Management, for Service Providers on an annual basis or upon major changes. The MDRP should retain a copy of the Attestation of Compliance (AOC) and submit a copy to upon receipt.
  • Validate compliance for the merchant department on an annual basis by completing the Self-Assessment Questionnaire in collaboration with the PCI Compliance Team.
  • Ensure user access to the cardholder data environment is revoked (notify when the individual’s job no longer requires access to the cardholder data environment. Maintain an audit log of user access to the cardholder data environment for a minimum of one year.
  • Be aware of all payment processes and practices within your merchant department. It is the responsibility of the MDRP to ensure Standard Operating Practices are known by all in your department, are adhered to, are in accordance with the PCI DSS and are approved by the PCI Compliance Team.
  • Initiate the process in the event of a security incident or breach; see Security Breach Response.

For Payment Card Terminals and Point of Sale (PoS) Devices:

  • Ensure all devices accepting payment card data are maintained under a state of consistent control and supervision.
  • Ensure Point of Sale devices/terminals (cash registers, stand-alone swipe terminals etc.) are physically secured.
  • Complete a Terminal Characteristics form and Monthly Physical Inspections for tampering or substitution. Systems not in use must be secured in a locked facility and regularly inventoried. Monthly Physical Inspection forms must be forwarded to upon completion of monthly inspections.
  • Ensure that all agents of the College are trained on tampering and skimming prevention upon hire and at least annually. Please see Physical Security and Skimming Prevention.

Please read the Middlebury PCI Policy for Credit Card and eCommerce Payments for additional responsibilities. Individuals found to have violated the Middlebury PCI Policy for Accepting Credit Card and eCommerce Payments and the PCI WISP, whether intentionally or unintentionally, may be subject to disciplinary action, including termination, and such violations could limit a department’s payment card acceptance privileges.

MDRP by Department

| Department | MDRP Contact |
| --- | --- |
| Admissions | John Nordmeyer |
| Advancement | Jami Black |
| Athletics | Suzanne Cota |
| Bookstore | Erin Jones-Poppe |
| Box Office | Debby Anderson |
| Bread Loaf Writers’ Conferences | Jason Lamb |
| Dining | Ken Pierce |
| Golf Course | Derrick Cram |
| Health Center | Megan Smith |
| ITS | Chis Norris |
| Language Schools | Kara Donor |
| Library | Kim Gurney |
| Mailing Services | Patty Murray |
| MIIS PCI Lead | Cheryl Rowe |
| MIIS Admissions | Marci Fitzurka |
| MIIS CACS | Emily Weidner |
| MIIS Cashier’s Office | Cheryl Rowe |
| MIIS Office Services | Naomi Braswell |
| MIIS SFS | Regina Garner |
| Museum of Art | Mikki Lane |
| New England Review | Carolyn Kuebler |
| Outdoor Programs | Maria Farnsworth |
| Public Safety | Fawn Torrey |
| Registrar | Jennifer Thompson |
| Rikert/Snow Bowl | Mike Hussey |
| Schools Abroad | Bill Mayers |
| Student Financial Services | Kim Downs-Burns |