Business units are responsible for compliance with the Card Acceptance Policy. Internal Audit or Treasury Services may audit for compliance at any time. Each business unit will identify the business manager, or equivalent, who will be the responsible party for ensuring compliance. Compliance requires business units to:
- Obtain merchant IDs (MIDs) only from the Treasury Services department
- Set up electronic commerce capabilities with solutions that have been approved by the Controller’s office only
- Not authorize the use of convenience fees unless approval is obtained from Treasury Services
- Understand and enforce all requirements of the PCI DSS, including securing credit card data within the department. Formally document the credit card process in the department including a network diagram if using e-commerce
- Merchants utilizing Point of Sale or Wireless terminals will be required to complete the monthly Credit Card Terminal Inspection Log
- Complete required Annual Self-Assessment Questionnaire (SAQ)
- Review current processing practices and create a remediation plan for any areas where the department is not PCI DSS compliant
- Complete annual training in Learn@Work for staff who process or have access to credit cards
- Annually review and collect all third party Attestation of Compliance for PCI DSS Compliance
- Immediately report any security breach or potential security breach according to the Incident Response Plan
- In the event a merchant does not comply with the PCI DSS Compliance requirements, the merchant’s right to accept credit cards for payment can be suspended until compliance is obtained. In the event compliance has been determined as unachievable the merchant’s right to accept credit card payments will be revoked