Card Acceptance

Business units are responsible for compliance with the Card Acceptance Policy. Internal Audit or Cash & Credit Operations may audit for compliance at any time. Each business unit will identify the business manager, or equivalent, who will be the responsible party for ensuring compliance. Compliance requires business units to:

  • Obtain merchant IDs (MIDs) only from the Cash and Credit Operations department
  • Set up electronic commerce capabilities only with solutions that have been approved by the Controller’s office
  • Not authorize the use of convenience fees unless approval is obtained from the Controller’s office via the Cash & Credit Operations department
  • Understand and enforce all requirements of the PCI DSS, including securing card data within the department. Formally document the credit card process in the department including a network diagram if using e-commerce
  • Complete the required annual Self-Assessment Questionnaire (SAQ)
  • Review current processing practices and create a remediation plan for any areas where the department is not PCI DSS compliant
  • Complete annual training for staff who process or have access to credit cards
  • Annually review and collect all third-party Attestations of Compliance for PCI DSS compliance
  • Immediately report any security breach or potential security breach according to the Incident Response Plan
  • In the event a merchant does not comply with the PCI DSS compliance requirements, the merchant’s right to accept credit cards for payment can be suspended until compliance is obtained. In the event compliance has been determined to be unachievable, the merchant’s right to accept credit card payments will be revoked