OMS Standard: Merchant Responsibilities

Applicability: University of Washington

Standard Title: OMS Standard - Merchant Responsibilities

PDF Version: oms-standard-merchant-responsibilities.pdf

Purpose

This standard establishes the responsibilities required of all UW Merchants accepting payment cards. All University merchants are required to comply with this standard, and applicable Payment Card Industry Data Security Standards (PCI-DSS), in accordance with Administrative Policy Statement APS 35.1.

Scope

This standard applies to any University merchant accepting payment cards.

Requirements

General

  • Merchants must document, maintain, and train employees on Payment Card operations procedures for their area.
  • Merchants must define and document a departmental policy for processing customer refunds.
  • Merchants must ensure that Merchant ID (MID) information maintained by OMS is current and accurate at all times (e.g. contact information changes, Workday Finance Worktag changes, device location changes, etc.).
  • Merchants must participate in annual PCI assessments conducted by OMS.
  • Merchants must notify OMS if their Merchant Account is seasonal (one-time or date specific events). All Merchant Accounts will be closed after 12 months of inactivity.

Breach And Incident Notifications

  • Merchants must notify OMS immediately when made aware of any possible breach involving cardholder data, whether discovered internally or through a Third-Party Service Provider (TPSP).
  • Merchants must notify OMS immediately of suspicious activity on any e-commerce site, for example numerous repeated low-cost transactions, a pattern characteristic of a card testing attack.
  • Merchants must notify OMS immediately of any theft of, or suspected tampering with, credit card terminals or devices.
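The card testing pattern named above (many low-value authorization attempts against different cards from one source in a short window, most of them declined) is the kind of thing a merchant can spot in its own e-commerce transaction log before a TPSP or OMS does. The detector below is an added example and is not part of this standard or of any OMS tool; the log format, the field names, the sample records and the thresholds (five-minute window, ten attempts, five distinct cards, amounts of $5.00 or less) are all constructed assumptions for illustration. Consistent with the retention rules later in this document, the records carry only the last four digits of each card.

```python
"""Flag card-testing activity in a constructed e-commerce transaction log.

Added example; the log format, thresholds and sample data are assumptions,
not part of the OMS standard or of any OMS-provided tooling.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields:
#   timestamp, source address, amount, gateway result, last four PAN digits.
# 203.0.113.7 hammers twelve different cards at $1.00 within a minute,
# 192.0.2.9 makes a few cheap retries (below threshold),
# 198.51.100.20 is an ordinary customer with normal-sized purchases.
SAMPLE_LOG = """\
2024-03-01T09:30:00,198.51.100.20,45.00,APPROVED,4242
2024-03-01T10:00:00,203.0.113.7,1.00,DECLINED,1111
2024-03-01T10:00:05,203.0.113.7,1.00,DECLINED,2222
2024-03-01T10:00:10,203.0.113.7,1.00,APPROVED,3333
2024-03-01T10:00:15,203.0.113.7,1.00,DECLINED,4444
2024-03-01T10:00:20,203.0.113.7,1.00,DECLINED,5555
2024-03-01T10:00:25,203.0.113.7,1.00,DECLINED,6666
2024-03-01T10:00:30,203.0.113.7,1.00,APPROVED,7777
2024-03-01T10:00:35,203.0.113.7,1.00,DECLINED,8888
2024-03-01T10:00:40,203.0.113.7,1.00,DECLINED,9999
2024-03-01T10:00:45,203.0.113.7,1.00,DECLINED,1234
2024-03-01T10:00:50,203.0.113.7,1.00,DECLINED,5678
2024-03-01T10:00:55,203.0.113.7,1.00,APPROVED,4321
2024-03-01T10:20:00,192.0.2.9,2.00,DECLINED,8765
2024-03-01T10:20:30,192.0.2.9,2.00,DECLINED,8765
2024-03-01T10:21:00,192.0.2.9,2.00,DECLINED,9876
2024-03-01T10:21:40,192.0.2.9,2.00,APPROVED,9876
2024-03-01T11:15:00,198.51.100.20,60.00,APPROVED,4242
"""


def parse_log(text):
    """Turn the CSV-style sample log into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, source, amount, result, last4 = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "source": source,
            "amount": float(amount),
            "result": result,
            "last4": last4,
        })
    return records


def detect_card_testing(records, window=timedelta(minutes=5), max_amount=5.00,
                        min_attempts=10, min_distinct_cards=5):
    """Return {source: details} for sources whose low-value attempts within any
    sliding window reach min_attempts across at least min_distinct_cards cards.

    Only the first qualifying window per source is reported; the decline rate
    inside that window is included because a high rate of declines is what
    distinguishes card testing from a burst of small legitimate purchases.
    """
    by_source = defaultdict(list)
    for r in records:
        if r["amount"] <= max_amount:          # card testers probe with tiny amounts
            by_source[r["source"]].append(r)

    alerts = {}
    for source, rows in by_source.items():
        rows.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            win = rows[start:end + 1]
            cards = {r["last4"] for r in win}
            if len(win) >= min_attempts and len(cards) >= min_distinct_cards:
                declines = sum(1 for r in win if r["result"] == "DECLINED")
                alerts[source] = {
                    "attempts": len(win),
                    "distinct_cards": len(cards),
                    "decline_rate": round(declines / len(win), 2),
                    "first": win[0]["ts"].isoformat(),
                    "last": win[-1]["ts"].isoformat(),
                }
                break
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect_card_testing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for source, details in run_demo().items():
        print(f"possible card testing from {source}: {details}")
```

On the sample data only 203.0.113.7 is reported: ten attempts across ten different cards in 45 seconds with an 80% decline rate, which is the kind of finding that should trigger the immediate OMS notification this section requires. The thresholds are deliberately conservative so that a handful of genuine retries (192.0.2.9) stays quiet; in production they should be tuned against the merchant's own normal traffic, and the source key can be a session or account identifier rather than an address.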

Employee/User Access

  • All employees who will process payment cards must complete UW PCI Training before being given access to process payment cards. This training must be renewed annually.
  • Access to payment card data, equipment, and/or other devices in scope for PCI DSS must only be given to employees designated and trained in handling payment cards.
  • Employees using POS devices for payment card processing must use their own unique ID and password to access the equipment. Sharing passwords or accounts is forbidden.
  • When an employee is terminated or is no longer involved with payment card acceptance, the merchant must ensure access is removed immediately from all payment card areas including, but not limited to:
    • TouchNet MarketPlace (uStores & uPay) (To Be Implemented) or other e-Commerce Web Portal
    • Elavon Merchant Connect
    • 3rd Party Software or Point of Sale Device
  • A current and accurate list of employees who store, process, or transmit payment card data must be kept by the primary Merchant Contact, including hire/termination dates, training history, and each employee's roles (e.g., cashier, manager, supervisor, accountant, etc.) and responsibilities regarding payment card processing.

Devices

  • An inventory of all payment card devices must be maintained by the merchant, to include serial number, location of the device, and other identifiers.
    • The inventory must be updated when adding, relocating, or decommissioning any payment card devices.
    • The inventory must be reported to OMS annually.
  • New or replacement payment card terminals must be requested through OMS or through the applicable 3rd Party vendor.
    • If requested through the applicable 3rd party, OMS must be notified.
  • All default passwords on payment card devices must be changed upon implementation.
  • Device Inspections
    • Payment card devices must be regularly inspected for skimming devices and/or other physical tampering.
      • Recommended – at the start of each shift using the device.
    • Inspections must be logged on the OMS inspection form at least monthly.

Data Retention

  • The security code (CAV2, CID, CVC2, and CVV2) and the expiration date must never be stored on paper or electronically after authorization.
  • Only the last four digits of the payment card number may be retained after authorization.
  • All paper forms used to collect payment card data must be formatted so that the data can be easily redacted or removed for cross-cut shredding.
  • Forms that are appropriately redacted or truncated may be retained according to the appropriate retention schedule. Contact Records Management Services for information pertaining to your particular department (website in the links section at the end of the document).
  • Payment terminal inspection logs should be kept for the last full calendar year plus the current year.
  • Secure storage
    • Physical Payment Card Data may only be stored temporarily (not to exceed one business day). Authorization should occur as soon as possible.
    • Un-redacted Payment Card Data may only be stored in a secured, locked area, with limited access, prior to authorization. Payment Card data must never be stored in any form following authorization.
    • Un-redacted payment card data must never be sent to records storage facilities.
    • All payment card receipts may be kept for up to one year, unless otherwise specified by law for longer storage (e.g., grants, donations, research, etc.). Contact Records Management Services for information pertaining to your particular department.
    • Electronic Payment Card Data may only be stored through an OMS approved TPSP utilizing tokenization.
    • Electronic Payment Card Data must not be stored on any University device or network including but not limited to the following:
      • Applications or programs that run on a desktop workstation
      • Jump Drives, Flash Drives, or other removable media
      • Electronic documents (e.g., email, spreadsheets, databases, etc.)
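The retention rules above come down to two checks a merchant can run against its own files: no full card number survives after authorization (only the last four digits may remain) and no security code is stored at all. The scanner below is an added example, not part of this standard or of any OMS or Records Management tool; the sample export, the column layout and the label list for security codes are constructed assumptions. It finds candidate 13-19 digit sequences, keeps only those that pass the Luhn check so order numbers and phone numbers are not reported, and deliberately reports each hit masked to its last four digits so the scan output itself does not become another copy of cardholder data.

```python
"""Scan exported documents for unredacted card numbers and stored security codes.

Added example; the sample export and the label list are assumptions, not part
of the OMS standard or of any OMS-provided tooling.
"""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Security-code labels named in the Data Retention section, followed by 3-4 digits.
SECURITY_CODE = re.compile(
    r"\b(?:CVV2?|CVC2?|CID|CAV2|security code)\b\s*[:=]?\s*\d{3,4}\b",
    re.IGNORECASE,
)

# Constructed sample export (not real data). 4111 1111 1111 1111 is a widely used
# test number that passes Luhn; 1234567890123456 is a 16-digit order reference
# that fails Luhn and must not be reported.
SAMPLE_EXPORT = """\
order_id,customer,card,note
A1001,J. Doe,XXXX-XXXX-XXXX-4242,redacted after authorization
A1002,R. Roe,4111 1111 1111 1111,full PAN retained (violation)
A1003,S. Poe,1234567890123456,looks like a PAN but is an order reference
A1004,T. Moe,************1111,CVV: 123 noted on form (violation)
Phone: 206-555-0100
"""


def luhn_valid(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits, the most a merchant may retain."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return a list of findings, one per line that violates the retention rules.

    Each finding records the line number and the kind of problem; a PAN hit
    carries only its masked form, never the full number.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "kind": "pan", "masked": mask(digits)})
        if SECURITY_CODE.search(line):
            findings.append({"line": lineno, "kind": "security_code"})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f)
```

On the sample export the scan reports exactly two lines: the full test PAN on line 3 (shown as `************1111`) and the stored CVV on line 5; the properly truncated entries, the Luhn-invalid order reference and the phone number are ignored. A scan like this is a supplement to, not a substitute for, redacting paper forms and keeping electronic card data out of University systems, and any hit should be handled as a possible exposure and reported to OMS rather than simply deleted.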

Merchant Responsibilities

The merchant will:

  • Keep OMS up to date on any changes to personnel in positions that can have an impact on PCI.
    • New and leaving employees.
    • Enrollment of new employees into PCI training.
  • Keep OMS up to date on any changes to device inventory to include:
    • Make and model.
    • Serial number.
    • Device location.
  • Perform periodic inspections of the device to detect tampering or substitution of the device:
    • Verify the serial number matches inventory.
    • Verify that the appearance of the device has not changed since the last inspection.
    • Devices in less secure areas should be inspected more frequently.
      • The device should be visually inspected before and after daily use. The documented inspection should be completed and logged at least monthly.
    • Contact OMS (pcihelp@uw.edu) if any devices appear to have been tampered with.
  • Keep OMS up to date on changes to Merchant and TPSP contacts.
    • Any change to name, email, or phone number of primary and secondary contacts should be communicated to OMS.
  • Notify OMS of and verify TPSP continuing compliance with PCI DSS:
    • Annually – Merchant will obtain a new or updated Attestation of Compliance (AOC) from the TPSP.
    • Notice of upcoming contract expiration or renewals.

OMS Responsibilities

OMS will:

  • Record the initial merchant information, TPSP, and device inventory into the OMS database to include:
    • MID.
    • Attestation of Compliance (AOC) information, including expiration.
    • Contract information, including expiration.
    • Device inventory.
    • Register devices on campus wi-fi as necessary.
  • Assist Merchant and TPSP with implementation:
    • Provide implementation information from our payment processor – FiServ.
    • Order necessary payment card terminals from contracted vendors if applicable.
  • Provide notices of upcoming deadlines and events:
    • AOC expiration.
    • Annual compliance assessment.
  • Conduct regular compliance assessments and advise Merchants on results.
  • Communicate changes to PCI-DSS and related issues to Merchants through Merchant Services Digest.

Links

Administrative Information

Version: 1.4

Date Established: September 9, 2019 

Date Effective: April 5, 2022 

Next Review Date: April 1, 2026

Contact: Office of Merchant Services – pcihelp@uw.edu