Merchant Roles and Responsibilities

Senior Business Officers have overall responsibility for the merchant environment and Merchant accounts (MIDs) under their purview. The suggested roles below are designed to provide guidance to the SBO in managing all the tasks and recordkeeping required to meet PCI Data Security Standards.


Senior Business Officer

Operational Responsibilities / PCI Compliance Responsibilities

• Ensure merchants with MIDs under his/her purview have departmental procedures in place to comply with CU Credit Card Acceptance and Processing Policy (CU Policy)

• Ensure merchants with MIDs under his/her purview assign roles and responsibilities to ensure proper internal controls and compliance with CU Policy.

• Review and approve all requests from merchants under his/her purview related to CU Merchant environments.

• Ensure merchants with MIDs under his/her purview review diagrams illustrating the Cardholder Data Environment (CDE) and that diagrams are validated by the CUIT-PCI Security Group.

• Ensure merchants with MIDs under his/her purview maintain current copies of required third party service provider (TPSP) documentation and proof of PCI compliance.

• Conduct a review at least annually of all open MIDs and close any MIDs that are no longer needed.

• Complete all required training.

• Ensure all individuals with access to Merchant environments complete all required training.

• Review annual Self-Assessment Questionnaires (SAQs) for all open MIDs and sign Attestations of Compliance (AOCs) for each SAQ.

• Take immediate action to respond to a suspected or confirmed security compromise.

Merchant Account Coordinator

Operational Responsibilities / PCI Compliance Responsibilities

• Coordinate all Merchant related requests with SBO and submit requests using instructions on Finance Gateway.

• Receive new equipment/decommission equipment no longer needed.

• Maintain chain of custody records for all equipment that has direct physical interaction with Cardholder Data (CHD) from the time such equipment is delivered to when it is properly decommissioned.

• Maintain current list and location of MIDs.

• Maintain inventory list of all terminals/devices.

• Maintain up to date list of all authorized users.

• Promptly advise Treasury of changes to user list.

• Ensure operating procedures, data flow diagrams, third party service provider documentation and staff training & equipment inspection logs are up to date at all times.

• Perform annual review with SBO to close unnecessary MIDs.

• Complete all required training.

• Complete Monthly PCI DSS Checklist.

• Complete Monthly Device Inspection Form and Device Inventory Log for all terminals/devices used in Merchant environment.

• Complete annual SAQs for all open MIDs.

• Independently verify identity of service/repair personnel who need access to credit card processing equipment; maintain access log.

• Maintain list of TPSPs that affect the Merchant environment, including PCI requirements and provider role. Ensure proof of TPSP's PCI DSS compliance is updated annually.

• Alert SBO if a suspected or confirmed security compromise occurs.

Financial Coordinator

Operational Responsibilities / PCI Compliance Responsibilities

• Provide a valid chartstring for both revenues & expenses/fees.

• Ensure a budget is set up on the expense account upon MID opening and prior to each fiscal year for as long as the MID is active.

• Complete reconciliations of all MID activity, including fees, at least monthly.

• Monitor and respond to chargeback disputes and retrieval requests.

• Retain access to all online reconciliation and dispute management tools.

• Complete required training.

• Assist Merchant Account Coordinator in completing Monthly PCI DSS Checklist, as needed.

• Alert SBO if a suspected or confirmed security compromise occurs.

Merchant IT Coordinator

Operational Responsibilities / PCI Compliance Responsibilities

• Coordinate completion of a Merchant Security Review Form with Merchant Coordinator prior to setting up any new Merchant environments or making any changes to an existing Merchant environment.

• Set up and configure all transaction processing equipment, software and/or systems in accordance with the Credit Card Acceptance and Processing Policy.

• Ensure any web development activity is disclosed on the Merchant Security Review Form and approved by CUIT.

• Disclose any access or control of third party payment processing pages, systems or servers and obtain approval from CUIT.

• Complete required training.

• Maintain a current diagram illustrating the CDE. The diagram must include all data flows, POS devices, network devices, servers, computing devices, applications, and any other component or device located within or connected to the CU Merchant’s CDE.

• Assist Merchant Account Coordinator in completing Monthly PCI DSS Checklist as needed.

• Alert SBO if a suspected or confirmed security compromise occurs.

Authorized User

Operational Responsibilities / PCI Compliance Responsibilities

• Validate and process credit card transactions, including authorized refunds.

• Review transactions prior to settlement and ensure all open batches are settled daily.

• Retain Merchant copies of all signed card-present transaction receipts and submit to Financial Coordinator on a monthly basis, or as needed for retrieval requests or chargeback disputes.

• Perform daily physical inspections of transaction processing equipment and immediately report any suspected tampering.

• Assist Financial Coordinator with chargeback disputes and retrieval requests as necessary.

• Complete required training.

• Assist Merchant Account Coordinator in completing Monthly PCI DSS Checklist, as needed.

• Alert SBO if a suspected or confirmed security compromise occurs.


* Although individuals may perform more than one role, it is important that the authorized user who processes the payments is not the same individual who performs or reviews the monthly account reconciliation.