Merchant Roles and Responsibilities

Senior Business Officers have overall responsibility for the merchant environment and Merchant accounts (MIDs) under their purview. The suggested roles below are designed to provide guidance to the SBO in managing all the tasks and recordkeeping required to meet PCI Data Security Standards.


Senior Business Officer

Operational Responsibilities

• Responsible for ensuring all subsequent responsibilities listed here are fulfilled for each MID under his/her purview.

• Review and approve all requests relating to Merchants under his/her authority.

• Ensure Merchant Security Review Forms have been submitted for each new or changed Merchant environment.

• Ensure departmental procedures are in place to protect CHD and restrict access to Merchant environments to only authorized users with the roles shown below.

• Perform annual review with Merchant Account Coordinator to close unnecessary MIDs.

• Assign at least one authorized user who can process refunds.

PCI Compliance Responsibilities

• Responsible for security and PCI compliance of each Merchant environment under his/her authority.

• Complete all required training.

• Ensure all individuals with access to Merchant environments complete all required training.

• Review annual Self-Assessment Questionnaires (SAQs) for all open MIDs and sign Attestations of Compliance (AOCs) for each.

Merchant Account Coordinator

Operational Responsibilities

• Coordinate all Merchant-related requests with SBO and submit requests using instructions on Finance Gateway.

• Receive new equipment/decommission equipment no longer needed.

• Maintain chain of custody records for all equipment that has direct physical interaction with CHD from the time such equipment is delivered to when it is properly decommissioned.

• Maintain current list and location of MIDs.

• Maintain inventory list of all terminals/devices.

• Maintain up-to-date list of all authorized users. Promptly advise Treasury of changes to user list.

• Ensure operating procedures, data flow diagrams, third-party service provider documentation, and staff training & equipment inspection logs are up to date at all times.

• Perform annual review with SBO to close unnecessary MIDs.

PCI Compliance Responsibilities

• Complete all required training.

• Complete Monthly PCI DSS Checklist.

• Complete Monthly Device Inspection Form and Device Inventory Log for all terminals/devices used in Merchant environment.

• Complete annual Self-Assessment Questionnaires (SAQs) for all open MIDs.

• Independently verify identity of service/repair personnel who need access to credit card processing equipment; maintain access log.

• Maintain copies of Third Party Service Provider (TPSP) documentation indicating which PCI DSS requirements will be met by the TPSP and which will be the responsibility of the CU Merchant.

Financial Coordinator

Operational Responsibilities

• Provide a valid chartstring for both revenues & expenses/fees.

• Ensure a budget is set up on the expense account upon MID opening and prior to each fiscal year for as long as the MID is active.

• Complete reconciliations of all MID activity, including fees, at least monthly.

• Monitor and respond to chargeback disputes and retrieval requests.

• Retain access to all online reconciliation and dispute management tools.

PCI Compliance Responsibilities

• Complete required training.

• Assist Merchant Account Coordinator in completing Monthly PCI DSS Checklist, as needed.

Merchant IT Coordinator

Operational Responsibilities

• Coordinate completion of a Merchant Security Review Form with Merchant Coordinator prior to setting up any new Merchant environments or making any changes to an existing Merchant environment.

• Set up and configure all transaction processing equipment, software and/or systems in accordance with the Credit Card Acceptance and Processing Policy.

• Ensure any web development activity is disclosed on the Merchant Security Review Form and approved by CUIT.

• Disclose any access to or control of third-party payment processing pages, systems or servers and obtain approval from CUIT.

PCI Compliance Responsibilities

• Complete required training.

• Document and maintain a current diagram illustrating the Cardholder Data Environment (CDE). The diagram must include all data flows, POS devices, network devices, servers, computing devices, applications, and any other component or device located within or connected to the CU Merchant’s CDE.

• Assist Merchant Account Coordinator in completing Monthly PCI DSS Checklist, as needed.

Authorized User

Operational Responsibilities

• Validate and process credit card transactions, including authorized refunds.

• Review transactions prior to settlement and ensure all open batches are settled daily.

• Retain Merchant copies of all signed card-present transaction receipts and submit to Financial Coordinator on a monthly basis, or as needed for retrieval requests or chargeback disputes.

• Perform daily physical inspections of transaction processing equipment and immediately report any suspected tampering.

• Assist Financial Coordinator with chargeback disputes and retrieval requests as necessary.

PCI Compliance Responsibilities

• Complete required training.

• Assist Merchant Account Coordinator in completing Monthly PCI DSS Checklist, as needed.


* Although individuals may perform more than one role, it is important that the authorized user who processes the payments is not the same individual who performs or reviews the monthly account reconciliation.