Notre Dame merchant accounts will be issued only to particular Notre Dame entities for a specific use and must be obtained through the Merchant Account Acquisition Procedure.
Roles and Responsibilities
Each merchant must identify individual(s) to fill the following roles for each merchant account. (An individual may fulfill multiple roles.)
The Director of the area is responsible for ensuring that employees are familiar with and adhere to all payment card policies, standards, and procedures. The Director may need to approve change requests made through the Payment Environment Change Approval Process.
The Account Owner is the primary contact for merchant account communications issued by the Merchant Bank and the CCSP. To facilitate the annual completion of the industry-required Self-Assessment Questionnaire (SAQ), the Account Owner is responsible for maintaining and providing certain information to the CCSP upon request. Specifically, the Account Owner must:
- complete the Business Process Assessment (a brief, yes-no-N/A questionnaire)
- maintain the Registry of Card Processing Personnel
- report position changes (as described below)
- assist in identifying other departmental resources, as necessary to complete the SAQ
- act as the merchant's Business Continuity Coordinator
- Business Manager
The Business Manager is responsible for reconciliation of all operating accounts where payment card revenue is deposited. Where revenue is credited to an unearned revenue account, the Business Manager is responsible for transferring funds to the appropriate operating ledger account(s). Detailed reconciliations are to be maintained by the Business Manager. The Controller's Office should be contacted for assistance or questions regarding reconciliation. (See Payment Card Reconciliation Procedures.)
- IT Contact
The IT Contact will maintain the Registry of Card Processing Devices for all merchant equipment attached to the card processing environment. The registry must be available to the CCSP upon request. The IT Contact will assist in completing the technical sections of the annual Self-Assessment Questionnaire, if necessary.
Changes to contact information for these roles will be reported using the Merchant Contact Information Form immediately upon the change.
Observe the following data handling requirements:
- Keep cardholder data storage to a minimum by complying with the requirements detailed in the Payment Card Data Handling Procedures.
- Never store the card security code (three-digit or four-digit number printed on the front or back of a payment card).
- Do not store the personal identification number (PIN) or the encrypted PIN block.
- Only the first six and the last four digits of a payment card number may be displayed.
- Never send or request card numbers by any end-user technologies (e.g., email, voicemail, instant messaging, or text messaging).
Procurement of Payment Systems or Services
The addition of new payment systems or services is considered a change in the University’s payment environment and must follow either the Payment Environment Change Approval Process or the Merchant Account Acquisition Procedure. The CCSP will work with OIT, Procurement Services, and the Merchant to assist in selecting and implementing any new payment system.
For employees with privileged access (i.e., employees with access to more than one instance of cardholder data), merchants must follow the Position Modification Procedure when filling or terminating the position.
Reconciliation and Disputes
Observe the Payment Card Procedures to protect the integrity of fiscal data and to reduce the risk of fraud.
The Account Owner, Business Manager, and all other individuals who process or have access to cardholder data are required to complete the CCSP Security Awareness Training upon hire (before handling or having access to cardholder data) and annually. Additionally, these individuals must sign and submit the Policy Attestation Form annually after reviewing all payment card policies.
Observe the following system management requirements:
- Manage all computer systems according to the Technical Standard for Payment Card Processing Systems.
- Limit access to computing resources (e.g., computers, network jacks, wireless access points, gateways, and handheld devices) and cardholder information only to those individuals whose jobs require such access.
Business Continuity Planning
All merchants are required to have a business continuity plan and to provide that plan to the CCSP office annually. Merchants must be aware that if the CCSP has been breached, or in the event of a disaster, the environment may be unavailable for a time period no shorter than 48 hours and may be unavailable for a time period greater than one month while investigations are being conducted or recovery efforts are under way. Merchants that use third-party service providers are responsible for being aware of their service provider’s business continuity plan and for being able to provide that information to the CCSP office.
This standard applies to all University of Notre Dame employees or students.