Merchant Contact Responsibilities
The merchant contact is responsible for the following items:
- Serve as department merchant activities coordinator and as point person for the Treasurer's Office.
- Always contact merchantservices@umich.edu immediately if you suspect or locate a credit card data loss/breach.
- Serve as the person who: completes the annual self-assessment questionnaire for PCI (Payment Card Industry) compliance through the 3rd party company, CampusGuard; obtains required PCI documentation from vendor(s) each year; and ensures PCI compliance at all times.
- Successful completion of UM My LINC Merchant Certification TME102 Course annually by:
  - you
  - all applicable staff
  - new and existing staff who are authorized to process credit cards or refunds.
  - any staff who do not process credit cards but come into contact with credit card data (i.e., full 16 digits of credit cards). For example, a person who opens the mail where credit card data is present.
- Read and follow the SPG policies and Merchant policies (e.g. University of Michigan Merchant Requirements) which govern credit card activities. Review annually.
- Prepare (and update when necessary) departmental Internal Controls Written Procedures, which also include:
  - Segregation of Duties
  - Review of Daily Transaction Activity
  - Controlled Access to Resources
  - Supervision
  - Verification
  - Documentation
- Annually complete the Internal Controls Gap Analysis.
- Train all departmental staff on processing credit card transactions and refunds if applicable.
- Update the "Authorized Users" in the Merchant Information page of MPathways' Financial & Physical Resources System (FINPROD) whenever authorized user staff changes. An authorized user is anyone who handles cardholder data (i.e., the full 16-digit credit card number) or issues credit card refunds. You will receive an ITS email when you have been granted this MPathways access. Instructions for updating Authorized Users are listed on the lower portion of this web page.
- Notify Merchant Services of any relevant changes that impact the account (e.g., personnel changes such as the merchant contact or IT Contact [if applicable], processing/equipment/vendor changes, etc.).
- Contact the Treasurer's Office if your merchant will be processing credit card transactions outside of a U-M facility to confirm PCI DSS compliance is maintained. In addition, see Off Campus Use of U-M Property and adhere to the guidance within. (This bullet point relates to staff considered to be working remotely; it does not relate to staff working at annual or one-time events like conferences or trade shows.)
If the merchant account is using credit card terminals, then the merchant contact is also responsible for:
- Maintain a list of your terminal make(s), model(s), serial number(s), and location(s).
- Each business day, verify your credit card terminal info (above) and keep a record of the verification along with the name of the person performing that task.
- The list must be updated when a terminal is replaced or relocated. The serial number is located on the underside of the terminal.
- Terminal data is maintained in MPathways - FINPROD. The required list can be verified here and printed instead of manually creating a list. FINPROD discrepancies are reported to merchantservices@umich.edu.
- Ensure that all staff processing credit cards are trained on "terminal tampering."
- Inform staff that anyone who requests access to evaluate or repair the terminal must provide identification that verifies their affiliation with U-M Treasurer's Office. Notify the merchant contact and Treasurer's Office immediately if someone without proper identification attempts to access your terminal.
- Follow the guidance provided in your terminal's P2PE Instruction Manual ("PIM"). The latest version should be obtained from your P2PE vendor.
- Use an approved communication system if credit card data is being conveyed via the phone. See here for more information: https://finance.umich.edu/resource/approved-phones-taking-credit-card-processing