Merchant Contact Responsibilities

The merchant contact is responsible for the following items:

• Serve as department merchant activities coordinator and as point person for the Treasurer's Office. 
• Always contact [email protected] immediately if you suspect or locate a credit card data loss/breach. 
• Serve as the person who: 
  • completes the annual self-assessment questionnaire (SAQ) for PCI (Payment Card Industry) compliance through U-M's ​3rd party company, CampusGuard 
  • obtains required PCI documentation from supplier(s) each year 
  • ensures PCI compliance at all times. 
• Successful completion of U-M My LINC Merchant Certification TME102 Course annually by:
  • you
  • all applicable staff
    • new and existing staff who are authorized to process credit cards or refunds.
    • any staff who do not process credit cards but come into contact with credit card data (i.e., full 16 digits of credit cards).  For example, a person who opens the mail where credit card data is present.
• Annually read and follow the SPG policies and Merchant policies (e.g. University of Michigan Merchant Requirements) which govern credit card activities. 
• Prepare (and update when necessary) departmental Internal Controls Written Procedures which also includes: 
  • Segregation of Duties
  • Review of Daily Transaction Activity
  • Controlled Access to Resources
  • Supervision
  • Verification
  • Documentation 
• Recommended to complete the Internal Controls Gap Analysis annually.
• Train all departmental staff on processing credit card transactions and refunds if applicable.
• Update the "Authorized Users" in the Merchant Information page of MPathway's Financial & Physical Resources System (FINPROD) whenever authorized user staff changes. 
  • An authorized user is anyone who handles cardholder data (i.e. the full '16 digit' credit card number) or issues credit card refunds.  
  • You will receive an ITS email when you have been granted this MPathway’s access.  
  • Adding/Updating Authorized Users instructions are listed on the lower portion of this web page.
• Notify [email protected] of any relevant changes that impact the merchant account (e.g., personnel changes such as the merchant contact or IT Contact [if applicable], processing/equipment/supplier changes, etc.).
• Contact [email protected] if your staff will be processing credit card transactions outside of a U-M facility to confirm PCI DSS compliance is maintained.  This relates to staff considered to be working remotely; it does not relate to staff working at annual or one-time events like conferences or trade shows.)  In addition, see and adhere to Off Campus Use of U-M Property.  

If the merchant account has credit card terminals, then the merchant contact is also responsible for:

• Maintaining a list of your terminal make(s), model(s), serial number(s), and location(s) with addresses.
  • Each business day, verify your credit card terminal info (above) and keep a record of the verification along with the name of person performing that task.
  • List must be updated when terminal is replaced or relocated. The serial number is located on the underside of the terminal.
• Ensuring that all staff processing credit cards are trained on "terminal tampering."
• Informing staff that anyone who requests access to evaluate or repair the terminal(s) must provide identification that verifies their affiliation with U-M Treasurer's Office or terminal supplier/provider.  Staff must deny terminal access to inappropriate individuals and notify the merchant contact and Treasurer's office immediately.
• Following the guidance provided in your terminals P2PE Instruction Manual (PIM).  Annually verify that you have the latest version from your supplier/P2PE vendor.
• Using an approved communication system if credit card data is being conveyed via the phone. See here for more information:  https://finance.umich.edu/resource/approved-phones-taking-credit-card-processing.