VI. Established Merchant Accounts

A.  Card Processing Requirements

Merchants must meet the following ongoing requirements to retain their merchant status:

  1. All persons involved with the processing, accounting and reconciliation of credit card transactions must ANNUALLY complete the following Self-Service ICON training courses:
    1. WCCARD - Credit Card Policy Training
    2. WSANS1 - UIOWA Security Awareness Training
  2. Annual renewal of SAQ in Trustwave
    1. Make sure the SAQ completed is appropriate for the merchant’s method of processing credit card transactions. (A guide to SAQ selection is located in Appendix C.)
    2. The attestation of compliance, which is the last requirement of the SAQ, must be signed by the merchant’s departmental budget officer.
  3. If applicable, monitor monthly scan reports in Trustwave to ensure no vulnerabilities are discovered.
  4. Non-compliant merchant accounts in Trustwave or merchants who are required to complete SAQ A_EP, B_IP, C or D and systems not on the PCI network will be given a reasonable amount of time, not to exceed 30 days, to resolve the issues that have caused the non-compliance.  Merchants that have not corrected problems resulting in the non-compliant status within the allowed timeframe will be reported to the following individuals with the recommendation that merchant card processing privileges be terminated:
    1. University Chief Information Security Officer
    2. University Controller
    3. Departmental Budget Officer

B.  Changes to an Established Merchant Account

Any changes to an established merchant account must be requested using the Merchant Card Request Application: https://edeposit.bo.uiowa.edu/merchacct/

Examples of changes include:

  • Termination of account
  • Change of MFK for credit card accounts receivable
  • Change of MFK for credit card debits (fees, chargebacks, negative net sales)
  • Change of merchant primary contact
  • Change of technology used to process credit cards, such as:
    • A new or different method of accepting cards
    • Purchasing new software or hardware
    • Selecting a new gateway service provider

ALL merchant technology changes must be approved in advance, before purchase or use.    


 

APPENDIX A:  12 PRIMARY REQUIREMENTS OF PCI DATA SECURITY STANDARDS
APPENDIX B:  MERCHANT LEVELS DEFINED - COMPLIANCE VALIDATION REQUIREMENTS
APPENDIX C:  SAQ & TRUSTWAVE SCAN REQUIREMENTS