Asking for forgiveness, not permission, does not apply when it comes to PCI
As part of your organization’s PCI compliance program, you must have a defined process for establishing a new merchant account or a new payment process.
The institution’s overarching payment card policy should state that any department that is considering taking payment cards must undergo a thorough review before being allowed to accept card payments. This process will help to ensure that all components of payment card handling at the institution remain PCI compliant.
Prospective merchants should first complete an application for a new merchant account. Along with locations and contact information, the application should outline the business case and description of proposed payment activity, the estimated frequency and volume of transactions, the types of processing requested (online, in-person, mobile, etc.), as well as the staff members who will be handling payment card information (request a copy of our template from your Customer Advocate Team). The requesting departments should also review the organization’s PCI compliance policies and procedures to ensure they will be able to fulfill all requirements.
The necessary review and approval process must be completed prior to entering into any third-party contracts, or purchasing software or equipment to process card payments. Remind all merchants that it is against policy to purchase any payment card equipment or sign any third-party agreements without approval from the PCI Team or other appropriate parties. This allows your organization to carefully evaluate all new merchant areas for potential security and compliance risks before they deploy a new payment solution and undiscovered security gaps escalate into larger issues for the institution.
Determine who will be responsible for approving new merchants. Typically, the finance team manages the banking relationship and holds the responsibility for setting up any new merchant accounts, but the review process may be a collaborative effort between the PCI Team, Finance (Controller or Treasury), and Information Technology. Depending on the complexity of the requested payment methods, you may also need to involve Procurement and other specific departments to make sure all perspectives are covered.
Many organizations have standardized on a select list of payment processing solutions and equipment that have previously been reviewed and approved for use within their environments. Departments that are considering taking payments should consider those options first. Your organization may have a contract with a merchant services provider or a preferred payment gateway. If that is the case, merchants may be required to use their specified equipment or online web applications. If a new merchant has a business case that justifies the use of an alternate process or vendor, this must then be put through the review process, and the merchant must understand that they may not be able to deploy the new solution as quickly as one that has already been vetted.
The final step in bringing a new merchant “live” and ready to accept card payments is, of course, ensuring all of their documentation is in place. Prior to processing that first payment, and then on an ongoing basis, all merchants are required to create and maintain the following:
- Merchant/Device inventory
- Inspection logs of all payment card processing equipment
- Payment card data flow diagram
- Departmental payment card procedures (to include incident response procedures, procedures regarding the physical security of point of sale equipment, etc.)
- Listing of all staff involved with accepting or handling payment cards
- Documented awareness training for all staff members
- Documented staff acknowledgements of the Payment Card Security Policy
- Third-party service provider compliance review
By educating your community on the requirements for obtaining approval prior to their request for a new merchant or payment process, they will hopefully be better prepared to partner with you and understand what their role will be. Clear communications ahead of time will help to avoid the discovery of “rogue” departments who have set up their own merchant accounts or signed contracts with third-party vendors. Once a contract or process is in place it is much more difficult to remediate the situation. It only takes one non-compliant merchant to throw the entire organization out of compliance, or even worse, be the cause of a payment card breach. Asking for forgiveness, not permission, does not apply when it comes to PCI.
Some additional guidance from the CampusGuard Customer Advocate team:
[Rivkin]: Especially during these unprecedented times, with departments operating remotely and in different ways than they may have previously, it is more important than ever to ensure your PCI team is staying connected with merchants and ensuring any new requests or changes are reviewed and in line with your institution’s requirements. CampusGuard usually works with the PCI team very early into our partnership to develop a documented process with a new merchant account application and annual merchant survey. This helps to establish an environment of open communication between the PCI team and all merchant areas across campus. We have seen great success when implementing and enforcing processes and procedures such as these, allowing teams to ensure ongoing PCI compliance efforts are consistent across even the largest organizations.