Merchant Operations

Units that are approved to accept payment cards must establish and maintain a proper security environment to safeguard a customer's payment information at all times.

Payment cards can be processed with a payment card present or not present, using terminal, point of sale (POS), and online e-Commerce technologies.

Regardless of the payment method and technology used, a customer trusts that the unit accepting his or her card will protect that information as if the customer were handing over cash. Therefore, you should treat payment card information as carefully as any other confidential or valuable information (such as a Social Security number or a stack of hundred-dollar bills). It is the unit's responsibility to follow payment card policies and procedures to ensure that transactions are processed safely and in accordance with the agreements established by the University of Illinois and its payment acquirer.

A unit must comply with the Payment Card Industry Data Security Standard. A unit must undergo periodic reviews of its processing environment by Merchant Card Services to ensure that all policies and procedures are being followed. As always, any business operation is subject to formal review by the Office of University Audits.

If at any time a unit experiences a breach or compromise of payment information or related data, that unit must report the event immediately to Merchant Card Services. We will assess the situation and invoke the necessary incident response plan. A unit must also notify its respective campus Information Security office of the possible breach. Units found to be non-compliant with processing requirements are subject to immediate suspension of card processing capability.