Clickable staff directory icon.
Clickable forms icon.
Clickable org chart icon.
Clickable about us icon.

Credit Card Merchant Onboarding Process | Text View

Credit Card Merchant Onboarding Process

When merchantsupport@ucdavis.edu receives an email request for information regarding credit card acceptance, the requestor will be sent an explanatory email with detailed information on PCI compliance requirements and associated fees. If the requestor wishes to proceed in establishing a merchant account a formal email request should be submitted.

The email request should include:

  • Business justification
  • Transaction volume $ dollars expected to receive
  • Acceptance channel, I.E In-person or E-commerce
  • Request must come from department head

Moving Forward

Once the formal email request has been submitted and the department has received approval from the PCI Team stating they may move forward with credit card acceptance, the type of merchant account requested (see list above) will determine next steps. SAQ A and SAQ B do not require prior approval from the PCI Team as these are established processes, however, SAQ A may require a scan of environment prior to going live. All other acceptance types require consultation with PCI team to establish the feasibility, next steps, and timeline for implementation:

  • Discussion of requested acceptance type, feasibility (technical/fiscal)
  • RFP review if applicable
  • Contract review to ensure PCI language and DS are included
  • Cost analysis
  • Timeline and assessment prior to implementation

All departments/merchants who have received approval from the PCI Team and completed the steps to establish a credit card merchant must complete the following before becoming operational (this also applies to existing merchants who are changing acceptance type, I.e. SAQ B to SAQ P2PE):

Merchant PCI Compliance Contact must complete the appropriate SAQ in Coalfire One and provide/upload all required evidence of compliance to include:

  • Security Policy
  • Credit Card acceptance procedure
  • Training Logs
  • Device tampering log/inventory
  • Pictures of devices and shredders if applicable
  • Contract and policies if applicable (vendor management)