Point of Sale (POS) marks the location of the transaction. The customer will come to your place of business in person to make a purchase. The customer’s credit card will be physically swiped, dipped or held next to a terminal. An example of this type of transaction is making a purchase in person at a retail store and checking out using your credit card. Please note a percentage of point of sale transactions can be accepted over the phone or by mail order. Due to data security issues, mail order transactions are discouraged.

  • PCI DSS Responsibilities after receiving the POS Terminal

    Once you are doing business with the POS Terminal, you are responsible for continuously assessing your operations and fixing any vulnerability that could potentially cause a credit card data breach. This is part of the PCI compliance requirements.

    The best way to keep track of these ever-changing requirements is to go through the most up-to-date Payment Card Industry Data Security Standard Self-Assessment Questionnaire (PCI DSS SAQ) for P2PE and make sure that the merchant is compliant with each requirement listed. You, the merchant manager, are responsible for ongoing compliance with all of these requirements. This document has to be submitted to Business Affairs annually and within 30 days of receiving the merchant ID. Some of these requirements are:

    • Regular inspection of POS devices for tampering. Click here for best practices.
    • Create and maintain an inventory of POS devices. Include device type (POS), brand, model, serial number, location of device (including room number), jack number, and IP address (if applicable). This will be submitted as evidence with your yearly PCI DSS SAQ document.
    • Do not accept credit card numbers sent via end-user messaging technologies, such as email. If you receive a credit card number via email, let the customer know you cannot accept the order that way and offer an alternative. Then, delete the email, delete the email from your deleted items folder, and contact CN to delete the email from the server.
    • Do not store cardholder data, either on paper or electronically.
    • Shred any written cardholder data using a cross-cut or micro-cut shredder.
    • Do not leave device passwords in plain sight.
    • Provide training for new employees before they use the POS device, and provide annual training for all employees who use the POS device. This requirement can be met by watching the PCI Awareness Training online or by attending the annual PCI Overview Training in person.
    • Maintain and update policies and procedures related to PCI DSS SAQ compliance. These will be submitted as evidence with your yearly PCI DSS SAQ document.
    • Complete the SAQ P2PE annually, including Expected Testing and submission of supporting documents, as evidence of PCI DSS compliance.

    For more information on what you have to do throughout the year to stay PCI compliant, please visit the PCI Compliance for OSU Credit Card Merchants website.


Point of Sale Frequently Asked Questions:

Q1. Who answers questions about your Point of Sale transactions (products, orders, payments, credit card transactions, refunds)?

  • You, as the merchant, are responsible for answering all questions coming from the customer. If you cannot answer the question or if there is a technical issue, eCommerce Support can assist with troubleshooting.

Q2. Who makes the merchant’s deposits?

  • You, as the merchant, are responsible for submitting your deposits to the cashiers.