Policy: 404-Becoming a Credit Card Merchant
Date: 12/11/06
This Policy and Procedure DOES NOT include information on Purchasing Cards. For information on P-Cards or Purchasing Cards, please refer to http://www.bussvc.wisc.edu/acct/purchcd/
Merchant Credit Card Policies and Procedures:
The following guidelines must be used by departments when accepting credit card information in order to process payments for services, purchases, registration, etc.
Card Merchant Sites:
- Credit card merchant sites must be established and maintained through UW Madison Cash Management.
- Each campus merchant site must keep current a contact person for Cash Management.
- Reconciliation of credit card merchant activity must be performed at least monthly.
- There must be adequate separation of duty between the person issuing the refund and the individual reconciling the account.
- Credit card merchants cannot store credit card information on a local computer or server unless the system is secure. See your IT staff for details on how to accomplish this. The secure system must be reviewed by either Internal Audit or DoIT. Prior to being reviewed, the department must review the following web site, Cardholder Information Security Program Self-assessment Questionnaire, and fill out this questionnaire: PCI (Payment Card Industry) Data Self-assessment Questionnaire, https://www.pcisecuritystandards.org/tech/supporting_documents.htm
- Credit card information can be accepted by telephone, mail, or in person only. Credit card information cannot be accepted via email and should never be emailed from the department.
- Credit card receipts may only show the last five digits of the credit card number. If more than the last 5 digits are printed on the receipt, contact Cash Management or Janet Hamm at 265-2909.
- Under no circumstances should the Card Identification Number (CID) be stored electronically or on paper. The CID number is the three-digit security code on the back of the credit card.
- If it is absolutely necessary to record the entire credit card number to process the transaction, all but the last 4 digits of the credit card number must be blacked out as soon as refunds and disputes are no longer likely. Preferably this will be completed within 60 days and should not exceed 180 days.
- Paper records must be stored in a locked room or file cabinet. Access to the storage area(s) must be limited to authorized personnel only.
Retain the original receipts, which show the last 4 digits of the credit card number, for all transactions and any original, signed documentation in a secure location for a minimum of 6 years plus the current year, per university record retention guidelines. The guidelines can be found at http://www.uwsa.edu/fadmin/records.htm and also at http://archives.library.wisc.edu/RM/rechome.htm
E-commerce:
- E-commerce sites require the prior approval of the appropriate Dean or Director’s Office and Cash Management.
- E-commerce sites can be established by DoIT. These sites provide tested security and use an approved third party service provider for processing transactions. Instructions for establishing an e-commerce site can be found at http://www.bussvc.wisc.edu/acct/ccinter.html
- E-commerce sites established by DoIT must provide adequate separation of duties between the individual issuing the refund and the person reconciling the account. On a daily basis, there should be a reconciliation performed between the DoIT interfaces and the third party service provider.
- If the e-commerce site is not set up by DoIT, a UW System or UW Madison contracted vendor must be used for processing and storage of data. The department must provide assurance to Cash Management that the vendor meets all of the VISA Security requirements by sending to Cash Management the most current copy of the vendor’s completed Cardholder Information Security Program questionnaire. In addition, there must be adequate separation of duties between the individual issuing a refund and the person reconciling the account.
- No other e-commerce site can be established without prior approval from Cash Management and the appropriate Dean’s or Director’s Office. Prior approval will require confirmation that the e-commerce sites, and all third party service providers, meet the security requirements provided by the VISA Cardholder Information Security Program and can provide proof of liability insurance. This requires a formal contract approved by an individual with designated signature authority by the Purchasing Services agent or a delegated purchasing agent on campus.
UW Madison Purchasing Card:
Record retention requirements for the UW Madison Purchasing Card Program documentation can be found on the Purchasing Card Website under the Site Manager information at http://www.bussvc.wisc.edu/acct/purchcd/siteman.html
Related Procedure(s):
Becoming a Credit Card Merchant
Cardholder Information Security Program (CISP)/Payment Card Industry (PCI) Information
Who should know this policy?
Deans, Directors, and staff dealing with revenue.
Related Documents:
Setting Up a Regular Account (For Over-the-Counter, Mail and Phone Sales)
Setting Up an Internet Account (For Sales through an E-Commerce Site)
Critical Security Notice: Immediate Attention Required
Payment Card Industry Self Assessment Questionnaire
Industry Letter: Merchant Requirement for Securing Cardholder Information
Contacts:
Janet Hamm | Cash Management | Sharon Hughes
