Policy/Procedure: 404-Becoming a Credit Card Merchant
Date:
12/04/2013


This Policy and Procedure DOES NOT include information on Purchasing Cards (P‑Cards). See information about P-Cards at http://www.bussvc.wisc.edu/acct/purchcd/.

Overview

UW Madison outlines policies and procedures for the proper handling of credit card transactions, including system requirements and the responsibilities of University employees that process credit card transactions or maintain card holder information.  These policies and procedures are intended to assure timely handling of credit card transactions and aid in the safeguarding and proper disposal of credit card information.  Failure to follow this policy will result in the loss of credit card processing privileges.

Compliance requirements within this policy are derived from the following regulations or credit card association rules:

Credit card payments may be accepted either:

  • Via a secure website (https; email is not acceptable)
  • Over the counter (in person, by telephone, or by US Mail; email is not acceptable)

All credit card web applications, service providers, and point of sale equipment used by UW Madison must be validated and approved by the PCI DSS (https://www.pcisecuritystandards.org/security_standards/index.php) or be found on the Visa Service Level Provider list (http://www.visa.com/splisting/) as a Level One Service Provider.  There must be a contract signed by the proper University of Wisconsin authority, and it must contain the appropriate PCI Contract Language.

Cardholder Data (CHD) is identified as the 16 digit primary account number, cardholder name, service code, expiry date, full magnetic stripe, CVC2/CVV2/CID, and PIN.  Specific data which must never be written down or stored includes the full magnetic stripe, CVC2/CVV2/CID, and PIN.


Statement of Policy

Any University of Wisconsin Madison department that wishes to accept payment cards as a method of payment for goods and/or services must meet University policy, state and federal laws, and contractual obligations to the University’s bank and credit card Acquirer. All merchant requests must be approved by the Controller’s office.  A review of processes and business plans will be conducted prior to any merchant account activity and annually thereafter.  The review will be performed by members of the Payment Card Industry Campus Assistance Team (PCI-CAT).  The sale of goods and services must be consistent with the University's mission and the normal activities associated with the organization.

University of Wisconsin Madison departments that accept revenue via payment cards must adhere to the PCI DSS standards and Requirements:

Build and Maintain a Secure Network

  • 1. Install and maintain a firewall configuration to protect cardholder data
  • 2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • 3. Protect stored cardholder data
  • 4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • 5. Use and regularly update anti-virus software or programs
  • 6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • 7. Restrict access to cardholder data by business need to know
  • 8. Assign a unique ID to each person with computer access
  • 9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • 10. Track and monitor all access to network resources and cardholder data
  • 11. Regularly test security systems and processes

Maintain an Information Security Policy

  • 12. Maintain a policy that addresses information security for all personnel

This policy will create a consistent, cost-effective and secure environment for the University community to accept revenue via payment cards, one that protects customers' private data and protects the University from fines, liability, and loss of reputation.


Operating Principles

The following operating principles and responsibilities must be used by departments when accepting payment card information in order to process payments for services, purchases, registrations, etc.

  • All UW-Madison electronic payment merchant sites must be authorized in accordance with UW-Madison Revenue Producing Activity policies (see Policy 403-Revenue Producing Activities) to sell goods or services.
    • All Merchant sites must be authorized by the Division Business Representative and PCI Site Manager before submitting the merchant request.
    • All Merchant IDs must be Payment Card Industry (PCI) Compliant. See https://www.pcisecuritystandards.org.
    • All Merchants must annually complete the appropriate Self-Assessment Questionnaire (SAQ), and establish the policies and processes that are required by the SAQ. See https://www.pcisecuritystandards.org.
  • All electronic payment services offered by the University must be delivered using software, systems, and procedures that are Payment Card Industry (PCI) standard-compliant (see https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml for more information).
  • A dedicated terminal (PC or Hypercom device) with restricted access is required if credit card data is entered into the website on behalf of a customer.
  • The following electronic payment services are authorized for use by UW-Madison units:
    • CashNet
    • Services offered by a provider of primary line-of-business software, provided the Office of Campus Information Security in the CIO’s office validates the service to be PCI compliant.

NOTE: UW-Madison RPAs are NOT authorized to use PayPal or other types of payment services over the web to collect money from customers. If you are using these services, please contact CashNet-Help@bussvc.wisc.edu for assistance in converting to EPay.

  • There should be a certain level of uniformity/branding in the look and feel of UW storefronts (VISA has recommended standards). This uniformity not only gives institutional identity to UW-Madison, but can be used to avoid phishing.
  • UW-Madison units must coordinate the delivery of goods and services with the timing of charging electronic payments to customers.
  • The unit selling the goods or services must develop processes for handling credit card and bank account information provided by customers on paper in a safe way.  Paper documents showing this information must be shredded or the information must be blacked out on retained documents.
  • UW-Madison units must reconcile electronic payments with goods and services provided and with funds deposited by the electronic payment processor into university bank accounts and into the Shared Financial System ledger.
  • Schools and Colleges are responsible for arranging periodic audits of revenue producing units to assure that they are in compliance with these principles.


Merchant Responsibilities

  • Credit card merchant sites must be established and maintained through UW-Madison Controller's Office, Cash Management Unit.
  • Each campus merchant site must provide current contact information to Cash Management.
  • Merchants who wish to process credit cards using an online storefront will be required to have their website and storefront scanned quarterly for vulnerabilities. These scan reports will be provided to the campus merchant.  Merchants will have 30 days to remedy identified vulnerabilities or the website could be subject to suspension.  For new web sites, the scan must be completed and any vulnerabilities be remedied before the storefront goes live.
  • All persons who handle credit card information are required to annually complete PCI Operator training, at https://charge.wisc.edu/pci/
  • Credit card information can be accepted by telephone, mail, or in person only. All Merchants who take orders via phone, mail or in person will use a Hypercom T-4220 terminal or PCI compliant device and preferably a dial up line. A dedicated line is not required.
  • Fax machines which receive documents with credit card numbers must use an analog connection, and must be located in a secure office area which can be locked when not in use.
  • Credit card information cannot be accepted via email and should never be e-mailed from the department. Emails containing credit card information should be immediately deleted from the computer.
  • Credit card merchants cannot store credit card information on a local computer or server.
  • Under no circumstances should the Card Identification Number (CID) be stored electronically or on paper. The CID number is the three digit security code on the back of the credit card.
  • Credit card receipts may only show the last four digits of the credit card number.
  • If it is absolutely necessary to record the entire credit card number to process the transaction, all but the last four digits of the credit card number must be blacked out as soon as refunds and disputes are no longer likely. Preferably this will be completed within 60 days and should not exceed 180 days.
  • Chargeback documents from Elavon containing cardholder data must be locked up until processed and must be destroyed (cross cut shredded) after processing.
  • Full 16 digit cardholder data must NOT be displayed on any computer terminal.  When using Hypercom devices, the last 4 digits can be displayed only.  When using CASHNet, the last 4 digits can be displayed only.  When using Merchant Connect, the first six and the last 4 digits can be displayed only.
  • All paper transactions containing credit card numbers should be processed as soon as possible.  The storage of paper records containing credit card information should be limited to that needed to conduct business.  These records shall be stored in a locked filing cabinet or safe in a locked room.  After the transaction is processed, the portion of the paper containing the credit card number shall be destroyed (cross cut shredded), unless a longer retention time period is required by contract or law.
  • After the retention time period, records must be destroyed confidentially per university record retention guidelines. The guidelines can be found at http://www.uwsa.edu/fadmin/records.htm and also at http://archives.library.wisc.edu/RM/rechome.htm.
  • Merchants must have Approval of the Payment Card Industry Compliance Assistance Team (PCI-CAT) before entering into any contracts or purchases of software and/or equipment related to credit card processing. This requirement applies regardless of the transaction method or technology used (e.g. e-commerce, POS device)
  • All contracted third parties with access to cardholder data must adhere to PCI security requirements and provide proof of PCI certification to the merchant department.
  • Merchants may assign an individual to administer the control of log-in privileges with unique user IDs, with no shared or generic IDs.
  • All operators with computer access must be assigned a unique ID, and the IDs must never be shared.
  • Limit software access to secure locations, delete access to software for terminated employees, and do not use vendor-supplied defaults for system passwords.
  • In order to reduce the risk of the unauthorized release of cardholder data that may be contained on equipment leaving the Payment Card Industry environment, all media connected to equipment processing or storing cardholder data must be securely wiped before leaving the environment.  This media includes, but is not limited to, hard drives, tapes, USB drives, etc.  The official University "Media and Device Disposal and Reuse" policy is documented at http://www.cio.wisc.edu/IDisposePolicy.pdf.
  • A change record must be generated when Payment Card Industry equipment leaves the Payment Card Industry environment and must be processed by RaDS or approved Payment Card Industry support staff.  These staff must identify the media that will need to be wiped as well as the most effective method of wiping the media, e.g. using "Darik's Boot and Nuke" on hard drives etc. and subsequently implement the wiping before the media leaves.
  • Reconciliation of credit card merchant activity must be performed at least monthly.
  • There must be adequate separation of duty between any person authorized to issue a refund and the individual reconciling the account.
  • It is the responsibility of each UW-Madison credit card merchant to identify the location of their customers and reference the list of OFAC sanctioned countries, before the product or service is delivered.
    The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries.
    http://www.treasury.gov/resource-center/sanctions/Pages/default.aspx
    Each merchant shall:
    • Review customer addresses before delivery of the product or service, and issue refunds or void transactions from customers located in OFAC sanctioned countries.
    • Prohibit immediate auto delivery of products at time of sale.

    Although sanctions vary by country, the countries currently on the OFAC embargo list include Balkans, Belarus, Burma, Cote d'Ivoire, Cuba, Congo, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Somalia, Sudan, Syria, Yemen and Zimbabwe.


Procedures

There are two types of credit card merchant operations:

(1) Face-to-Face/Counter Swipe/Telephone Sales

Complete the following steps:

  • E-mail the Face-to-Face Operations Set Up form to Janet Hamm at Cash Management.
  • Cash Management will work with Elavon to obtain a merchant ID number.
  • Equipment and/ or information material will be mailed from Elavon to the merchant.

For questions, contact the Cash Management office; Janet Hamm, 265-2909.

(2) Web-based/Internet Storefront

Complete the following steps:

  • E-mail Web-based Internet Operations Set Up form to CashNet-Help@bussvc.wisc.edu
  • Cash Management will work with Elavon and American Express to obtain a merchant ID number.
  • Cash management will work with CashNet to set up the store and an operator account.
  • Cash Management will train merchants on using CashNet, including how to run periodic reports.

For questions, contact the Cash Management office; Janet Hamm, 265-2909.

(3) CashNet

Storefront Options for Web-based Revenue Producing Account (RPA):
The following are four options the Revenue Producing Account (RPA) can choose from when setting up a storefront for web-based operations:

    1. Storefront created for the RPA by DoIT.
    2. The RPA creates their storefront.
    3. The RPA purchases storefront software from a vendor and wishes to use CashNet as the payment processor.
    4. The RPA purchases storefront software from a vendor and wishes to use the CASHNet processor that is offered by the purchased software vendor.

1. Storefront created for the RPA by DoIT.


2. The RPA creates their storefront.


3. The Revenue Producing Account (RPA) purchases storefront software from a vendor and wishes to use CashNet as the payment processor.

  • The RPA will work with Purchasing Services to create a contract for software/hardware purchases relating to the storefront.
  • The selected software vendor will have to meet the Payment Card Industry standards with respect to security over customer personal information. This should be specified as part of the bidding process to select the vendor. If required, Cash Management will work with the RPA to arrange a determination whether the PCI standards are met (see Credit Card Merchant above).
  • Cash Management will contact the RPA with Credit Card Merchant ID information.
  • Cash Management will arrange for technical assistance from CashNet to work with the software vendor to connect the two services. Any costs associated with this service from CashNet will be passed on to the RPA.
  • Cash Management will provide RPA staff with training about how to use control reports.


4. The Revenue Producing Account (RPA) purchases storefront software from a vendor and wishes to use the payment processor that is offered by the purchased software vendor.

  • The RPA will work with Purchasing Services to create a contract for software/hardware purchases relating to the storefront.
  • The selected software vendor will have to meet the Payment Card Industry standards with respect to security over customer personal information. This should be specified as part of the bidding process to select the vendor. If required, Cash Management will work with the RPA to arrange a determination whether the PCI standards are met (see Credit Card Merchant above).
  • Cash Management will contact the RPA with Credit Card Merchant ID information.


Cost of Services

For Face-to-Face and Web-based (Internet) operations:

  • Elavon and American Express charge a fee, or "merchant discount," for the processing of credit card payments. The VISA, Mastercard, and Discover rate is approximately 2.00 percent and the American Express rate is approximately 2.25 percent. Elavon charges $0.05 (5 cents) per refund transaction and also charges a $5.00 monthly maintenance fee for the Merchant ID.  Chargebacks are $7.50.  Discover charges an additional $0.05 (5 cents) per transaction. These charges are passed through by Cash Management to the RPA.


PCI Compliance Training

Each role in the PCI Compliance process has its own level of responsibility. Training of Division Business Representatives, site managers and operators is an important part of PCI compliance.

PCI Division Business Representative

The highest level of responsibility belongs to the Division Business Representatives (DBR). The DBR is responsible for all credit card merchant activities in his or her Division or Dean's Office. Each DBR must attend an annual PCI training session, which is offered and tracked by the Office of Human Resource Development (OHRD). The training sessions are listed at the OHRD website, www.ohrd.wisc.edu, under Business Services Topics in the Catalog.

PCI Site Manager

The next level of responsibility belongs to the PCI Site Manager. All credit card merchant operations have at least one PCI site manager, who is responsible for the day to day operations of the merchant activity. PCI Site Managers must attend an annual PCI training session, which is tracked by the Office of Human Resource Development (OHRD). PCI Site Managers will learn about the University's initiative for becoming PCI compliant in systems, infrastructure and processes. In this interactive discussion, attendees will learn about the PCI compliance process, how this compliance initiative will affect their business practices and processes, and how they can help their department/division avoid serious financial exposure by meeting and adhering to the PCI Data Security Standard. The training sessions are listed at the OHRD website, www.ohrd.wisc.edu, under Business Services Topics in the Catalog.

Responsibilities of the PCI Site Manager include ensuring that PCI Operators have been appropriately trained in the PCI Data Security Standard, and are thus PCI Compliant.

PCI Operator

The third role and level of responsibility belongs to the PCI Operator. Operator training is required on an annual basis.

A PCI Operator is anyone in the business process who handles credit card information. Examples of operators include:

  • Anyone who handles a customer credit card at a point-of-sale device.
  • Anyone who processes faxed or mailed forms that contain credit card information.
  • Anyone who accesses a web application that processes credit card information (such as CashNet).

Online Training Modules

To assist with achieving this compliance, UW Madison's PCI Compliance Assistance Team (PCI-CAT) has developed three on-line training modules for the university's credit card operators.

  • The first module addresses general PCI Compliance with regards to basic credit card transactions.
  • The second module focuses on situations where the card is present (over the counter transactions).
  • The third module focuses on situations where the card is not present (telephone, fax or mail order transactions).

All PCI Operators must complete the first module; the second and third modules will be assigned by the PCI site manager, according to the business process for the merchant. For example, operators who handle credit cards for over the counter transactions should complete modules 1 and 2; operators who handle credit cards for telephone, fax or mail orders should complete modules 1 and 3. In some cases, operators may need to complete all 3 modules. For assistance in making this determination, please contact PCI-Help@bussvc.wisc.edu.

Here is the link to access the Operator Training Modules:  https://charge.wisc.edu/pci/

Training Confirmation and Tracking

PCI Compliance requires all operators to be trained on an annual basis, which must be tracked by the PCI site manager. To assist you in meeting this requirement, the on-line training tool will produce a certificate of completion, which includes the operator's name, date, and expiration date. Upon completion of the training modules, the system will email the certificate to the PCI Operator who will then print and deliver a copy to the PCI site manager. The PCI site manager must retain a copy of the certificate for each operator, to document that they have been trained according to PCI requirements.

Elavon Equipment and Training Information

The Hypercom will cost $440.00 and show up directly against the merchant ID on the merchant monthly statement. Hypercom machines are programmed for dial out and need a regular analog phone line.

When the equipment arrives, verify that the machine shows the correct address, name and MID when plugged in. Call Elavon training at 866-451-4007 and schedule a 20 minute training session on how to use the Hypercom and on transaction settlement. Note: the terminal will not auto-settle unless the machine is plugged in. Auto-settle occurs at 12:30 am unless otherwise specified.

To report equipment problems call Relationship Services National Account at 800-725-1245 Option 1. Document these equipment problem calls; request the first and last name of the relationship person you are working with.

To order supplies such as thermal paper call Customer Service Center at 800-725-1243 Option 3.

An Ethernet connection must be approved by PCI-CAT. The Hypercom machine must be dedicated to a specified data port and must not be moved. For approved Ethernet use only (PCI-CAT), you MUST contact RADS to ensure that the IP will go through the PCI Datacenter. Please schedule this with RADS at 263-RADS (7237) or email repair@doit.wisc.edu and let RADS know this is a PCI issue.


Contacts

  • Credit Card Security and Payment Card Industry (PCI) Questions:
  • Web-based/Internet Storefront:
  • Face to Face/Counter Swipe/Telephone Sales:
    • Janet Hamm; (Phone) 608-265-2909
    • (FAX) 608-262-5060
  • General financial questions related to credit card processing:
  • Cash Management Supervisor:
    • Sharon Hughes; (Phone) 608-262-1305
    • (FAX) 608-262-5060


Forms

Related Documents
