Policy: 404-Becoming a Credit Card Merchant
Date: 12/11/06
Updated for E-Pay: 07/13/09


This Policy and Procedure DOES NOT include information on Purchasing Cards. For information on P-Cards (Purchasing Cards), please refer to http://www.bussvc.wisc.edu/acct/purchcd/.

Overview

E-Payment Processing Service (E-Pay) is a service offered by the Business Services, Controller’s Office, Cash Management section, which provides services for Revenue Producing Accounts (RPA) at UW–Madison to record their face-to-face and/or web sales made via credit cards. The University contracts with Elavon, a subsidiary of US Bank, to provide card processing services and with CashNet (Informed Decisions Group) to provide e-payment services for web-based sales.

Statement of Policy:

There is growing risk and a legal and regulatory environment surrounding the responsibilities of organizations that collect charge card numbers and bank account numbers from customers as part of payment transactions, whether automated or manual.

Operating Principles:

The following operating principles and responsibilities must be used by departments when accepting credit card information in order to process payments for services, purchases, registration, etc.

  1. All UW-Madison e-Payment merchant sites must be authorized in accordance with UW-Madison Revenue Producing Activity policies (see http://www.bussvc.wisc.edu/acct/policy/rpa/rpapol.html ) to sell goods or services.
  2. All e-Payment services offered by the University must be delivered using software, systems, and procedures that are Payment Card Industry (PCI) standard-compliant (see https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml for more information).
  3. The following e-Payment services are authorized for use by UW-Madison units: (a) e-Pay via CashNet or (b) services offered by a provider of primary line-of-business software, provided that the Office of Campus Information Security in the CIO’s office validates that service to be PCI compliant.
  4. There should be a certain level of uniformity/branding in the look and feel of UW storefronts (VISA has recommended standards). This uniformity not only gives institutional identity to UW-Madison, but can be used to avoid phishing.
  5. UW-Madison units must coordinate the delivery of goods and services with the timing of charging e-Payments to customers. For example, backordered goods should not be billed until the goods are shipped or delivered to customers.
  6. The unit selling the goods or services must develop processes for handling charge card and bank account information provided by customers on paper in a safe way. Paper documents showing this information must be shredded or the information must be blacked out on retained documents.
  7. UW-Madison units must reconcile e-Payments with goods and services provided and with funds deposited by the e-Payment processor into University bank accounts and into the Shared Financial System ledger.
  8. Schools and Colleges are responsible for arranging periodic audits of revenue producing units to assure that they are in compliance with these principles.

Credit Card Merchant Responsibilities:

  • Credit card merchant sites must be established and maintained through the UW-Madison Controller's Office Cash Management Unit.
  • Each campus merchant site must keep its contact person for Cash Management current.
  • Credit card information can be accepted by telephone, mail, or in person only.
  • Credit card information cannot be accepted via email and should never be e-mailed from the department.
  • Credit card merchants cannot store credit card information on a local computer or server.
  • Under no circumstances should the Card Identification Number (CID) be stored electronically or on paper. The CID number is the three-digit security code on the back of the credit card.
  • Credit card receipts may only show the last five digits of the credit card number.
  • If it is absolutely necessary to record the entire credit card number to process the transaction, all but the last four digits of the credit card number must be blacked out as soon as refunds and disputes are no longer likely. Preferably this will be completed within 60 days and should not exceed 180 days.
  • Reconciliation of credit card merchant activity must be performed at least monthly.
  • There must be adequate separation of duty between any person authorized to issue a refund and the individual reconciling the account.
  • Paper records must be stored in a locked room or file cabinet. Access to the storage area(s) must be limited to authorized personnel only.
  • Retain the original receipts, which show the last four digits of the credit card number, for all transactions and any original, signed documentation in a secure location for a minimum of six years plus current year per university record retention guidelines. The guidelines can be found at http://www.uwsa.edu/fadmin/records.htm and also at http://archives.library.wisc.edu/RM/rechome.htm.

Who should know this policy?

  • Deans, Directors, and staff dealing with revenue.
