Policy/Procedure: 404-Credit Card Merchant Services and PCI Compliance
UW-Madison departments which accept credit cards as a form of payment for goods and services are required to comply with Payment Card Industry Data Security Standards (PCI-DSS). The purpose of the PCI DSS standard is to ensure credit card data is protected. The PCI Compliance Team will validate the department’s PCI Compliance. Failure to comply with the PCI DSS requirements will result in the loss of credit card processing privileges.
This policy applies to all UW Madison departments which accept credit cards as a form of payment for goods and services.
The University of Wisconsin – Madison processes over $100 million dollars in credit card transactions per year. In fiscal year 2014 this includes 2.82 million transactions from 215 merchant accounts. The University is contractually responsible for protecting the credit card data used to process these transactions per the guidance provided by the PCI Data Security Standard (PCI-DSS).
A credit card breach may result in fines starting at $200,000. However, the actual costs of a credit card breach are estimated around $204 per credit card. More importantly, the UW-Madison’s image would be tarnished. This could result in fewer donors willing to support the University or business partners willing to acquire University resources.
UW-Madison can reduce the risk of compromised credit card data by securing the network, hardware, applications, processes and meeting PCI Compliance requirements.
Statement of Policy
UW-Madison departments which accept credit cards as a form of payment for goods and services are required to comply with Payment Card Industry Data Security Standards (PCI-DSS). The purpose of the PCI DSS standard is to ensure credit card data is protected. The most current version of the compliance requirements can be found at https://www.pcisecuritystandards.org/security_standards/index.php
The department’s compliance will be validated through the process of completing and submitting an annual PCI Self-Assessment Questionnaire (SAQ) for each merchant account. This provides the department the opportunity to review their credit card acceptance procedures and ensure compliance is maintained. The PCI Compliance Team reserves the right to validate responses provided by merchants to ensure compliance is maintained for the entire campus. Failure to validate the department’s compliance through the SAQ submission process will result in merchant account termination.
Each department accepting credit cards is required to designate a PCI Site Manager for each merchant account. The PCI Site Manager serves as the point of contact for their merchant accounts, and should have influence to establish procedures for the day-to-day handling of credit cards to ensure compliance.
The highest level of PCI responsibility belongs to the Divisional Financial Officer. This individual is responsible for approving the initial merchant account request and annually signing the PCI-SAQ as the executive officer. The Financial Officer may choose not to sign the PCI-SAQ if he/she does not approve of the merchant’s credit card processing procedures; in which case the merchant account will be closed.
Both the PCI Site Manager and Financial Officer are required to attend an initial PCI Training session. Subsequently, each year both the PCI Site Manager and the Financial Officer are required to complete annual online security awareness training. Finally, any employee or volunteer that handles a credit card on behalf of the University is required to complete PCI Operator training annually. The PCI Site Manager needs to annually track the completion of all PCI Operator trainings. The PCI Operator training can be found at https://charge.wisc.edu/pci/.
All revenue producing activities which receive payments via credit card must be approved by the Division of Business Services, Accounting Services Unit, Cash Management area, firstname.lastname@example.org. This includes any third party vendors which process credit cards on behalf of the University and submit payment via ACH or paper check. All revenue must be deposited into a UW Madison bank account which posts to WISDM. Gift/donation merchant accounts can only be processed through the University of Wisconsin Foundation http://www.supportuw.org/how-to-give.. To open a merchant account to accept credit cards follow these procedures.
PCI requires that certain policies and procedures be maintained and documented.
- The PCI Compliance Team must approve the storage, transmission, or processing of credit card data in an electronic format. All network locations and devices must be specifically approved for processing credit cards. (PCI DSS 12.3)
- The PCI Compliance Team must approve any third party vendors which process credit card payments on behalf of the University. CASHNet is the preferred vendor on campus. There is a process and procedure for contracting with third party vendors. (PCI DSS 12.8). Recommendations for contracts are summarized here.
- The University will provide or approve any device that is allowed to process credit cards. The costs of acquiring or implementing those devices will be charged to the department. (PCI DSS 12.3)
- Securing credit card data is everyone’s responsibility. Should there be a data security breach, the department responsible for the merchant account will be responsible for the costs of the breach. (PCI DSS 12.4)
- The department is responsible for conducting background checks for all employees with access to credit card data. (PCI DSS 12.7) These background checks should align with the campus policy.
- Departments are responsible for providing physical security and inventory of all devices that process credit cards. (PCI DSS 9.9)
- Credit card information cannot be accepted as a form of payment via any end user technology such as email, instant messaging, text message, or via the campus voicemail system. Emails containing credit card information should be immediately deleted and purged from the system. (PCI DSS 4.2)
- Any person that handles credit cards on behalf of UW Madison must complete annual training. Campus wide training is provided at https://charge.wisc.edu/pci/. (PCI DSS 12.6)
- All computers on the PCI Network must be returned to DoIT Departmental Support for sanitization http://www.doit.wisc.edu/services/departmental-support/. The computer can be returned to the department after the sanitization process is completed. This media includes, but is not limited to, hard drives, tapes, usb drives, etc. The official University "Media and Device Disposal and Reuse" policy is documented at https://kb.wisc.edu/itpolicy/cio-disposal-and-reuse-policy.
- All merchants are required to include a refund policy. Departments are responsible for establishing and communicating this policy to customers. Refunds must be processed with the same credit card account which was used in the original transaction.
- The PCI Site Manager must provide business procedures and develop a business continuity plan for taking credit card payments. The merchant may contact Cash Management for sample business procedures. Written PCI Policies and procedures must be submitted with the annual SAQ to Cash Management. If stated business practices change, all changes must be submitted to email@example.com(PCI DSS 12.10)
Per PCI DSS guidance, credit card data is defined as anything more than the first six digits and last four digits of the sixteen-digit primary account number (PAN) printed or engraved on the front of a credit card. Credit card data at a minimum consists of the full PAN and may also appear in the form of the full PAN plus any of the following: cardholder name, card expiration date, and card verification number. In addition, any information on the magnetic stripe or chip on the credit card is considered credit card data.
The cardholder name with only the last 4 digits of the PAN is not considered credit card data and does not need to be protected.
The following are required to ensure campus merchants provide adequate transaction integrity.
- A reconciliation of credit card activity should be completed to the accounting ledgers at least monthly. E-commerce orders should be reconciled to the CASHNet reporting portal before any merchandise is shipped.
- There should be adequate separation of duties between sales transaction processing and the physical goods being sold. In addition, there should be separation of duties between the person issuing refunds and the individual reconciling the account. For additional segregation of duties guidance contact firstname.lastname@example.org.
- All users are required to have their own CASHNet login and/or Merchant Connect login for access to transactions, settlements, and monthly fees.
- We recommend all merchant storefronts or shopping carts complete quarterly vulnerability scans. Merchants should remediate any vulnerability within 30 days. Campus scans can be coordinated through the Office of Cybersecurity at https://www.cio.wisc.edu/security/
- The merchant should periodically perform transaction walk-throughs to ensure the payment page redirects to CASHNet. After reaching the CASHNet page the browser can be closed without entering any credit card data.
- It is the responsibility of each UW-Madison credit card merchant to identify the location of their customers and reference the list of Office of Foreign Assets Control (OFAC) sanctioned countries, before the product or service is delivered. OFAC of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries (http://www.treasury.gov/resource-center/sanctions/Pages/default.aspx ).
- Each merchant is required to:
- Review customer addresses before delivery of the product or service, and issue refunds or void transactions from customers located in OFAC sanctioned countries.
- Prohibit immediate auto delivery of products at time of sale.
Policy to Close a Merchant Account
Failure to comply with this policy can result inyour department losing the privilege of accepting credit cards as a form payment. In addition, a merchant account can be closed:
- By the merchant choosing to close the merchant account and contacting Cash Management at email@example.com.
- If there is no activity for twelve consecutive months.
- If the department fails to comply with PCI DSS requirements. This includes maintaining a site manager, completing the required annual training and/or submitting the appropriate documentation (SAQ).
- CHD - Card Holder Data
- DSS - Data Security Standard
- MID - Merchant ID Number
- PAN - Primary Account Number
- PCI - Payment Card Industry
- QSA - Qualified Security Assessor
- SAQ - Self-Assessment Questionnaire
- Site - Business Operation
PCI CT Member – To provide guidance and monitor PCI Compliance requirements
Merchant Department – Manage the daily operations and maintain PCI Compliance?