Policy/Procedure: 404-Becoming a Credit Card Merchant
Date: 3/23/2011


This Policy and Procedure DOES NOT include information on Purchasing Cards (P‑Cards). See information about P-Cards at http://www.bussvc.wisc.edu/acct/purchcd/.

Overview

Managers of Revenue Producing Accounts (RPA) at UW-Madison need to obtain approval from the UW-Madison Business Services, Controller's Office, Cash Management section prior to initiating or engaging in any payment card activity. Electronic Payments (E-Pay) is a service offered by Business Services that allows RPAs to record face-to-face and/or web sales transactions made via credit cards. The University contracts with Elavon, a subsidiary of US Bank, to provide card processing services and with CashNet (Informed Decisions Group) to provide E-Pay services for web-based sales.


Statement of Policy

There is growing risk, and a legal and regulatory environment, surrounding the responsibilities of organizations that collect payment card numbers from customers as part of payment transactions, whether automated or manual. University units that accept payment cards as a method of payment must meet University policy, state and federal laws, and contractual obligations to the University's banks and financial institutions. The sale of goods and services must be consistent with the University's mission and the normal activities of the college or unit associated with the organization. Units that accept revenue via payment cards must:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

This policy will create a consistent, cost-effective and secure environment for the University community to accept revenue via payment cards that provides the following:

  • Compliance with University policy, state and federal laws, and Payment Card Industry Data Security Standards (PCI DSS)
  • Protection of customer's private data
  • Protection for the University from fines, liability, and loss of reputation.

The campus goal is to be Payment Card Industry (PCI) compliant, including systems, infrastructure and processes, by December 31, 2011.


Operating Principles

The following operating principles and responsibilities must be used by departments when accepting payment card information in order to process payments for services, purchases, registrations, etc.

  • All UW-Madison electronic payment merchant sites must be authorized in accordance with UW-Madison Revenue Producing Activity policies (see Policy 403-Revenue Producing Activities) to sell goods or services.
    • All Merchant sites must be authorized by the Division Business Representative and PCI Site Manager before submitting the merchant request.
    • All Merchant IDs must be Payment Card Industry (PCI) Compliant. See https://www.pcisecuritystandards.org.
    • All Merchants must annually complete the appropriate Self-Assessment Questionnaire (SAQ), and establish the policies and processes that are required by the SAQ. See https://www.pcisecuritystandards.org.
  • All electronic payment services offered by the University must be delivered using software, systems, and procedures that are Payment Card Industry (PCI) standard-compliant (see https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml for more information).
  • A dedicated terminal (PC or Hypercom device) with restricted access is required if credit card data is entered into the website on behalf of a customer.
  • The following electronic payment services are authorized for use by UW-Madison units:
    • E-Pay via CashNet
    • Services offered by a provider of primary line-of-business software, provided the Office of Campus Information Security in the CIO’s office validates the service to be PCI compliant.

NOTE: UW-Madison RPAs are NOT authorized to use PayPal or other types of payment services over the web to collect money from customers. If you are using these services, please contact CashNet-Help@bussvc.wisc.edu for assistance in converting to E-Pay.

  • There should be a certain level of uniformity/branding in the look and feel of UW storefronts (VISA has recommended standards). This uniformity not only gives institutional identity to UW-Madison, but can be used to avoid phishing.
  • UW-Madison units must coordinate the delivery of goods and services with the timing of charging electronic payments to customers.
  • The unit selling the goods or services must develop processes for safely handling credit card and bank account information provided by customers on paper. Paper documents showing this information must be shredded, or the information must be blacked out on retained documents.
  • UW-Madison units must reconcile electronic payments with goods and services provided and with funds deposited by the electronic payment processor into university bank accounts and into the Shared Financial System ledger.
  • Schools and Colleges are responsible for arranging periodic audits of revenue producing units to assure that they are in compliance with these principles.


Merchant Responsibilities

  • Credit card merchant sites must be established and maintained through UW-Madison Controller's Office, Cash Management Unit.
  • Each campus merchant site must provide current contact information to Cash Management.
  • Merchants who wish to process credit cards using an online storefront will be required to have their website and storefront scanned quarterly for vulnerabilities. These scan reports will be provided to the campus merchant. Merchants will have 30 days to remedy identified vulnerabilities or the website could be subject to suspension. For new websites, the scan must be completed and any vulnerabilities remedied before the storefront goes live.
  • All persons who handle credit card information are required to annually complete PCI Operator training, at https://charge.wisc.edu/pci/
  • Credit card information can be accepted by telephone, mail, or in person only. All Merchants who take orders via phone, mail or in person will use a Hypercom T-4220 terminal or PCI compliant device and preferably a dial up line. A dedicated line is not required.
  • Fax machines which receive documents with credit card numbers must use an analog connection, and must be located in a secure office area which can be locked when not in use.
  • Credit card information cannot be accepted via email and should never be e-mailed from the department. Emails containing credit card information should be immediately deleted from the computer.
  • Credit card merchants cannot store credit card information on a local computer or server.
  • Under no circumstances should the Card Identification Number (CID) be stored electronically or on paper. The CID is the three-digit security code on the back of the credit card.
  • Credit card receipts may only show the last four digits of the credit card number.
  • If it is absolutely necessary to record the entire credit card number to process the transaction, all but the last four digits of the credit card number must be blacked out as soon as refunds and disputes are no longer likely. Preferably this will be completed within 60 days and should not exceed 180 days.
  • Chargeback documents from Elavon containing cardholder data must be locked up until processed and must be destroyed (cross cut shredded) after processing.
  • The full 16-digit cardholder number must NOT be displayed on any computer terminal. When using Hypercom devices, only the last 4 digits can be displayed. When using CASHNet, only the last 4 digits can be displayed. When using Merchant Connect, only the first six and the last 4 digits can be displayed.
  • All paper transactions containing credit card numbers should be processed as soon as possible.  The storage of paper records containing credit card information should be limited to that needed to conduct business.  These records shall be stored in a locked filing cabinet or safe in a locked room.  After the transaction is processed, the portion of the paper containing the credit card number shall be destroyed (cross cut shredded), unless a longer retention time period is required by contract or law. 
  • After the retention time period, records must be destroyed confidentially per university record retention guidelines. The guidelines can be found at http://www.uwsa.edu/fadmin/records.htm and also at http://archives.library.wisc.edu/RM/rechome.htm.
  • Merchants must have Approval of the Payment Card Industry Compliance Assistance Team (PCI-CAT) before entering into any contracts or purchases of software and/or equipment related to credit card processing. This requirement applies regardless of the transaction method or technology used (e.g. e-commerce, POS device)
  • All contracted third parties with access to cardholder data must adhere to PCI security requirements and provide proof of PCI certification to the merchant department.
  • Merchants may assign an individual to administer the control of log-in privileges with unique user IDs, with no shared or generic IDs.
  • All operators with computer access must be assigned a unique ID, and the IDs must never be shared.
  • Limit software access to secure locations, delete access to software for terminated employees, and do not use vendor-supplied defaults for system passwords.
  • In order to reduce the risk of the unauthorized release of cardholder data that may be contained on equipment leaving the Payment Card Industry environment, all media connected to equipment processing or storing cardholder data must be securely wiped before leaving the environment. This media includes, but is not limited to, hard drives, tapes, USB drives, etc. The official University "Media and Device Disposal and Reuse" policy is documented at http://www.cio.wisc.edu/IDisposePolicy.pdf.
  • A change record must be generated when Payment Card Industry equipment leaves the Payment Card Industry environment and must be processed by RaDS or approved Payment Card Industry support staff. These staff must identify the media that will need to be wiped as well as the most effective method of wiping the media, e.g. using "Darik's Boot and Nuke" on hard drives, and subsequently carry out the wiping before the media leaves.
  • Reconciliation of credit card merchant activity must be performed at least monthly.
  • There must be adequate separation of duty between any person authorized to issue a refund and the individual reconciling the account.
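An added example (not part of this policy and not code from any UW-Madison or CashNet system): the display-masking rules listed above written as code, plus a Luhn-based check that flags a full card number left in text such as a receipt, a log line or an e-mail body. The system keys and the sample text are constructed for illustration.

```python
"""Added illustration of the policy's cardholder-data display rules; not the
University's own code. System names below are constructed keys, not real APIs."""
import re

# Digits that may remain visible (leading, trailing), per the policy:
# Hypercom and CASHNet show only the last 4; Merchant Connect may show
# the first six and the last 4.
MASK_RULES = {
    "hypercom": (0, 4),
    "cashnet": (0, 4),
    "merchant_connect": (6, 4),
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; separates real PANs from other digit runs
    (order numbers, timestamps) that happen to be 13-19 digits long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, system: str) -> str:
    """Return the PAN masked for display on the named system."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    lead, trail = MASK_RULES[system]
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]


# A run of 13-19 digits, optionally separated by spaces or hyphens, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Locate full card numbers in text. Each hit is returned already masked
    to the last 4 digits so the finding itself does not re-expose the PAN."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits, "cashnet"))
    return hits


# Constructed sample: an e-mail body a merchant should never have received.
SAMPLE_EMAIL = (
    "Please charge 4111 1111 1111 1111 for the registration. "
    "Order 1234567890123456. Call 608-265-2909 with questions."
)
```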


Procedures

There are two types of credit card merchant operations:

(1) Face-to-Face/Counter Swipe/Telephone Sales
Complete the following steps:

  • E-mail the Face-to-Face Operations Set Up form to Janet Hamm at Cash Management.
  • Cash Management will work with Elavon to obtain a merchant ID number.
  • Equipment and/ or information material will be mailed from Elavon to the merchant.

For questions, contact the Cash Management office; Janet Hamm, 265-2909.

(2) Web-based/Internet Storefront
Complete the following steps:

  • E-mail Web-based Internet Operations Set Up form to CashNet-Help@bussvc.wisc.edu
  • Cash Management will work with Elavon and American Express to obtain a merchant ID number.
  • Cash management will work with CashNet to set up the store and an operator account.
  • Cash Management will train merchants on using CashNet, including how to run periodic reports.

For questions, contact the Cash Management office; Janet Hamm, 265-2909.

(3) E-Pay (CashNet) Storefront

Storefront Options for Web-based Revenue Producing Account (RPA):
The following are four options the Revenue Producing Account (RPA) can choose from when setting up a storefront for web-based operations:

    1. Storefront created for the RPA by DoIT.
    2. The RPA creates their storefront.
    3. The RPA purchases storefront software from a vendor and wishes to use CashNet as the e-payment processor.
    4. The RPA purchases storefront software from a vendor and wishes to use the e-payment processor that is offered by the purchased software vendor.

1. Storefront created for the RPA by DoIT.


2. The RPA creates their storefront.


3. The Revenue Producing Account (RPA) purchases storefront software from a vendor and wishes to use CashNet as the e-payment processor.

  • The RPA will work with Purchasing Services to create a contract for software/hardware purchases relating to the storefront.
  • The selected software vendor will have to meet the Payment Card Industry standards with respect to security over customer personal information. This should be specified as part of the bidding process to select the vendor. If required, Cash Management will work with the RPA to arrange a determination whether the PCI standards are met (see Credit Card Merchant above).
  • Cash Management will contact the RPA with Credit Card Merchant ID information.
  • Cash Management will arrange for technical assistance from CashNet to work with the software vendor to connect the two services. Any costs associated with this service from CashNet will be passed on to the RPA.
  • Cash Management will provide RPA staff with training about how to use control reports.


4. The Revenue Producing Account (RPA) purchases storefront software from a vendor and wishes to use the e-payment processor that is offered by the purchased software vendor.

  • The RPA will work with Purchasing Services to create a contract for software/hardware purchases relating to the storefront.
  • The selected software vendor will have to meet the Payment Card Industry standards with respect to security over customer personal information. This should be specified as part of the bidding process to select the vendor. If required, Cash Management will work with the RPA to arrange a determination whether the PCI standards are met (see Credit Card Merchant above).
  • Cash Management will contact the RPA with Credit Card Merchant ID information.


Cost of Services

For Face-to-Face and Web-based (Internet) operations:

  • Elavon and American Express charge a fee, or "merchant discount," for the processing of credit card payments. The VISA, Mastercard, and Discover rate is approximately 2.00 percent and the American Express rate is approximately 2.25 percent. Elavon also charges $.05 (5 cents) per refund transaction. These charges are passed through by Cash Management to the RPA.

PCI Compliance Training

Each role in the PCI Compliance process has its own level of responsibility. Training of Division Business Representatives, site managers and operators is an important part of PCI compliance.

PCI Division Business Representative

The highest level of responsibility belongs to the Division Business Representatives (DBR). The DBR is responsible for all credit card merchant activities in his or her Division or Dean's Office. Each DBR must attend an annual PCI training session, which is offered and tracked by the Office of Human Resource Development (OHRD). The training sessions are listed at the OHRD website, www.ohrd.wisc.edu, under Business Services Topics in the Catalog.

PCI Site Manager

The next level of responsibility belongs to the PCI Site Manager. All credit card merchant operations have at least one PCI site manager, who is responsible for the day to day operations of the merchant activity. PCI Site Managers must attend an annual PCI training session, which is tracked by the Office of Human Resource Development (OHRD). PCI Site Managers will learn about the University's initiative for becoming PCI compliant in systems, infrastructure and processes. In this interactive discussion, attendees will learn about the PCI compliance process, how this compliance initiative will affect their business practices and processes, and how they can help their department/division avoid serious financial exposure by meeting and adhering to the PCI Data Security Standard. The training sessions are listed at the OHRD website, www.ohrd.wisc.edu, under Business Services Topics in the Catalog.

Responsibilities of the PCI Site Manager include ensuring that PCI Operators have been appropriately trained in the PCI Data Security Standard, and are thus PCI Compliant.

PCI Operator

The third role and level of responsibility belongs to the PCI Operator. Operator training is required on an annual basis.

A PCI Operator is anyone in the business process who handles credit card information. Examples of operators include:

  • Anyone who handles a customer credit card at a point-of-sale device.
  • Anyone who processes faxed or mailed forms that contain credit card information.
  • Anyone who accesses a web application that processes credit card information (such as CashNet).

Online Training Modules
To assist with achieving this compliance, UW-Madison's PCI Compliance Assistance Team (PCI-CAT) has developed three on-line training modules for the university's credit card operators.

  • The first module addresses general PCI Compliance with regards to basic credit card transactions.
  • The second module focuses on situations where the card is present (over the counter transactions).
  • The third module focuses on situations where the card is not present (telephone, fax or mail order transactions).

All PCI Operators must complete the first module; the second and third modules will be assigned by the PCI site manager, according to the business process for the merchant. For example, operators who handle credit cards for over the counter transactions should complete modules 1 and 2; operators who handle credit cards for telephone, fax or mail orders should complete modules 1 and 3. In some cases, operators may need to complete all 3 modules. For assistance in making this determination, please contact PCI-Help@bussvc.wisc.edu.

Here is the link to access the Operator Training Modules:  https://charge.wisc.edu/pci/

Training Confirmation and Tracking

PCI Compliance requires all operators to be trained on an annual basis, which must be tracked by the PCI site manager. To assist you in meeting this requirement, the on-line training tool will produce a certificate of completion, which includes the operator's name, date, and expiration date. Upon completion of the training modules, the system will email the certificate to the PCI Operator who will then print and deliver a copy to the PCI site manager. The PCI site manager must retain a copy of the certificate for each operator, to document that they have been trained according to PCI requirements.

Elavon Equipment and Training Information:
The Hypercom will cost $299.00 and show up directly against the merchant ID on the merchant monthly statement. Hypercom machines are programmed for dial out and need a regular analog phone line.

When the equipment arrives, verify that the machine has the correct address, name and MID on the machine when plugged in. Call Elavon training at 866-451-4007. Schedule a 20 minute training on how to use the Hypercom and transaction settlement. Note: terminal will not auto settle unless the machine is plugged in. Auto settle occurs at 12:30 am unless otherwise specified.

To report equipment problems call Relationship Services National Account at 800-725-1245 Option 1. Document these equipment problem calls; request the first and last name of the relationship person you are working with.

To order supplies such as thermal paper call Customer Service Center at 800-725-1243 Option 3.

Ethernet connection must be approved by PCI-CAT. The Hypercom machine must be dedicated to a specified data port and must not be moved. For approved Ethernet use only (PCI-CAT), you MUST contact RADS to ensure that the IP will go through the PCI Datacenter. Please schedule this with RADS at 263-RADS (7237) or email repair@doit.wisc.edu and let RADS know this is a PCI issue.


Contacts

  • Credit Card Security and Payment Card Industry (PCI) Questions; Web-based/Internet Storefront; Face to Face/Counter Swipe/Telephone Sales:
    • Janet Hamm; (Phone) 608-265-2909; (FAX) 608-262-5060
  • General financial questions related to credit card processing (Cash Management Supervisor):
    • Sharon Hughes; (Phone) 608-262-1305; (FAX) 608-262-5060
