Payment Card Merchant Services and Payment Card Industry (PCI) Compliance

Layout for printing
Policy Number:
UW-3031
Old Policy Number:
404
Responsible Office:
Accounting Services, Division of Business Services

University Policy

Rationale/​Purpose:

The purpose of the policy is to prevent loss or disclosure of cardholder data (CHD) in accordance with University of Wisconsin System Administrative Policy 350, Payment Card Policy.

UW–Madison is contractually responsible for protecting the payment card data used to process these transactions per the guidance provided by the Payment Card Data Security Standards (PCI DSS).

Definitions:
Card brands
Payment card networks, including Visa, Mastercard, Discover, and American Express, which are the respective financial institutions responsible for founding the PCI DSS.
Card identification number (CID)
Also known as Card Validation Code or Card Security Code which is the three-digit security code on the back of the payment card for MasterCard, Visa, and Discover or the four-digit security code on the front of American Express payment cards. Depending on the card brand, this code is also identified as CAV, CAV2, CVV, or CVV2.
Cardholder
The customer to whom a payment card is issued or any individual authorized to use the payment card.
Cardholder data 
At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code. The cardholder’s name with only the last four digits of the PAN is not considered cardholder data and does not need to be protected. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
Cashnet/Transact
A Validated PCI DSS third-party Payment Application Service Provider for e-commerce services contracted by the University of Wisconsin that is used to process credit card payments.
Chargebacks
Occur when the customer challenges the validity of the original charge and instructs their bank to reverse the charge.
Merchant
Any UW-Madison business or entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services from UW–Madison.
Payment card
A charge card, credit card, debit card, or any other card issued by a financial institution used for payment to purchase goods or services.
Payment Card Industry Data Security Standards (PCI DSS)
A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. PCI DSS represents a common set of tools and measurements to help ensure the safe handling of sensitive information. The standard comprises 12 requirements that are organized in six logically related groups or “control objectives.” Failure to conform to these standards can result in losing the ability to process payment card payments, being audited, and/or being fined.
Payments Insider
A secure online customer portal from Elavon, the credit card processor, which displays transactional activity and monthly statements used for reconciliation and other merchant account business needs.
PCI Attestation of Compliance (AoC)

A declaration of a Service Provider’s compliance with the PCI DSS. It serves as documented evidence that the Service Provider’s security practices effectively protection against threats to cardholder data.

This document must be completed by a Qualified Security Assessor (QSA) or the merchant and signed by the QSA. A QSA is a company that is certified by the PCI DSS to perform PCI audits and determine whether organizations are PCI compliant.

AoC’s must be submitted to the PCI Team on an annual basis at pci-help@bussvc.wisc.edu

Point-to-point encryption (P2PE)
A PCI Point-to-Point encryption (P2PE) Solution cryptographically protects account data from the point where a merchant accepts the payment card to the secure endpoint. Using a P2PE solution reduces the risk of data theft by securing the transactions and protects the cardholder data. The PCI P2PE Solution can substantially reduce the PCI DSS compliance efforts for merchants.
Responsibility matrix
The matrix outlines the responsibilities between the Third-Party Service Provider (TPSP) and the Campus Merchant. The information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.
Sensitive authentication data
Security related information used to authenticate cardholders and/or authorize payment card transactions including but not limited to card validation codes/values, full track data from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks.
Third-party service provider (TPSP)

A business entity (vendor) that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes vendors that provide services that control or could impact the security of cardholder data. Examples of Third-Party Service Providers include vendors that provide managed firewalls, intrusion detection systems, and other services, in addition to payment card processing.

All Third-Party Service Providers  used in payment card processing are required to contain appropriate PCI language which includes an acknowledgment that the Third-Party Service Providers are responsible for the security of cardholder data. The agreement is also required to be signed by an authorized Purchasing agent and the specified Third-Party Service Provider also contains specific dates of the services agreed upon.

Scope:

UW-Madison merchants must comply with the Payment Card Merchant Services and Payment Card Industry (PCI) Compliance Policy, and all applicable Payment Card Industry Data Security Standard (PCI DSS) requirements. The expectations are an agreement which apply to all UW-Madison departments, people, processes, systems, solutions, devices, and applications that are involved in processing payment cards as a form of payment for goods and services and are included in the PCI Scope for UW-Madison.

Policy:

UW–Madison departments that accept payment cards as a form of payment for goods and services are required to comply with PCI DSS, UW System Administrative Policy 350 Payment Card Compliance Policy, and the following UW-Madison Policy. The purpose of the PCI DSS is to ensure payment card data is protected.

The PCI Compliance Assistance Team (PCI CT) will validate each department’s PCI compliance. Failure to comply with the PCI DSS requirements can result in the loss of payment card processing privileges.

All revenue from payment card transactions is required to be deposited into a UW-Madison bank account which posts the revenue into the general ledger.

Gift donation merchant accounts may only be processed through the University of Wisconsin Foundation since this organization is the official fundraising and gift receiving partner for UW-Madison.

The implementation of all e-commerce websites or payment card device usage to collect revenue must also be approved by Cash Management within the Division of Business Services, the Office of Cybersecurity, and when necessary, Purchasing Services. This ensures all cash management, security, and contractual requirements are adhered to.

Outsourced Third-Party Service Providers (non-UW-Madison merchant accounts) which process payment cards on the behalf of the university which submit payment via ACH or paper check must also be approved by these departments.

Cashnet/Transact Payments is the contracted and preferred enterprise e-commerce Third Party Service Provider for UW-Madison e-commerce merchant accounts.

  1. Payment Card Acceptance and Handling
    1. Policy to Establish a Merchant account

      The opening of a new merchant account for accepting and processing of payment cards is approved on a case-by-case basis. Any fees associated with the acceptance of payment cards from a specific department will be charged to the individual merchant account within that department. These are the requirements for establishing a merchant account:

      1. Obtain approval from your Dean’s office, specifically the Divisional Business Representative (DBR).
      2. Complete and submit the Payment Card Merchant ID Request form.
      3. Review and acknowledgement of Policy UW-3031.
      4. Assign the PCI Site Manager who will have primary authority and responsibility for oversight of payment card transactions. The department should specify if they require a backup individual.
      5. Completion of annual PCI Training, tracking all merchant’s PCI Operator’s Trainings.
      6. Ensure required monthly reconciliation is completed in a timely manner, at least monthly.
      7. Establish and distribute written merchant policies and procedures to all staff related to payment card handling for card present and/or e-commerce transactions.
      8. All Service Providers providing payment card services must be PCI DSS compliant:
        1. Ensure contract includes language stating that the Third-Party Service Provider is PCI DSS compliant and will protect cardholder data.
        2. Annually verify the PCI Compliance status of all Third-Party Service Providers and obtain an Attestation of Compliance (AoC).
        3. For card present transactions, ensure that the payment device is validated on the PCI DSS or is a validated P2PE solution.
        4. For ecommerce channels, all elements of the payment page(s) delivered to the consumer's browser originate only and directly from a PCI DSS validated Third-Party Service Provider(s).
      9. Provide a credit card data flow diagram for your merchant’s transactions which demonstrate the flow of cardholder data. Include all components in the diagram such as payment card devices, systems, databases, web servers, and any other payment components in the payment process.
    2. Merchant Account Fees

      Any fees associated with the acceptance of payment cards from a campus department will be charged to the related merchant on a monthly basis. These fees will be posted into the general ledger on the first of each month for the prior month.

      Procedures to open a merchant account:

  2. Annual Training

    The following training requirements must be met to maintain compliance:

    1. All new divisional business representatives and site managers are required to attend an initial live, online PCI Compliance Training session which is offered twice a year.
    2. All relevant personnel - including divisional business representatives (DBR) and site managers - are required to complete the online PCI Compliance Training renewal annually. This training is completed using Canvas; contact pci-help@bussvc.wisc.edu for access.
    3. Any employee or volunteer that handles a payment card on behalf of UW-Madison is required to complete the PCI Operator Training. The PCI Site Manager is responsible for tracking the completion of all the PCI Operator Trainings each year.
  3. Annual completion of the Self-Assessment Questionnaire (SAQ)

    The department's compliance will be validated through the process of completing and submitting an annual self-assessment questionnaire for each merchant account. This provides the department the opportunity to review its payment card acceptance procedures and ensure compliance is being maintained. The PCI CT reserves the right to validate responses provided by merchants. Failure to validate the department's compliance through the self-assessment questionnaire submission process will result in merchant account termination. If the merchant and PCI CT cannot agree on the interpretation of the PCI Standards, a third-party PCI Qualified Security Assessor (QSA) will be consulted for final interpretation.

  4. Policies and Procedures

    Written PCI policies and procedures for the merchant account must be established by the PCI site manager and submitted to Cash Management; templates will be provided by Cash Management upon request. If stated business practices change, all changes must be submitted to Cash Management via e-mail at Pci-help@bussvc.wisc.edu . Departments must address the following components in their business policies and procedures for each merchant account:

    1. A listing of the e-commerce sites where items are sold, or event registration occurs (e-commerce only).
    2. A listing of payment card devices for card present merchants that are used with the following pieces of information for each device (physical device only):
      1. The physical location of the device
      2. The type/version of the device
      3. When the device is used
    3. A contingency plan for processing transactions should the primary system be unavailable.
    4. That departments are responsible for the physical security of all payment card devices and other equipment used to collect cardholder data and will comply with the following procedures (physical device only):
      1. Obtain approval of the PCI CT for the storage, transmission, and processing of payment card data in an electronic format. All network locations and devices must be specifically approved for processing payment cards.
      2. Maintain an inventory of all payment card devices and their locations.
      3. Inspect the devices to check for tampering or substitution. It is recommended to complete the inspections during regular financial reconciliations but is required to be completed on a quarterly basis at a minimum.
      4. Document the device inspections; a device inspection log template example
      5. Implement training for all personnel to increase understanding of what suspicious behavior, tampering, and substitution look like and procedures on how to report it.
    5. A written list of employees with access to cardholder data is maintained and reviewed periodically.
    6. That access to cardholder data is restricted to only those users who need the data to perform their job duties.
    7. A listing of acceptable methods of processing payment cards.
    8. That email must never be used to transmit payment card or personal payment information. If email is used for this purpose, disposal as outlined below is critical:
      1. The email should be replied to immediately with the payment card number deleted stating that, "UW-Madison does not accept payment card data via email as it is not a secure method of transmitting cardholder data."
      2. Provide a list of the alternative, compliant option(s) for payment.
      3. Delete the email from your inbox and delete it from your email trash.
    9. That fax machines, if used to transmit payment card information to a merchant department, must be standalone machines with appropriate physical security; receipt or transmission of payment card data using a multi-function fax machine is not permitted.
    10. The merchant account's refund policy. Refunds must be processed with the same payment card account which was used to process the original transaction.
  5. Maintaining a Merchant Account
    1. Internal Controls

      The following procedures are required to ensure campus merchants maintain adequate transaction integrity:

      1. A reconciliation of payment card activity to WISER should be completed and documented at least monthly. E-commerce orders should be reconciled to the reporting portal before any merchandise is shipped.
      2. Adequate separation of duties between sales transaction processing and the physical goods being sold must be maintained. In addition, there should be separation of duties between the person issuing refunds and the individual reconciling the account.
      3. All users are required to have their own unique login and password for all systems such as Cashnet/Transact Payments login and Payments Insider for access to transactions, settlements, and monthly fees.
      4. All merchant storefronts or shopping carts are to complete quarterly vulnerability scans. Merchants should remediate any vulnerability within 30 days. Scans can be coordinated through the Office of Cybersecurity.
      5. The merchant should periodically perform transaction walk-throughs to ensure the payment page redirects to Cashnet/Transact Payments. After reaching the Cashnet/Transact page, the browser can be closed without entering any payment card data.
      6. All payment card devices should be inspected for tampering or substitution based on established procedures; these inspections should be documented.
    2. Storage and Destruction

      The storage of payment card data, both electronically and/or on paper, received at any and all locations, must be reviewed and approved by the PCI CT. The following are procedures that should be implemented to ensure proper storage and destruction of payment card data:

      1. Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents, or electronic files containing cardholder data.
      2. No database, electronic file, or other electronic repository of information will store the full contents of any track from the magnetic stripe, the card validation code, or the personal identification number (PIN).
      3. Portable electronic media devices should not be used to store cardholder data. These devices include but are not limited to the following: laptops, USB flash drives, portal external hard drives, compact disks, floppy disks, and personal digital assistants.
      4. ardholder data should not be retained any longer than that defined by a legitimate business need. The portion of a document with cardholder data should be destroyed immediately after processing the transaction using a cross-cut shredding machine. It is possible to maintain adequate documentation for transactions without retaining cardholder data.
        1. Mail order forms with payment card information must be secured after the mail is opened.
        2. Any retention of payment card data after the authorization is received must be documented in the department's policies and procedures and approved by the PCI CT.
      5. Chargeback documents from Elavon containing cardholder data must be secured until processed and destroyed (cross-cut shredded) after processing. The maximum period that PCI Operator Training forms and corresponding PCI compliance logs may be retained is three years from the date of creation. For more detail regarding record retention, please see the University of Wisconsin System Fiscal & Accounting General Records Schedule.
      6. All computers on the PCI Network must be returned to DolT Help Desk for PCI sanitization instructions. The computer can be returned to the department after the sanitization process is completed. This media includes, but is not limited to: hard drives, tapes, USB drives, etc. Refer to the university's Media and Device Disposal and Reuse policy.
    3. Risk Assessment

      The Office of Cybersecurity, along with the Cash Management team within the Division of Business Services - Accounting Services Unit, will conduct an annual formal risk assessment. Departments may be asked to participate in the formal risk assessment discussion. The risk assessment will identify vulnerabilities and the potential impact to PCI compliance. The likelihood and impact of the threats will be scored, ranked, and prioritized. All threats will be addressed with mitigation tasks, timelines, and/or acceptance statements. Documentation will be maintained from the output of the risk assessment exercise.

    4. Incident Response

      In the event of a breach or suspected breach of security, the department or unit must immediately report the incident following the Incident Reporting and Response Procedures. If the suspected activity involves computers (hacking, unauthorized access, etc.), immediately notify the DolT Help Desk.

    5. Closing a Merchant Account

      A merchant account will be closed if the department fails to comply with this policy and/or PCI DSS requirements. Compliance includes maintaining a site manager, completing the required annual training. and submitting the appropriate documentation. such as the annual self-assessment questionnaire. Additionally, a merchant account may be closed if there is no activity for twelve consecutive months.

      If the merchant account is no longer needed, a merchant may close its account by contacting Cash Management at pci-help@bussvc@wisc.edu. Confirmation from the divisional business representative will be needed as authorization to close the account. Payment card machines that are no longer needed should be returned to Cash Management at 21 N. Park Street, Suite 5301.

  6. Consequences for Noncompliance, Card Brand Fines, Bank Fines and Penalties

    Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability of the non-compliant merchant(s) 3031.C PCI Non-Compliance Procedure. In the event of a breach or violation of the PCI DSS, the payment card brands may assess penalties to UW-Madison's bank which will likely then be passed on to UW-Madison. Any fines and assessments imposed will be the responsibility of the compromised merchant. A one-time penalty of up to $500,000 per card brand per breach can be assessed as well as ongoing monthly penalties thereafter until compliance is achieved.

    Persons in violation of this policy are subject to sanctions including loss of computer or network access privileges, disciplinary action, suspension and termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. UW-Madison will carry out its responsibility to report such violations to the appropriate authorities.

    Staff Responsibilities

    • Campus Merchant Department: Manages the daily operations of the merchant account(s) and maintain PCI compliance.
    • Divisional Business Representative (DBR): An individual within the dean or divisional office. This individual has the highest level of PCI responsibility including approving the initial merchant account request and annually reviewing the Self-Assessment Questionnaire (SAQ) as the executive officer. The DBR is also required to attend an initial in-person/virtual PCI Training for Merchants following an annual PCI Training for merchants.
    • Site Manager: Each department accepting payment cards is required to designate a PCI site manager for each merchant account. This individual is the point of contact for the campus department merchant account(s). The PCI Site Manager annual responsibilities include:
      • Complete Self-Assessment Questionnaire(s) (SAQs).
      • Ensure your departmental merchant’s policies and standard operating procedures have been updated and distributed to all relevant personnel.
      • Ensure the PCI Training Course in UWSA Canvas has been completed by all PCI Site Managers and DBRs.
      • Maintain the credit card data flow diagram for your merchant’s transactions.
      • Complete, track, and document all the merchants’ PCI Operators Training.
      • For card present/mail order transactions: ensure the inventory of payment card devices is up to date and accurate. The devices should be listed in the users inventory (charge.wisc.edu/users) and include the Make/Model, Serial Number, Location, and Inspection Logs.
      • For card present/mail orders: plan to replace any devices with outdated technologies or if the device is at the end-of-life timeline.
      • For e-commerce websites: maintain and ensure accuracy of a complete list of all websites used to redirect the customer to the payment page, including the URLs. 
      • Make sure the current Attestation of Compliance (AoC) is obtained from all merchants using a Third-Party Service Provider directly involved in processing, storage, transmission of cardholder data, or services that could impact the security of their cardholder data environments.
      • Regularly review the Third-Party Service Providers’ required current contract contains appropriate PCI Language and signature by an authorized Purchasing Agent.
      • Provide the responsibility matrix outlining PCI requirements for your Third-Party Service Provider, as it includes what the merchant is responsible for.
    • PCI Operator: Any individual that handles credit card processing on the behalf of University of Wisconsin-Madison or have access to ecommerce payment applications are required to complete the annual PCI Operator Training at charge.wisc.edu/training/.
    • Payment Card Industry Compliance Team (PCI CT): Provides guidance and monitors PCI compliance requirements.
Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

Policy Administration

Approval Authority:
Assistant Vice Chancellor of Business Services and Controller
Policy Manager:
Finance Associate Director
Contact:
Cash Management -- Cash Management, Cashmgt@bussvc.wisc.edu, (608) 263-7461
Effective Date:
01-01-2020
Revised Dates:

02-12-2020, 03-21-2022, 4-28-2023, 5-25-2023, 5-8-2024

Reviewed Dates:

11/23/2020

Retrieved:
05-16-2025 01:56:07