UW-Madison processes over $100 million in payment card transactions per year. This represents almost 3 million transactions from over 200 merchant accounts. The University is contractually responsible for protecting the payment card data used to process these transactions per the guidance provided by the PCI DSS.
A payment card breach may result in fines starting at $500,000. We must also consider additional costs of a payment card breach which are estimated around $242 per payment card. More importantly, UW-Madison’s reputation would be tarnished. This could result in fewer donors willing to support the University or business partners willing to acquire University resources.
Securing payment card data is everyone’s responsibility. Should there be a data security breach, the department responsible for the merchant account will be responsible for the costs of the breach. UW-Madison can reduce the risk of payment card data being compromised by securing the network, hardware, applications, and processes involved, and by meeting PCI compliance requirements.
Source for the per-card cost estimate: IBM-sponsored report by the Ponemon Institute, Cost of a Data Breach Report 2019.
CASHNet: A third-party e-commerce service provider contracted by the University of Wisconsin to process credit card payments.
Card Brands: Payment card networks including Visa, Mastercard, Discover, and American Express.
Cardholder: The person to whom a payment card is issued or any individual authorized to use the payment card.
Cardholder Data (CHD): At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code. The cardholder name with only the last 4 digits of the PAN is not considered CHD and does not need to be protected. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
Card Identification Number (CID): The three-digit security code on the back of the payment card for MasterCard, Visa, and Discover. The four-digit security code on the front of American Express payment cards.
Chargebacks: Occur when the customer challenges the validity of the original charge and instructs their bank to reverse the charge.
Merchant Connect (MCP): An online tool from Elavon, the credit card processor, which displays transaction activity and monthly statements.
Payment Card: A financial transaction card issued by a financial institution. Also called Bankcard, Charge Card, Credit Card, or Debit Card.
Payment Card Industry Data Security Standards (PCI DSS): A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. PCI DSS represents a common set of tools and measurements to help ensure the safe handling of sensitive information. The standard comprises 12 requirements that are organized in 6 logically related groups or “control objectives.” Failure to conform to these standards can result in losing the ability to accept payment cards, being audited, and/or being fined.
Point-to-Point Encryption (P2PE): A comprehensive set of security requirements for point-to-point encryption solution providers; this PCI standard helps those solution providers validate their solutions. Using an approved point-to-point encryption solution helps merchants reduce the value of stolen cardholder data, because the data is unreadable to an unauthorized party. Solutions based on this standard may also reduce the scope of the merchant’s cardholder data environment and make compliance easier.
Sensitive Authentication Data: Information used to authenticate cardholders and/or authorize payment card transactions including but not limited to card validation codes/values, full track data from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks.
Service Provider: A business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data. Examples include service providers that provide managed firewalls, intrusion detection systems (IDS), and other services.
This policy applies to all UW-Madison departments which accept payment cards as a form of payment for goods and services.
UW-Madison departments which accept payment cards as a form of payment for goods and services are required to comply with Payment Card Industry Data Security Standards (PCI DSS). The purpose of the PCI DSS is to ensure payment card data is protected.
The PCI Compliance Assistance Team (PCI CAT) will validate each department’s PCI compliance. Failure to comply with the PCI DSS requirements can result in the loss of payment card processing privileges.
The highest level of PCI responsibility belongs to the Divisional Business Representative (DBR). This individual is responsible for approving the initial merchant account request and reviewing the Self-Assessment Questionnaire (SAQ) annually as the executive officer.
Each department accepting payment cards is required to designate a PCI Site Manager for each merchant account. The PCI Site Manager serves as the point of contact for the merchant account and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.
The implementation of any and all e-commerce websites or payment card devices to collect revenue must be approved by the Cash Management team within the Division of Business Services – Accounting Services Unit, the Office of Cybersecurity, and, when necessary, Purchasing Services. This ensures that all cash management, security, and contractual requirements are adhered to. Third-party vendors which process payment cards on behalf of the University and submit payment via ACH or paper check must also be approved by these departments; CASHNet is the preferred e-commerce vendor on campus.
All revenue must be deposited into a UW-Madison bank account which posts to WISER/WISDM. Gift or donation merchant accounts can only be processed through the University of Wisconsin Foundation (http://www.supportuw.org/how-to-give).
Written PCI policies and procedures must be established by the PCI Site Manager and submitted to Cash Management; templates will be provided by Cash Management upon request. If stated business practices change, all changes must be submitted to Cash Management via e-mail at email@example.com. Departments must address the following components in their business policies and procedures for each merchant account:
Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees can be seen in WISER/WISDM once they have been posted.
For more information on how to open a merchant account, refer to the following procedures:
The following procedures are required to ensure campus merchants maintain adequate transaction integrity:
The storage of payment card data, both electronically and/or on paper, received at any and all locations, must be reviewed and approved by the PCI CAT. The following are procedures that should be implemented to ensure proper storage and destruction of payment card data:
The department’s compliance will be validated through the process of completing and submitting an annual SAQ for each merchant account. This provides the department the opportunity to review their payment card acceptance procedures and ensure compliance is being maintained. The PCI CAT reserves the right to validate responses provided by merchants. Failure to validate the department’s compliance through the SAQ submission process will result in merchant account termination. If the merchant and PCI CAT cannot agree on the interpretation of the PCI Standards, a third-party PCI Qualified Security Assessor (QSA) will be consulted for final interpretation.
The following training requirements must be met to maintain compliance:
The Office of Cybersecurity, along with the Cash Management team within the Division of Business Services – Accounting Services Unit, will conduct an annual formal risk assessment. Departments may be asked to participate in the formal risk assessment discussion. The risk assessment will identify vulnerabilities and the potential impact to PCI compliance. The likelihood and impact of the threats will be scored, ranked, and prioritized. All threats will be addressed with mitigation tasks, timelines, and/or acceptance statements. Documentation will be maintained from the output of the risk assessment exercise.
In the event of a breach or suspected breach of security, the department or unit must immediately report the incident following the steps documented HERE. If the suspected activity involves computers (hacking, unauthorized access, etc.), immediately notify the DoIT Help Desk.
A merchant account will be closed if the department fails to comply with this policy and/or PCI DSS requirements. Compliance includes maintaining a Site Manager, completing the required annual training, and submitting the appropriate documentation, such as the annual SAQ. Additionally, a merchant account may be closed if there is no activity for twelve consecutive months.
If the merchant account is no longer needed, a merchant may close its account by contacting Cash Management at pci-help@firstname.lastname@example.org. Confirmation from the DBR will be needed as authorization to close the account. Payment card machines that are no longer needed should be returned to Cash Management at 21 N. Park Street, Suite 6101.
Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability of the non-compliant merchant(s). In the event of a breach or violation of the PCI DSS, the payment card brands may assess penalties to UW-Madison’s bank which will likely then be passed on to UW-Madison. Any fines and assessments imposed will be the responsibility of the compromised merchant. A one-time penalty of up to $500,000 per card brand per breach can be assessed as well as on-going monthly penalties thereafter until compliance is achieved.
Persons in violation of this policy are subject to sanctions including loss of computer or network access privileges, disciplinary action, suspension and termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. UW-Madison will carry out its responsibility to report such violations to the appropriate authorities.
Campus Merchant Department – Manage the daily operations of the merchant account(s) and maintain PCI compliance.
Divisional Business Representative (DBR) – An individual within the dean or divisional office. This individual has the highest level of PCI responsibility including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.
Payment Card Industry Compliance Assistance Team (PCI CAT) – Provide guidance and monitor PCI compliance requirements.
Site Manager – This individual is the point of contact for the campus department merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.