UW–Madison processes over $100 million in payment card transactions per year. This represents almost 3 million transactions from over 200 merchant accounts. The university is contractually responsible for protecting the payment card data used to process these transactions per the guidance provided by the Payment Card Industry Data Security Standards (PCI DSS).
A payment card breach may result in fines starting at $500,000. We must also consider the additional costs of a payment card breach, which are estimated at around $242 per payment card¹. More importantly, UW–Madison’s reputation would be tarnished. This could result in fewer donors willing to support the university or business partners willing to acquire university resources.
Securing payment card data is everyone’s responsibility. Should there be a data security breach, the department responsible for the merchant account will be responsible for the costs of the breach. UW–Madison can reduce the risk of payment card data being compromised by securing the network, hardware, applications, processes, and meeting PCI compliance requirements.
¹ IBM-sponsored report by the Ponemon Institute, Cost of a Data Breach Report 2019
Applies to all UW–Madison departments that accept payment cards as a form of payment for goods and services.
UW–Madison departments that accept payment cards as a form of payment for goods and services are required to comply with PCI DSS. The purpose of the PCI DSS is to ensure payment card data is protected.
The PCI Compliance Assistance Team (PCI CAT) will validate each department’s PCI compliance. Failure to comply with the PCI DSS requirements can result in the loss of payment card processing privileges.
The highest level of PCI responsibility belongs to the divisional business representative. This individual is responsible for approving the initial merchant account request and reviewing the Self-Assessment Questionnaire annually as the executive officer.
Each department accepting payment cards is required to designate a PCI site manager for each merchant account. The PCI site manager serves as the point of contact for the merchant account and should have the influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.
The implementation of any and all e-commerce websites or payment card devices to collect revenue must be approved by the Cash Management team within the Division of Business Services – Accounting Services Unit, the Office of Cybersecurity, and, when necessary, Purchasing Services. This ensures that all cash management, security, and contractual requirements are adhered to. Third-party vendors that process payment cards on behalf of the university and submit payment via ACH or paper check must also be approved by these departments; Cashnet/Transact is the preferred e-commerce vendor on campus.
All revenue must be deposited into a UW–Madison bank account which posts to WISER/WISDM. Gift or donation merchant accounts can only be processed through the University of Wisconsin Foundation.
Written PCI policies and procedures must be established by the PCI site manager and submitted to Cash Management; templates will be provided by Cash Management upon request. If stated business practices change, all changes must be submitted to Cash Management via e-mail at email@example.com. Departments must address the following components in their business policies and procedures for each merchant account:
Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees can be seen in WISER/WISDM once they have been posted.
For more information on how to open a merchant account, refer to the following procedures:
The following procedures are required to ensure campus merchants maintain adequate transaction integrity:
The storage of payment card data, both electronically and/or on paper, received at any and all locations, must be reviewed and approved by the PCI CAT. The following are procedures that should be implemented to ensure proper storage and destruction of payment card data:
The department’s compliance will be validated through the process of completing and submitting an annual self-assessment questionnaire for each merchant account. This provides the department the opportunity to review its payment card acceptance procedures and ensure compliance is being maintained. The PCI CAT reserves the right to validate responses provided by merchants. Failure to validate the department’s compliance through the self-assessment questionnaire submission process will result in merchant account termination. If the merchant and PCI CAT cannot agree on the interpretation of the PCI Standards, a third-party PCI Qualified Security Assessor (QSA) will be consulted for final interpretation.
The following training requirements must be met to maintain compliance:
The Office of Cybersecurity, along with the Cash Management team within the Division of Business Services – Accounting Services Unit, will conduct an annual formal risk assessment. Departments may be asked to participate in the formal risk assessment discussion. The risk assessment will identify vulnerabilities and the potential impact to PCI compliance. The likelihood and impact of the threats will be scored, ranked, and prioritized. All threats will be addressed with mitigation tasks, timelines, and/or acceptance statements. Documentation will be maintained from the output of the risk assessment exercise.
In the event of a breach or suspected breach of security, the department or unit must immediately report the incident following the IT Incident Reporting and Response Procedures. If the suspected activity involves computers (hacking, unauthorized access, etc.), immediately notify the DoIT Help Desk.
A merchant account will be closed if the department fails to comply with this policy and/or PCI DSS requirements. Compliance includes maintaining a site manager, completing the required annual training, and submitting the appropriate documentation, such as the annual self-assessment questionnaire. Additionally, a merchant account may be closed if there is no activity for twelve consecutive months.
If the merchant account is no longer needed, a merchant may close its account by contacting Cash Management at pci-help@firstname.lastname@example.org. Confirmation from the divisional business representative will be needed as authorization to close the account. Payment card machines that are no longer needed should be returned to Cash Management at 21 N. Park Street, Suite 5301.
Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability of the non-compliant merchant(s). In the event of a breach or violation of the PCI DSS, the payment card brands may assess penalties to UW–Madison’s bank which will likely then be passed on to UW–Madison. Any fines and assessments imposed will be the responsibility of the compromised merchant. A one-time penalty of up to $500,000 per card brand per breach can be assessed as well as ongoing monthly penalties thereafter until compliance is achieved.
Persons in violation of this policy are subject to sanctions including loss of computer or network access privileges, disciplinary action, suspension and termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. UW–Madison will carry out its responsibility to report such violations to the appropriate authorities.
Device Inspection Log Template
Incident Reporting and Response Procedures
3031.A Open an Internet Storefront Merchant Account Procedure
3031.B Open a Merchant Account using an EMV Chip or Swipe Machine Procedure
Regent Policy Document 25-5, Information Security
UWS 350 Payment Card Compliance Policy
UWS 1010 Information Technology Acquisitions Approval
UWS 1030 Information Security: Authentication Standard
UWS 1030.A Information Security: Authentication
UWS 1031 Information Security: Data Classification and Protection
UWS 1031.A Information Security: Data Classification
UWS 1031.B Information Security: Data Protections
UWS 1032 Information Security: Awareness
UWS 1033 Information Security: Incident Response
Payment Card Industry Data Security Standards (PCI DSS)
PCI DSS Quick Reference Guide v3.2
University of Wisconsin Fiscal & Accounting General Records Schedule