3031.C PCI Non-compliance Procedure

PCI Non-compliance Procedure
Procedure # 3031.C
Rev.:
Effective Date: September 1, 2020

Related Policy: UW-3031 Credit Card Merchant Services and PCI Compliance Policy 
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is affected by this procedure
III. Rationale
IV. Procedure
V. Supporting tools
VI. Related References
VII. Revisions


I. Procedure statement

The University of Wisconsin-Madison has merchant accounts which accept payment for goods sold and services rendered via payment card transactions. All merchants that accept payments via payment card must comply with the Payment Card Industry Data Security Standards (PCI DSS). The purpose of this procedure is to provide a framework for the disciplinary steps that will be taken in the event that a UW-Madison merchant account is found to be non-compliant with the PCI DSS. Persistent noncompliance with the PCI DSS after the enactment of the disciplinary steps described in this policy may result in the suspension or termination of the non-compliant merchant account.


II. Who is affected by this procedure

This procedure applies to all merchant accounts at UW-Madison that accept payment cards as a form of payment for goods sold and services rendered.


III. Rationale

Deficiencies exist in a merchant account’s operating procedures if a merchant does not appropriately store, process, or transmit cardholder data as defined by the PCI DSS. These deficiencies result in the merchant account being non-compliant with the applicable governance framework. Deficiencies in a merchant’s ability to appropriately secure cardholder data are the foundation of a potential data breach. Acts of noncompliance and data breaches will result in reputational damages such as distrust and loss of consumers, donors, and other stakeholders.

The ability to accept payment card transactions is a convenient and efficient method of collecting revenue owed to the University. As an alternative to cash and with the use and implementation of appropriate card transaction controls, payment cards provide better financial internal controls for the University. The ability to accept payment cards as a method of payment is a privilege granted to the University by the acquirer that UW-Madison is contracted with, Elavon, and the payment card brands: Visa, MasterCard, Discover, and American Express. If a merchant account is not in compliance with the PCI DSS or a data breach occurs, these agencies have the authority to assess fines for noncompliance. Such fines would be assessed separately by each agency per violation and for acts of noncompliance that remain uncorrected as of a designated deadline. These fines accumulate quickly and could result in hundreds of thousands of dollars in monetary damages.

Additionally, if Elavon or the payment card brands are concerned about the University’s ability to appropriately store, process, or transmit cardholder data, UW-Madison’s ability to accept payment cards could be revoked. This decision would require departments to find alternative ways to collect revenue owed to them and could result in a decline in sales.

Managing compliance with the PCI DSS is a responsibility that should be taken seriously because of its significant financial and reputational impacts.


IV. Procedure

The Cash Management (Division of Business Services) and Cybersecurity (Division of Information Technology) teams will jointly conduct reviews of campus merchant accounts to determine each merchant’s level of compliance with the PCI DSS. Upon completion of a merchant account’s annual review, the PCI review team will complete a Risk Assessment. Each Risk Assessment will document the review team’s opinion of the merchant’s level of compliance with the PCI DSS, any identified non-compliant practices, and the disciplinary step to be implemented if non-compliant practices are identified. All Risk Assessments will be presented to the merchant’s Divisional Business Representative for review and signature. The types of opinions that may be issued, with examples of possible instances of noncompliance, are as follows:

Level 0 – No instances of noncompliance identified.

Level 1 – Minor instance(s) of noncompliance identified. Compliant procedures must be implemented as of the next annual review.

  • Incomplete PCI Security Awareness Training
  • Incomplete PCI Operator Training
  • Missing or incomplete device inspection logs
  • Missing business procedures

Level 2 – Significant instance(s) of noncompliance identified. Compliant procedures must be implemented as of a designated deadline which has been agreed upon with the merchant.

  • Working with unsupported technology
  • Lack of security regarding access to physical devices and technology
  • Inability or neglect to provide documentation indicating appropriate security of e-commerce merchant accounts
  • Unauthorized or unsecured storing of cardholder data
  • Inappropriate use of e-commerce merchant accounts for in-person or over-the-phone transaction processing
  • Failure to implement appropriate procedures to resolve Level 1 noncompliance
  • Failure to complete the annual Self-Assessment Questionnaire A 3.2.1 and Attestation of Compliance

If a deficiency in compliance was identified in a previous review, the PCI review team will follow up as of the deadline agreed upon with the merchant to evaluate the merchant’s progress towards achieving compliance. If measurable progress has not been made towards achieving compliance, the following disciplinary steps will be executed in this order, unless an appropriate deviation is determined:

  1. Requirement to attend in-person Merchant Card Processing training
  2. Notification from PCI review team of Level 1 noncompliance
  3. Notification from PCI review team of Level 2 noncompliance
  4. Temporary suspension of merchant account for up to 9 months
  5. Permanent termination of merchant account

V. Supporting tools


VI. Related references


VII. Revisions

Procedure Number 3031.C
Date Approved September 1, 2020
Revision Dates Jan. 19, 2021 – Changed Procedure Number to 3031.C from 404.C

Refund of Receipts (RoRs) update

This communication is intended for departments that currently submit RoR requests to the Cash Management team for approval.

Cash Management will be granting approval on a case-by-case basis for use of the voucher upload process to facilitate handling and processing of large batches of refund requests. Voucher uploads are intended to expedite processing of repetitive or large quantities of payments. Please email cashmgt@bussvc.wisc.edu for additional information on this process.

Please note that any refunds relating to Covid-19 activities should be coded to the appropriate Covid Account Codes. Please refer to the link below:

Tracking COVID 19 activities in the accounting system (SFS)

Payment Card Industry (PCI) Compliance Guidelines

The COVID-19 pandemic has created many challenges and constraints for the established business processes of many merchants on campus, including restricted access to campus and, in many instances, offsite work arrangements. The PCI Compliance Team understands that your established business processes may need to be adjusted to continue conducting business.

If you feel that it is necessary for your merchant account to adjust your business processes to accommodate remote payment card processing, please keep in mind that the PCI Data Security Standards are in effect and must be complied with in carrying out adjusted business processes. While the PCI Compliance Team does not have specific protocols and policies in place to accommodate remote work situations, we are requiring the following at a minimum:

  • Documentation of any changes or modifications to established business processes,
  • Business activity must be conducted on UW-Madison issued work computers and equipment,
  • Global Protect VPN is installed, properly functioning, and connected via a secured internet connection, and
  • Anti-virus and malware software are installed and functioning properly.

With these considerations in mind, the PCI Compliance Team will be reviewing requests for remote processing of payment card transactions on a case-by-case basis. Please send requests for alternative payment card processing to PCI-Help@bussvc.wisc.edu. Any questions or concerns can also be directed to this email address.

Check Deposits – Operational update

For information related to sponsored check payments, please visit RSP’s website at:
https://www.rsp.wisc.edu/COVID-19CheckRoutingGuidance.cfm

For information related to UW Foundation check deposits, please visit the following link:
https://businessservices.wisc.edu/covid-19/update-from-wfaa-regarding-gift-processing/

This communication is intended specifically for UW-Madison related check deposits.

We understand the challenges faced by campus staff with the logistics of depositing checks under the current circumstances. Unfortunately, we currently do not have mechanisms in place to facilitate remote handling of check deposits. If this changes, we will inform you. Please use your best judgment in carrying out essential business activities, while ensuring employees’ well-being and safety.

We have received numerous questions and hope to provide some additional guidance through this communication. There are a few options for depositing checks to consider:

  • Deposits made at a US Bank location directly (preferred)
    • Deposits should be secured in a plastic bank bag with deposit ticket and directly dropped off at a US Bank location.
    • Make sure the deposit ticket is included so the bank can process it as a deposit for UW Madison. Each deposit ticket is linked to a specific department and their respective accounting string. If you have any queries, please reach out to us for details at: cashmgt@bussvc.wisc.edu.
    • When making the drop deposits please include a note requesting a receipt. E-mail receipts to cashmgt@bussvc.wisc.edu.
    • For departments without deposit tickets and/or plastic bags, please send requests to cashmgt@bussvc.wisc.edu, and we can request them for your department.
  • ACH/Wire payments (preferred)
    • As an alternative to check payments, departments may request new and existing customers switch to ACH/wire payments for payment directly deposited into the UW-Madison bank account.
    • It’s a fairly simple process and serves as an opportunity to also improve financial internal controls by shifting from checks to electronic payments. The cash management team strongly encourages this option and is readily available to help set this up.
    • For anyone interested, please forward your requests to us at: cashmgt@bussvc.wisc.edu.
  • Deposit checks dropped off at 21 NPS building
    • Access to the building is currently restricted; however, the building manager, Matt Hanson is onsite (Monday through Friday from 7:30AM- 4:30PM) and will accept check deposits.
    • Please co-ordinate drop off with Matt by email (buildingmanager@bussvc.wisc.edu) or cell phone (608-628-2019) to plan your trip.
  • Interdepartmental mail
    • If interdepartmental mail is still operating for your building, please continue to use per normal process.
    • Please be advised that there have been changes to the mail services scope of operations and schedule. Ensure staff and managers are aware of changes for respective campus locations.
  • Armored car pick up services
    • As access to campus buildings has been restricted during the Governor’s stay-at-home order, many Thillens stops on campus have been cancelled or rescheduled. If you need to cancel or request a pick-up, please reach out to us at: cashmgt@bussvc.wisc.edu.

If you have any questions or concerns, please do not hesitate to contact us by email at: cashmgt@bussvc.wisc.edu.

Thank you for your help and co-operation.

Cash Management Reminders

Please ensure that effective internal control practices are in place.

    • Checks and cash receipts are stored safely and deposited in a timely manner
    • Stamp or write on the back of checks: “For UW Madison deposit only”
    • If in doubt, please reach out to us in Cash Management and we are happy to assist
  • State of Wisconsin statute (s 20.906) requires that checks be deposited at least once per week. This requirement is still in effect. Please ensure that your department and teams have made appropriate work arrangements to continue to meet this ‘essential’ requirement

Key Contacts:

Cash Management: (cashmgt@bussvc.wisc.edu)
Omar Siddiqi (omar.siddiqi@wisc.edu)
Maria Villaescusa – Deposit Checks (maria.villaescusa@wisc.edu)
Gian Compuesto – Custodian Funds (gian.compuesto@wisc.edu)

Operational Update

Business Services Update and Guidelines for Cash Management and Disbursement Services.

Under the prevailing circumstances arising from the Covid-19 pandemic, with reduced staffing levels onsite and only ‘essential’ activities being performed on campus, we wanted to provide general guidance and updates to address some of the questions or concerns you may have.

Please keep the following reminders and considerations in mind:

  • Ensure effective internal control practices are in place. For example:
    • checks and cash receipts are stored safely and deposited in a timely manner
    • stamp or write on the back of checks: “For UW Madison deposit only”
    • if in doubt, please contact Cash Management with any questions at cashmgt@bussvc.wisc.edu
  • To date there has been no confirmation from the Department of Administration that there will be flexibility in State of Wisconsin statute (s 20.906), which requires that checks be deposited at least once a week. The Division is working under the assumption that this requirement remains in effect. In partnership with our UW System colleagues, it is mutually recognized that resources, including mail services, are limited and that volume may decrease; do the best you can, while making the safety and wellness of employees the priority.

The Division Cash Management and Disbursement Teams have identified key ‘essential’ activities towards ensuring cash receipts are processed on a regular, periodic basis and properly submitted invoices are paid promptly, to the best of the team’s ability while putting a priority on employee health and wellness. There is currently a small team of essential employees identified to be available at 21 N. Park towards performing the following activities:

  • Interdepartmental mail: Currently, interdepartmental mail will be received on Tuesdays and Fridays and processed as normal.

Cash Management Updates:

  • Deposit Checks: Cash Management will deposit checks twice weekly (Tuesdays and Fridays) to align with interdepartmental mail services.
  • Custodian Funds: Custodian fund requests will be processed as usual. Requests may be sent via email to cstdnfnd@bussvc.wisc.edu and will be processed in 1-2 business days. Any requests received via interdepartmental mail will be processed at least weekly.
  • Refund of Receipts (ROR): Requests for approval in cash management can be sent by email (preferred) at cashmgt@bussvc.wisc.edu. Any requests received via interdepartmental mail will be processed at least weekly.

If you have any questions or concerns relating to Cash Management functions, please do not hesitate to contact us by email at: cashmgt@bussvc.wisc.edu.

Disbursement Updates:

  • Outgoing Checks: Outgoing checks will be created twice weekly (Tuesdays and Fridays) to align with interdepartmental mail services. ACH, PPL, and Wires will continue to be processed daily. Please note this includes Emergency Transaction (ET) checks.
  • Email Payment Requests: Direct Payments (DP) and Payments to Individuals (PIR) may be submitted as a PDF attachment to ap-invoices@bussvc.wisc.edu. The subject line of the email must reference “PIR”, “DP”, or “EMERGENCY TRANSACTION”. The email must be sent from an authorized approver, or the authorization emails must be included in the PDF of the DP or PIR. All required documents must be combined into a single PDF, and only one payment request is permitted per PDF file. Multiple PDFs for multiple requests may be submitted in a single email. Emergency Transactions (ETs) should be emailed to uwmsnap@bussvc.wisc.edu. W-9s that include a social security number (SSN) should be sent via interoffice mail or faxed to (608) 265-9035.

As you may expect, the future status and availability of courier drop-offs or pick-ups from 21 N Park is not known at the present time.

Please note that, at the present time, open office hours for 21 N Park suite 5301 will be reduced to 10:00 am to 12:00 pm. If the building is restricted to building card access, call for pick-up will not be available and all outgoing checks will need to be mailed.

If you have any questions or concerns relating to Disbursement Services function, please do not hesitate to contact us by email at: acctg@bussvc.wisc.edu.

Thank you for your help and cooperation.

3031.B Open and Manage a Merchant Account using an EMV Chip or Swipe Machine Procedure

Open a Merchant Account using an EMV Chip or Swipe Machine

Rev.: 2.12.20
Effective Date: January 1, 2020

Related Policy: UW-3031 Credit Card Merchant Services and PCI Compliance Policy 
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Definitions
V. Related References
VI. Revisions


I. Procedure statement

The University of Wisconsin-Madison can accept payment card payments from customers to pay for goods and services. A payment card device, such as an EMV chip or swipe machine, is a method of processing these payments in-person, over-the-phone, or via fax communication.


II. Who is affected by this procedure

This procedure applies to all UW-Madison departments that accept payment cards via a payment card device. This procedure should be understood by all Divisional Business Representatives (DBRs), Site Managers, and Operators of the merchant accounts.


III. Procedure

Below are the steps for opening a merchant account that uses an EMV chip or swipe machine:

  1. Complete and submit the Card Merchant ID Request Form.
    1. The DBR must approve the new merchant account.
      1. The DBR will receive an email upon completion of the Card Merchant ID Request Form. The DBR should then sign into the portal to approve the request.
    2. The DBR should determine which card brands the new merchant will accept.
      1. The standard set-up for a new merchant account includes MasterCard, Visa, and Discover. Should the department choose to accept American Express cards, an additional reconciliation and an additional connection are required.
  2. Cash Management will review the submitted Card Merchant ID Request Form and contact the Site Manager to facilitate setting up Merchant Connect.
    1. Cash Management will provide information on payment card machines, including pricing information. Standalone payment card machines will ship directly from Elavon to the campus department. The cost of the new payment card machine will be charged to the merchant account.
    2. Each person that will log into Merchant Connect must have a unique operator ID.
  3. The PCI Site Manager must establish card handling procedures and a contingency plan for processing transactions should the primary system be unavailable. Once complete, these policies and procedures shall be submitted to Cash Management via e-mail (pci-help@bussvc.wisc.edu).
  4. Cash Management will schedule a PCI site visit with the Site Manager once a Merchant ID (MID) is assigned by Elavon. During the PCI site visit, Cash Management will review the department’s business policies and procedures and assist with completing the Self-Assessment Questionnaire (SAQ).
  5. When the equipment arrives, verify that the machine displays the correct address, merchant name, and MID when it is turned on.
  6. Record the serial number and manufacturing information at https://charge.wisc.edu/users.
  7. Call Elavon Training at (866) 451-4007 to schedule training on how to use the payment card machine and on transaction settlement. Note that the payment card machine will not auto-settle unless the machine is turned on.
  8. The campus department must make a sticker to place on the terminal containing this information:
    1. Equipment problems, Relationship Premier Services: (800) 725-1245
    2. Supplies such as thermal paper, Customer Service Center: (800) 725-1243
    3. Elavon Training: (866) 451-4007

Merchant account fees

Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees can be seen in WISER once they have been posted. Expenses may include a monthly account maintenance fee of $5.00, Elavon processing fees of approximately 2% of each transaction, and $7.50 for chargeback fees. American Express charges a fee of 2.1% of each transaction.


IV. Definitions

Campus Merchant Department – Manages the daily operations of the merchant account(s) and maintains PCI compliance.

Divisional Business Representative (DBR) – An individual within the dean or divisional office. This individual has the highest level of PCI responsibility including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.

Merchant Connect (MCP) – An online tool from Elavon, the credit card processor, which displays transaction activity and monthly statements.

Site Manager – This individual is the point of contact for the campus department merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.


V. Related references


VI. Revisions

Procedure Number 3031.B
Date Approved January 1, 2020
Revision Dates Jan. 19, 2021 – Changed Procedure Number to 3031.B from 404.B

3031.A Open and Manage an Internet Storefront Merchant Account Procedure

Open and Manage an Internet Storefront Merchant Account Procedure
Procedure # 3031.A
Rev.: 2.12.20
Effective Date: January 1, 2020

Related Policy: UW-3031 Credit Card Merchant Services and PCI Compliance Policy 
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu


Contents

I. Procedure statement
II. Who is affected by this procedure
III. Procedure
IV. Definitions
V. Related references
VI. Revisions


I. Procedure statement

The University of Wisconsin-Madison can accept payment cards from customers to pay for goods and services. An Internet storefront is a method of accepting e-commerce payment transactions via a website.


II. Who is affected by this procedure

This procedure applies to all UW-Madison departments that accept payment cards online. This procedure should be understood by all Divisional Business Representatives (DBRs), Site Managers, and Operators of the merchant accounts.


III. Procedure

Below are the steps for opening an internet storefront merchant account:

  1. Complete and submit the Card Merchant ID Request Form.
    1. The DBR must approve the new merchant account.
      1. The DBR will receive an email upon completion of the Card Merchant ID Request Form. The DBR should then sign into the portal to approve the request.
    2. The DBR should determine which card brands the new merchant will accept.
      1. The standard set-up for a new merchant account includes MasterCard, Visa, and Discover. Should the department choose to accept American Express cards, an additional reconciliation and an additional connection are required.
  2. Cash Management will review the submitted Card Merchant ID Request Form and contact the Site Manager to facilitate setting up CASHNet and Merchant Connect.
    1. Each person that will log into CASHNet and Merchant Connect must have a unique operator ID.
    2. The department should provide a logo for the checkout page.
  3. The PCI Site Manager must establish card handling procedures and a contingency plan for processing transactions should the primary system be unavailable. Once complete, these policies and procedures shall be submitted to Cash Management via e-mail (pci-help@bussvc.wisc.edu).
  4. The PCI Compliance Assistance Team and Elavon will review the website that is being used and ensure that it directs customers to CASHNet for payment. The hosting location must be determined and approved before the Merchant ID (MID) goes into production.
  5. Cash Management will schedule a PCI site visit with the Site Manager once a MID is assigned by Elavon. During the PCI site visit, Cash Management will review the department’s business policies and procedures and assist with completing the Self-Assessment Questionnaire (SAQ).
  6. Cash Management, or designated DoIT staff, will activate the MID within CASHNet after the PCI site visit. Once the MID is in production in CASHNet, the storefront website may be used by customers.
  7. The PCI Site Manager must track all live websites in use that redirect to the payment page. Contact pci-help@bussvc.wisc.edu to close websites that are no longer used for payment.

Merchant account fees

Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees can be seen in WISER/WISDM once they have been posted. Expenses may include a monthly account maintenance fee of $5.00, Elavon processing fees of approximately 2% of each transaction, and $7.50 for chargeback fees. American Express charges a fee of 2.1% of each transaction.


IV. Definitions

  • Campus Merchant Department – Manages the daily operations of the merchant account(s) and maintains PCI compliance.
  • CASHNet – A third-party, e-commerce service provider contracted by the University of Wisconsin that is used to process credit card payments.
  • Divisional Business Representative (DBR) – An individual within the dean or divisional office. This individual has the highest level of PCI responsibility including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.
  • Merchant Connect (MCP) – An online tool from Elavon, the credit card processor, which displays transaction activity and monthly statements.
  • Site Manager – This individual is the point of contact for the campus department merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.

V. Related references


VI. Revisions

Procedure Number 3031.A
Date Approved January 1, 2020
Revision Dates Jan. 19, 2021 – Changed Procedure Number to 3031.A from 404.A