Procedure # 3031.C; Rev.: 1 (Effective September 1, 2020)
Related Policy: UW-3031 Credit Card Merchant Services and PCI Compliance Policy
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu
Contents
- Procedure statement
- Who is affected by this procedure
- Rationale
- Procedure
- Supporting tools
- Related references
- Revisions
I. Procedure statement
The University of Wisconsin-Madison has merchant accounts which accept payment for goods sold and services rendered via payment card transactions. All merchants who accept payments via payment card must comply must comply with Policy UW-3031 and the Payment Card Industry Data Security Standards (PCI DSS). The purpose of this procedure is to provide a framework for the disciplinary steps that will be taken in the event a UW–Madison merchant account is found to be non-compliant with Policy UW-3031 and the PCI DSS. Persistent noncompliance after the enactment of the disciplinary steps described in this procedure may result in the suspension or termination of the non-compliant merchant account.
II. Who is affected by this procedure
This procedure applies to all UW–Madison departments that accept payment cards via payment card terminals. This procedure should be understood by all relevant personnel including Divisional Business Representatives (DBRs), Site Managers, and Operators of the merchant accounts.
III. Rationale
If a merchant does not appropriately store, process, or transmit cardholder data as defined by Policy UW-3031, deficiencies exist in that merchant account’s standard operating procedures. As a result, these deficiencies deem the merchant account non-compliant with the PCI governance framework. Deficiencies in a merchant’s ability to appropriately secure cardholder data is the foundation of a potential data breach. Acts of PCI noncompliance and data breaches may result in reputational damages, loss of customer confidence and loyalty, and a potential loss of gift and grant donors.
The ability to accept payment card transactions is a convenient and efficient method of collecting revenue owed to the University. This method of payment is a privilege granted to the University by the contracted acquirer, Elavon, and the payment card brands Visa, MasterCard, Discover, and American Express. If a merchant account is not in compliance with the PCI DSS or a data breach occurs, these agencies have the authority to assess fines for noncompliance. These fines begin anywhere between the range of $5,000 to $100,000 per month for violating PCI DSS, depending on the length of noncompliance. These fines would accumulate quickly and could result in hundreds of thousands of dollars in monetary damages.
Further, if Elavon or the payment card brands find the University noncompliant, UW–Madison’s ability to accept payment cards could potentially be revoked. This decision would require departments to find alternative ways to collect revenue and could result in a decline in sales.
IV. Procedure
The Division of Business Services Cash Management team and Division of Information Technology (DoIT) Cybersecurity team will jointly conduct a review of campus merchant accounts’ level of compliance on an annual basis and complete a risk assessment. Each risk assessment will document the review team’s opinion of the merchant’s level of compliance with the PCI DSS. A disciplinary step would be implemented if any non-compliant practices are identified.
All risk assessments which have a level of noncompliance will be presented to the merchant’s Divisional Business Representative for review and signature. Below are examples of possible noncompliance:
Level 0 – No instances of noncompliance identified.
Level 1 – Minor instance(s) of noncompliance identified. Compliant procedures must be implemented as of the next annual review.
- Incomplete PCI Security Awareness Training
- Incomplete PCI Operator Training
- Missing or incomplete device inspection logs
- Missing merchant standard operating procedures
Level 2 – Significant instance(s) of noncompliance identified. Compliant procedures must be implemented as of a designated deadline which has been agreed upon with the merchant.
- Working with unsupported technology or non-approved Service Providers
- Lack of security regarding access to physical devices and technology
- Inability or neglect to provide documentation indicating appropriate security of e-commerce merchant accounts(s); missing the signed Service Provider’s Attestation of Compliance (AoC)
- Unauthorized or unsecured storing of cardholder data
- Inappropriate use of e-commerce merchant accounts or inappropriate use of in-person or over-the-phone transaction processing
- Failure to implement appropriate procedures to resolve Level 1 noncompliance
- Failure to complete the annual Self-Assessment Questionnaire (SAQ)
If a deficiency in compliance was identified and agreed upon by the merchant in a previous review, the PCI review team will follow up and evaluate the merchant’s progress towards achieving compliance. If measurable progress has not been made towards achieving compliance, the following disciplinary steps will be executed in this order:
- Requirement to attend an in-person PCI Training
- Notification from PCI review team of Level 1 noncompliance
- Notification from PCI review team of Level 2 noncompliance
- Temporary suspension of merchant account for up to 9 months
- Permanent termination of merchant account
V. Supporting tools
- e-Commerce Business Procedures Template
- Non-e-Commerce Business Procedures Template
- e-Commerce Security Validation
- Payment Card Terminal Inspection Log
VI. Related references
- UW-3031 Payment Card Merchant Services and PCI Compliance Policy
- Procedure 3031.A: Open an Internet Storefront Merchant Account Procedure
- Procedure 3031.B: Open a Merchant Account Using an EMV Chip or Swipe Machine Procedure
- Payment Card Industry Data Security Standards (PCI DSS)
VII. Revisions
Procedure Number | 3031.C |
Date Approved | September 1, 2020 |
Revision Dates | Jan. 19, 2021 – Changed Procedure Number to 3031.C from 404.C |