404.C PCI Non-compliance Procedure

PCI Non-compliance Procedure

PCI Non-compliance Procedure

Procedure # 404.C
Rev.:
Effective Date: September 1, 2020

Related Policy: 404 Credit Card Merchant Services and PCI Compliance Policy 
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure

III. Rationale
IV. Procedure
V. Definitions
VI. Related References


I. Procedure Statement

The University of Wisconsin-Madison has merchant accounts which accept payment for goods sold and services rendered via payment card transactions. All merchants that accept payments via payment card must comply with the Payment Card Industry Data Security Standards (PCI DSS). The purpose of this procedure is to provide a framework for the disciplinary steps that will be taken in the event that a UW-Madison merchant account is found to be non-compliant with the PCI DSS. Persistent noncompliance with the PCI DSS after the enactment of the disciplinary steps described in this policy may result in the suspension or termination of the non-compliant merchant account.


II. Who is affected by this Procedure

This policy applies to all merchant accounts at UW-Madison that accept payment cards as a form of payment for goods sold and services rendered.


III. Rationale

Deficiencies exist in a merchant account’s operating procedures if a merchant does not appropriately store, process, or transmit cardholder data as defined by the PCI DSS. These deficiencies result in the merchant account being non-compliant with the applicable governance framework. Deficiencies in a merchant’s ability to appropriately secure cardholder data is the foundation of a potential data breach. Acts of noncompliance and data breaches will result in reputational damages such as distrust and loss of consumers, donors, and other stakeholders.

The ability to accept payment card transactions is a convenient and efficient method of collecting revenue owed to the University. As an alternative to cash and with the use and implementation of appropriate card transaction controls, payment cards provide better financial internal controls for the University. The ability to accept payment cards as a method of payment is a privilege granted to the University by the acquirer that UW-Madison is contracted with, Elavon, and the payment card brands: Visa, MasterCard, Discover, and American Express. If a merchant account is not in compliance with the PCI DSS or a data breach occurs, these agencies have the authority to assess fines for noncompliance. Such fines would be assessed separately by each agency per violation and for acts of noncompliance that remain uncorrected as of a designated deadline. These fines accumulate quickly and could result in hundreds of thousands of dollars in monetary damages.

Additionally, if Elavon or the payment card brands are concerned about the University’s ability to appropriately store, process, or transmit cardholder data, UW-Madison’s ability to accept payment cards could be revoked. This decision would require departments to find alternative ways to collect revenue owed to them and could result in a decline in sales.

Managing compliance with the PCI DSS is a responsibility that should be taken seriously because of its significant financial and reputational impacts.


IV. Procedure

The Cash Management, Division of Business Services, and Cybersecurity, Division of Information Technology, teams will jointly conduct of campus merchant accounts to determine the merchant’s level of compliance with the PCI DSS. Upon completion of a merchant account’s annual review, the PCI review team will complete a Risk Assessment. Each Risk Assessment will document the review team’s opinion of the merchant’s level of compliance with the PCI DSS, instances of identified non-compliant practices, and the disciplinary step to be implemented if non-compliant practices are identified. All Risk Assessments will be presented to the merchant’s Divisional Business Representative for review and signature. Below are the following types of opinions that might be issued with examples of possible instances of noncompliance:

Level 0 – No instances of noncompliance identified.

Level 1 – Minor instance(s) of noncompliance identified. Compliant procedures must be implemented as of the next annual review.

  • Incomplete PCI Security Awareness Training
  • Incomplete PCI Operator Training
  • Missing or incomplete device inspection logs
  • Missing business procedures

Level 2 – Significant instance(s) of noncompliance identified. Compliant procedures must be implemented as of a designated deadline which has been agreed upon with the merchant.

  • Working with unsupported technology
  • Lack of security regarding access to physical devices and technology
  • Inability or neglect to provide documentation indicating appropriate security of e-commerce merchant accounts
  • Unauthorized or unsecured storing of cardholder data
  • Inappropriate use of e-commerce merchant accounts for in-person or over-the-phone transaction processing
  • Failure to implement appropriate procedures to resolve Level 1 noncompliance

If a deficiency in compliance was identified in a previous review, the PCI review team will follow up as of the which has been agreed upon the merchant, to evaluate the merchant’s progress towards achieving compliance. If measurable progress has not been made towards achieving compliance, the following disciplinary steps will be executed in this order, unless an appropriate deviation is determined:

  1. Requirement to attend in-person Merchant Card Processing training
  2. Notification from PCI review team of Level 1 noncompliance
  3. Notification from PCI review team of Level 2 noncompliance
  4. Temporary suspension of merchant account for up to 9 months
  5. Permanent termination of merchant account

V. Supporting Tools


VI. Related References

320.8 Using Foundation Funding in e-Reimbursement

Expenses may be charged to the Wisconsin Foundation Alumni Association (WFAA) when appropriate. E-Reimbursement Approvers are responsible for entering WFAA funding. Upon approval of the expense reimbursement, the claimant receives one payment from the University. Accounting Services then bills WFAA for their portion.

Using Foundation Funding in e-reimbursement
Procedure # 320.8
Rev.: 1
Effective Date: June 30, 2020

Related Policy: 320 Expense Reimbursement Policy
Functional Owner: Accounting Services, Division of Business Services
Contact: Expense Reimbursement Program Manager – Graig Brooks (608) 262-8691


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Contact Roles and Responsibilities
V. Definitions
VI. Related References
VII. Revisions


I. Procedure Statement

Expenses may be charged to the Wisconsin Foundation Alumni Association (WFAA) when appropriate.  E-Reimbursement Approvers are responsible for entering WFAA funding.  Upon approval of the expense reimbursement, the claimant receives one payment from the University.  Accounting Services then bills WFAA for their portion.


II. Who is Affected by This Procedure

Employees who seek reimbursement for out-of-pocket or Corporate Card expenses; alternates who prepare expense reimbursements in e-Reimbursement; Approvers and Auditors; Divisional Business Officers and others who have approval authority.


III.   Procedure

A. Expense Report Submission (Traveler/Alternate role)

  1. For expenses with food and/or drinks, claimants/alternates must enter the number of attendees and their names into e-Reimbursement. This is required for the “Meal-Hosted” and “Event-Catering” expense types.  When entering expenses:
    1. Enter the total number of attendees in the “How many people” field.
    2. Enter the names and affiliations of the attendees in the “Add Additional Attendees” box.
      1. For events with 20 or fewer attendees, enter all attendees here. A list attached to the expense report is not sufficient.
      2. For events with more than 20 attendees, enter at least the names and affiliations of all attendees from the University. Attendees from outside organizations may be listed in an attachment.
  2. Claimants submit expense reimbursements without entering WFAA funding. Include in the justification notes the amount being charged to WFAA and the name and number of the WFAA account, if known.

B. Entering Foundation Funding Information (Approver Role): e-Reimbursement approvers are responsible for entering WFAA funding information. Claimants, alternates, and auditors do not have this ability.

  1. Access the expense line funding for the expense being charged to WFAA funding.
    1. While in the summary view of an expense reimbursement in your approval queue, click the Expense Details link.
    2. View the expense line funding by expanding the two grey arrows. The first is to the left of the expense date, the second is above “Accounting Details”.
  2. If expense is split between UW funding and WFAA funding, add additional funding lines as needed. Funding lines are added by using the plus sign at the far right end of the funding string (may require using the scroll bar below the funding string).
    1. Expenses must be split at the funding line level within one expense line. Do not enter multiple expense lines for the same expense.
    2. For Hosted Events and Business Meals, alcohol and meal overages must be split onto separate funding lines. Meal expenses which include alcohol and meal overages will have three funding lines.
      1. Portion allowable on UW funding
      2. Alcohol to WFAA
      3. Meal overages charged to WFAA
  3. For WFAA funding lines, change the account code to 6240. Hit tab. Click the “Foundation” link that appears at the far left of the funding string.
    1. UW Fund Account Type: leave as “UW Foundation” unless instructed to change by Athletics Business Office.
    2. UW Foundation Account Number: enter the 9-digit WFAA account number.
    3. Account Description: enter the title of the WFAA account.
    4. Reason for Foundation Use: enter justification for why WFAA funding is appropriate and/or UW funding is not appropriate.
    5. Click “OK”
  4. Enter any other relevant information in the Description box of the expense line. This Description box and the “Reason for Foundation Use” box are the only justifications WFAA has access to when reviewing these expenses.  The billing process may be delayed if necessary information is included elsewhere in the expense reimbursement.

C. Reimbursement Payment: Claimants receive one payment from the University, even for expense reimbursements split between UW and WFAA funding.

D. Billing Process: Accounting Services bills WFAA for their portion of e-Reimbursement payments after the reimbursements have been paid.


IV. Contact Roles and Responsibilities

  1. Claimant/Alternate: Responsible for understanding and complying with Business Meals, Hosted Events, Official Functions and University travel and purchasing polices. Responsible for entering number of attendees and their names and affiliations.  Responsible for retaining all required documentation.
  2. Approver: Responsible for entering WFAA funding information, ensuring amounts split between WFAA and UW funding are accurate, and providing sufficient justification for e-Reimbursement auditors and WFAA personnel to approve expenses.
  3. Accounting Services: Responsible for reviewing WFAA expenses, billing expenses to WFAA and processing payments from WFAA.

 


V. Definitions

  1. Claimant: individual claiming reimbursement for expenses.
  2. Alternate: individual granted authority to enter expense reimbursements on behalf of a claimant.
  3. Approver: the first reviewer of expense reimbursements, also known as “Required Departmental Approver.”
  4. Auditor: the final expense reimbursement reviewer, also known as “Required Final Approver.”
  5. WFAA: Wisconsin Foundation and Alumni Association. WFAA is a separate, non-profit entity which solicits and accepts gifts on behalf of the University and invests and protects those gift funds until needed by the University.
  6. E-Reimbursement: the University’s web-based expense reimbursement submission and review tool.

VI. Related References


VII.  Revisions

Procedure Number 320.8
Date Approved
Revision Dates

 

 

100.6 Refunding a payment Procedure

This procedure for refunding a payment is specifically for transactions that have been processed through centralized Accounts Receivable.

Refunding a Payment Procedure

Procedure # 100.6
Rev.: 7.1.20
Effective Date: July 1, 2020

Related Policy:Non-Sponsored Centralized Accounts Receivable Policy
Functional Owner: Director of Financial Information Management
Contact: Supervisor Central AR for Non-Sponsored Billing, 608-890-1328, Email: uwmsnar@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Definitions
V. Related References
VI. Revisions


I. Procedure Statement

This procedure for refunding a payment is specifically for transactions that have been processed through centralized Accounts Receivable. Refunds may become necessary as a result of duplicate or over payments made by customers or adjustments and cancelations of invoices that result in overpayments.


II. Who is affected by this Procedure

Any department that sells goods or services for non-sponsored activities should use this procedure.

The SFS Accounts Receivable and Billing System is currently being rolled out to UW-Madison departments for all non-sponsored accounts receivable, including internal and external customers. The use of SFS for non-sponsored billing and receivables was launched in November of 2018 and will be introduced campus-wide in the coming months/years – unless otherwise agreed upon with the Division of Business Services (DoBS).


III. Procedure

The following steps represent the overall process for requesting a refund:

  • If the refund is a result of an adjustment or cancelation of a bill, clearly indicate on the Cancel_Adjust Form that a refund needs to be processed.
  • Any duplicate payments received by customers will be placed on account for the customer in SFS. DoBS will work collaboratively with departments to determine if the payment needs to be refunded or can be applied to other open invoices.
  • Weekly, DoBS will request refunds to be processed through Accounts payable.

The following journal entry is a sample of what will post when a payment is refunded:

Debit: Selling Department Accounts Receivable (#6200) XXXX

Credit: Central funding string for payments                                      XXXX


IV. Definitions

  • Cancellation – Canceling an invoice should only be used when an error has been made on the bill. An error can include the incorrect customer, contact or location identified on the bill. A duplicate bill for services already invoiced would be a good reason to cancel the bill.
  • Adjustment – Adjusting the bill should be reserved for errors in amounts invoiced. Such as charging the wrong rate for a service or the wrong quantity ordered.
  • Refund – The process of returning money to a customer as a result of overpayment for goods or services.

V. Related Resources


VI. Revisions

Procedure Number

 

Date Approved

 

Revision Dates

100.5 Declined Payment Procedure

This procedure is for handling customer payments that have been declined for any reason including insufficient funds, closed bank accounts, etc.

Declined Payment Procedure

Procedure # 100.5
Rev.: 7.1.20
Effective Date: July 1, 2020

Related Policy:Non-Sponsored Centralized Accounts Receivable Policy
Functional Owner: Director of Financial Information Management
Contact: Supervisor Central AR for Non-Sponsored Billing, 608-890-1328, Email: uwmsnar@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Definitions
V. Related References
VI. Revisions


I. Procedure Statement

This procedure is for handling customer payments that have been declined for any reason including insufficient funds, closed bank accounts, etc.


II. Who is affected by this Procedure

Any department that sells goods or services for non-sponsored activities should use this procedure.

The SFS Accounts Receivable and Billing System is currently being rolled out to UW-Madison departments for all non-sponsored accounts receivable, including internal and external customers. The use of SFS for non-sponsored billing and receivables was launched in November of 2018 and will be introduced campus-wide in the coming months/years – unless otherwise agreed upon with the Division of Business Services (DoBS).


III. Procedure

The following steps represent the overall process for a declined payment:

  • Notification received that a credit card or check payment has been declined.
  • Business Services will reverse the payment in SFS and will reinstate the debt outstanding.
  • Business Services will apply an NSF fee of $25 to the customer account for the declined payment.
  • The customer will receive an updated invoice reflecting the additional fee.
  • The NSF fee will be used to offset the bank fees UWMSN incurs. The NSF fee will not be distributed to the department.

The following journal entries are samples of what will post when a declined payment is posted:

Reverse the payment:

Debit: Selling Departments Accounts Receivable $500.00

Credit: Central funding string for bank transactions          $500.00

Add the NSF fee:

Debit: Selling Departments Accounts Receivable $25.00

Credit: Central funding string for bank fee transactions   $25.00


IV. Definitions

  • Cancellation – Canceling an invoice should only be used when an error has been made on the bill. An error can include the incorrect customer, contact or location identified on the bill. A duplicate bill for services already invoiced would be a good reason to cancel the bill.
  • Adjustment – Adjusting the bill should be reserved for errors in amounts invoiced. Such as charging the wrong rate for a service or the wrong quantity ordered.
  • Refund – The process of returning money to a customer as a result of overpayment for goods or services.
  • NSF – Non-sufficient funds. This term is commonly used for when a credit card or check payment is declined. This could be the result of many different reasons such as insufficient funds or closed bank account.

V. Related Resources


VI. Revisions

Procedure Number

 

Date Approved

 

Revision Dates

100.4 Write off and Collection Procedure

Non-Sponsored receivable balances will be managed centrally by the Division of Business Services

Write off and Collection Procedure

Procedure # 100.4
Rev.: 7.1.20
Effective Date: July 1, 2020

Related Policy:Non-Sponsored Centralized Accounts Receivable Policy
Functional Owner: Director of Financial Information Management
Contact: Supervisor Central AR for Non-Sponsored Billing, 608-890-1328, Email: uwmsnar@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Definitions
V. Related References
VI. Revisions


I. Procedure Statement (Non-Sponsored receivable balances will be managed centrally by the Division of Business Services.)

Once an invoice is generated the customer will receive a monthly statement. If payment is not received, the customer will receive dunning letters each month after the due date. Once the invoice reaches 90 days past due, write offs and collection activities will be managed centrally by the Division of Business Services (DoBS) in collaboration with UW-Madison divisions and departments. Write off and collection activities need to be processed timely to ensure responsible stewardship of UW-Madison resources.

Write offs and collection activities are only for External customers. All intra-unit invoices are paid immediately so no collection activities are needed.


II. Who is affected by this Procedure

Any department that has an invoice outstanding in the SFS AR module and has become a doubtful account.

The SFS Accounts Receivable and Billing System is currently being rolled out to UW-Madison departments for all non-sponsored accounts receivable, including internal and external customers. The use of SFS for non-sponsored billing and receivables was launched in November of 2018 and will be introduced campus-wide in the coming months/years – unless otherwise agreed upon with the Division of Business Services.


III. Procedure

The following steps represent the overall process for collection efforts:

  • Statements will be sent for all outstanding invoices regardless of due date on or around the 15th of the month.
  • Dunning letters (reminder notices) will be issued by DoBS monthly on or around the 15th. Dunning letters will begin after 30 days past due and will continue to be sent until the debt is cleared.
  • At 90 days, DoBS will reach out to the billing department to discuss collections. Decision needs to be made at that time if the invoice should be sent to a collection agency, the state of Wisconsin Department of Revenue or written off. If the department is working with the customer on payment, a note can be placed on the account providing detail on the expected date of resolution.

The following steps represent the overall process for requesting a write off:

  • Write -off transactions are initiated through workflow in SFS. Follow instructions on how to initiate a write-off.
  • Write-offs over $1,000 require Dean or Director and DoBS approval.
  • Write offs must include explanation.

The following journal entry is a sample of what will post after a write off has been processed:

Debit: Selling Department contra-revenue account (#9312) XXXX

Credit: Selling Department accounts receivable account (#6200) XXXX


IV. Definitions

  • Doubtful account – a doubtful account refers to outstanding balances that we do not expect to be paid. Typically, a doubtful account takes many things into consideration such as age of the invoice, ability to make contact with the customer or bankruptcy notification.
  • Dunning letter – The word dunning stems from a 17th century word dun which means to demand payment of a debt. Dunning letters are reminder notices that are sent periodically when an accounts receivable balance is past due.
  • Write-off – Write off relevant to this policy means that we cannot collect on the outstanding balance for an invoice. Examples of reasons for a write off would include a customer in bankruptcy or deceased, or the debt has reached the age where we can legally no longer attempt to collect payment (statute of limitations).

 


V. Related Resources


VI. Revisions

Procedure Number

 

Date Approved

 

Revision Dates

100.3 Cancelation or Adjustment of an invoice Procedure

Cancelations and adjustments of open invoices are processed centrally in the Division of Business Services (DoBS). Adjustments and cancelations need to include explanation for the adjustment.

Cancelation or Adjustment of an invoice Procedure

Procedure # 100.3
Rev.: 7.1.20
Effective Date: July 1, 2020

Related Policy:Non-Sponsored Centralized Accounts Receivable Policy
Functional Owner: Director of Financial Information Management
Contact: Supervisor Central AR for Non-Sponsored Billing, 608-890-1328, Email: uwmsnar@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Definitions
V. Related References
VI. Revisions


I. Procedure Statement

Cancelations and adjustments of open invoices are processed centrally in the Division of Business Services (DoBS). Adjustments and cancelations need to include explanation for the adjustment. This procedure should not be used to write off a debt. For instructions on how to write off a debt, please refer to “Write off and Collection Procedure”. Please review the definitions section of this procedure to help determine which process to use.


II. Who is affected by this Procedure

Any department that has an invoice outstanding in the SFS AR module and has found an error in the bill.

The SFS Accounts Receivable and Billing System is currently being rolled out to UW-Madison departments for all non-sponsored accounts receivable, including internal and external customers. The use of SFS for non-sponsored billing and receivables was launched in November of 2018 and will be introduced campus-wide in the coming months/years – unless otherwise agreed upon with the Division of Business Services.


III. Procedure

The following steps represent the overall process for requesting a cancelation or adjustment of an invoice:

  • Fill out the Invoice Cancel_Adjust Form including your signature and the signature of the reviewing party for your area.
  • Submit form to DoBS via email to: uwmsnar@bussvc.wisc.edu
  • Adjustments and cancelations over $1,000 need additional review from the Dean or Director and DoBS.
  • DoBS will create a credit memo in SFS. The credit memo will be matched up to the original invoice to correct the balance due. The customer will receive a copy of the credit memo.

The following journal entries are samples of what will post after a cancelation or adjustment is processed:

Internal customer:

Debit: Selling Department Revenue XXXX

Credit: Buying Department Expense        XXXX

External customer:

Debit: Selling Department Revenue XXXX

Credit: Selling Department Accounts Receivable (#6200) XXXX


IV. Definitions

  • Cancellation – Canceling an invoice should only be used when an error has been made on the bill. An error can include the incorrect customer, contact or location identified on the bill. A duplicate bill for services already invoiced would be a good reason to cancel the bill.
  • Adjustment – Adjusting the bill should be reserved for errors in amounts invoiced. Such as charging the wrong rate for a service or the wrong quantity ordered.
  • Write-off – Write off relevant to this policy means that we cannot collect on the outstanding balance for an invoice. Types of reasons for a write off would include a customer in bankruptcy or deceased, or the debt has reached the age where we can legally no longer attempt to collect payment (statute of limitations).

V. Related Resources


VI. Revisions

Procedure Number

 

Date Approved

 

Revision Dates

100.2 Creating a Bill Procedure

Departments are responsible for entering bills into SFS. The Division of Business Services (DoBS) will generate invoices from the bills entered. Bills can be entered as either one-time or installment. Payment terms generally will be Net30, unless an exception has been approved by DoBS.

Creating a Bill Procedure

Procedure # 100.2
Rev.: 7.1.20
Effective Date: July 1, 2020

Related Policy:Non-Sponsored Centralized Accounts Receivable Policy
Functional Owner: Director of Financial Information Management
Contact: Supervisor Central AR for Non-Sponsored Billing, 608-890-1328, Email: uwmsnar@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Definitions
V. Related References
VI. Revisions


I. Procedure Statement

Departments are responsible for entering bills into SFS. The Division of Business Services (DoBS) will generate invoices from the bills entered. Bills can be entered as either one-time or installment. Payment terms generally will be Net30, unless an exception has been approved by DoBS.


II. Who is affected by this Procedure

Any department that sells goods or services for non-sponsored activities should use this procedure.

The SFS Accounts Receivable and Billing System is currently being rolled out to UW-Madison departments for all non-sponsored accounts receivable, including internal and external customers. The use of SFS for non-sponsored billing and receivables was launched in November of 2018 and will be introduced campus-wide in the coming months/years – unless otherwise agreed upon with the Division of Business Services.


III. Procedure

The following steps represent the overall process for creating a bill:

  • Use the bill upload template to import bills
  • Follow the instructions to upload bills

The following journal entries are a sample of what will post when the bills are generated:

Internal customer:

Debit: Buying Department Expense         XXXX
Credit: Selling Department Revenue                      XXXX

External customer:

Debit: Selling Department Accounts Receivable (#6200) XXXX
Credit: Selling Department Revenue                                                   XXXX


IV. Definitions

  1. Bill – A bill is a document created when a sale is made. A bill becomes an invoice when a balance is due. For the purpose of this policy, intra-unit bills (Madison department to Madison department) never become invoices because the bill is paid at the same time the bill is created.
  2. Invoice – A bill becomes an invoice when the bill is delivered to the customer and creates a balance due.

V. Related Resources


VI. Revisions

Procedure Number

 

Date Approved

 

Revision Dates

100.1 Shared Customer Procedure

UW-Madison Non-Sponsored AR and Billing has a shared customer file that is managed centrally by the Division of Business Services (DoBS).

Shared Customer Procedure

Procedure # 100.1
Rev.: 7.1.20
Effective Date: July 1, 2020

Related Policy:Non-Sponsored Centralized Accounts Receivable Policy
Functional Owner: Director of Financial Information Management
Contact: Supervisor Central AR for Non-Sponsored Billing, 608-890-1328, Email: uwmsnar@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Related References
V. Revisions


I. Procedure Statement

UW-Madison Non-Sponsored AR and Billing has a shared customer file that is managed centrally by the Division of Business Services (DoBS). Departments can request new internal or external customers by submitting the Customer upload file. Customers can have multiple contacts and locations. Modifications to existing customer information including additional contacts or locations should be requested through the uwmsnar@bussvc.wisc.edu mailbox. DoBS will review each customer request to ensure compliance with export control lists such as OFAC.


II. Who is affected by this Procedure

Any department that is using Billing and Accounts Receivable modules in SFS for invoicing to non-sponsored customers either within the UW-Madison community or externally.

The SFS Accounts Receivable and Billing System is currently being rolled out to UW-Madison departments for all non-sponsored accounts receivable, including internal and external customers. The use of SFS for non-sponsored billing and receivables was launched in November of 2018 and will be introduced campus-wide in the coming months/years – unless otherwise agreed upon with the Division of Business Services.


III. Procedure

The following steps represent the overall process for requesting new customers:

  1. Fill out either the Internal or External customer upload file
  2. If the customer is already set up but a different contact or location is needed, fill out the Customer Update Form
  3. Email to DoBS at: uwmsnar@bussvc.wisc.edu
  4. DoBS will review the customer information and ensure the customer is not on any export control lists such as OFAC.
  5. DoBS will reply via email when customers have been set up.

IV. Related References


VI. Revisions

Procedure Number

 

Date Approved

 

Revision Dates

404.B Open a Merchant Account using an EMV Chip or Swipe Machine Procedure

Open a Merchant Account using an EMV Chip or Swipe Machine

Open a Merchant Account using an EMV Chip or Swipe Machine Procedure
# 404.B

Rev.: 2.12.20
Effective Date: January 1, 2020

Related Policy: 404 Credit Card Merchant Services and PCI Compliance Policy 
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Definitions
V. Related References
VI. Revisions


I. Procedure Statement

The University of Wisconsin-Madison can accept payment card payments from customers to pay for goods and services. A payment card device, such as an EMV chip or swipe machine, is a method of processing these payments in-person, over-the-phone, or via fax communication.


II. Who is affected by this Procedure

This procedure applies to all UW-Madison departments that accept payment cards via a payment card device. This procedure should be understood by all Divisional Business Representatives (DBRs), Site Managers, and Operators of the merchant accounts.


III. Procedure

Below are the steps for opening a merchant account that uses an EMV chip or swipe machine:

  1. Complete and submit the Card Merchant ID Request Form found HERE.
    1. The DBR must approve the new merchant account.
      1. The DBR will receive an email upon completion of the Card Merchant ID Request Form. The DBR should then sign into the portal to approve the request.
    2. The DBR should determine which card brands the new merchant will accept.
      1. The standard set up for a new merchant account includes MasterCard, Visa, and Discover. Should the department decide to choose to accept American Express cards, an additional reconciliation and an additional connection is required.
  1. Cash Management will review the submitted Card Merchant ID Request Form and contact the Site Manager to facilitate setting up Merchant Connect.
    1. Cash Management will provide information on payment card machines, including pricing information. Standalone payment card machines will ship directly from Elavon to the campus department. The cost of the new payment card machine will be charged to the merchant account.
    2. Each person that will log into Merchant Connect must have a unique operator ID.
  1. The PCI Site Manager must establish card handling procedures and a contingency plan for processing transactions should the primary system be unavailable. An example of department business policies and procedures can be found HERE. Once complete, these policies and procedures shall be submitted to Cash Management via e-mail (pci-help@bussvc.wisc.edu).
  1. Cash Management will schedule a PCI site visit with the Site Manager once a Merchant ID (MID) is assigned by Elavon. During the PCI site visit, Cash Management will review the department business policies and procedures and assist with completing the Self-Assessment Questionnaire (SAQ).
  1. When the equipment arrives, verify the machine has the correct address, merchant name, and MID on the machine when it is turned on.
  1. Record the serial number and manufacturing information at https://charge.wisc.edu/users.
  1. Call Elavon Training at 866-451-4007 to schedule a training on how to use the payment card machine and transaction settlement. Note that the payment card machine will not auto settle unless the machine is turned on.
  1. The campus department must make a sticker to place on the terminal containing this information:
    1. Equipment problems Relationship Premier Services: 800-725-1245
    2. Supplies such as thermal paper call Customer Service Center: 800-725-1243
    3. Elavon Training: 866-451-4007

IV. Merchant Account Fees

Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees can be seen in WISER/WISDM once they have been posted. Expenses may include a monthly account maintenance fee of $5.00, Elavon processing fees of approximately 2% of each transaction, and $7.50 for chargeback fees. American Express charges a fee of 2.1% of each transaction.


V. Definitions

Campus Merchant Department – Manage the daily operations of the merchant account(s) and maintain PCI compliance.

Divisional Business Representative (DBR) – An individual within the dean or divisional office. This individual has the highest level of PCI responsibility including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.

Merchant Connect (MCP) – An online tool from Elavon, the credit card processor, which displays transaction activity and monthly statements.

Site Manager – This individual is the point of contact for the campus department merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.


VI. Related References


VII. Revisions

Procedure Number: 404.B
Date Approved: 02/12/2020
Next Revision: 12/01/2020

404.A Open an Internet Storefront Merchant Account Procedure

Open an Internet Storefront Merchant Account Procedure

Open an Internet Storefront Merchant Account Procedure
Procedure # 404.A
Rev.: 2.12.20
Effective Date: January 1, 2020

Related Policy: 404 Credit Card Merchant Services and PCI Compliance Policy 
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is Affected by this Procedure
III. Procedure
IV. Definitions
V. Related References
VI. Revisions


I. Procedure Statement

The University of Wisconsin-Madison can accept payment cards from customers to pay for goods and services. An Internet storefront is a method of accepting e-commerce payment transactions via a website.


II. Who is affected by this Procedure

This procedure applies to all UW-Madison departments that accept payment cards online. This procedure should be understood by all Divisional Business Representatives (DBRs), Site Managers, and Operators of the merchant accounts.


III. Procedure

Below are the steps for opening an internet storefront merchant account:

  1. Complete and submit the Card Merchant ID Request Form found HERE.
    1. The DBR must approve the new merchant account.
      1. The DBR will receive an email upon completion of the Card Merchant ID Request Form. The DBR should then sign into the portal to approve the request.
    2. The DBR should determine which card brands the new merchant will accept.
      1. The standard set up for a new merchant account includes MasterCard, Visa, and Discover. Should the department decide to choose to accept American Express cards, an additional reconciliation and an additional connection is required.
  1. Cash Management will review the submitted Card Merchant ID Request Form and contact the Site Manager to facilitate setting up CASHNet and Merchant Connect.
    1. Each person that will log into CASHNet and Merchant Connect must have a unique operator ID.
    2. The department should provide a logo for the checkout page.
  1. The PCI Site Manager must establish card handling procedures and a contingency plan for processing transactions should the primary system be unavailable. An example of department business policies and procedures can be found HERE Once complete, these policies and procedures shall be submitted to Cash Management via e-mail (pci-help@bussvc.wisc.edu).
  1. The PCI Compliance Assistance Team and Elavon will review the website that is being used and ensure that it directs customers to CASHNet for payment. The hosting location must be determined and approved before the Merchant ID (MID) goes into production.
  1. Cash Management will schedule a PCI site visit with the Site Manager once a MID is assigned by Elavon. During the PCI site visit, Cash Management will review the department business policies and procedures and assist with completing the Self-Assessment Questionnaire (SAQ).
  1. Cash Management, or a specific DoIT staff, will activate the MID within CASHNet after the PCI site visit. Once the MID is in production in CASHNet, the storefront website may be used by customers.

IV. Merchant Account Fees

Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees can be seen in WISER/WISDM once they have been posted. Expenses may include a monthly account maintenance fee of $5.00, Elavon processing fees of approximately 2% of each transaction, and $7.50 for chargeback fees. American Express charges a fee of 2.1% of each transaction.


V. Definitions

Campus Merchant Department – Manage the daily operations of the merchant account(s) and maintain PCI compliance.

CASHNet – A third-party, e-commerce service provider contracted by the University of Wisconsin that is used to process credit card payments.

Divisional Business Representative (DBR) – An individual within the dean or divisional office. This individual has the highest level of PCI responsibility including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.

Merchant Connect (MCP) – An online tool from Elavon, the credit card processor, which displays transaction activity and monthly statements.

Site Manager – This individual is the point of contact for the campus department merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.


VI. Related References