Procedure # 3031.A; Rev.: 2.12.20 (Effective January 1, 2020)
Related Policy: UW-3031 Payment Card Merchant Services and PCI Compliance Policy
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu
Contents
- Procedure statement
- Who is affected by this procedure
- Procedure
- Definitions
- Related references
- Revisions
I. Procedure statement
The University of Wisconsin–Madison can accept payment cards from customers to pay for goods and services. An Internet storefront is a method of accepting e-commerce payment transactions via a website.
II. Who is affected by this procedure
This procedure applies to all UW–Madison departments that accept payment cards online. This procedure should be understood by all Divisional Business Representatives (DBRs), Site Managers, and Operators of the merchant accounts.
III. Procedure
Below are the steps for opening an internet storefront merchant account:
- Complete and submit the Card Merchant ID Request Form.
- The DBR must approve the new merchant account.
- The DBR will receive an email upon completion of the Card Merchant ID Request Form. The DBR should then sign into the portal to approve the request.
- The DBR should determine which card brands the new merchant will accept.
- The standard setup for a new merchant account includes MasterCard, Visa, and Discover. Should the department choose to accept American Express cards, an additional reconciliation and an additional connection are required.
- Cash Management will review the submitted Card Merchant ID Request Form and contact the Site Manager to facilitate setting up CASHNet and Merchant Connect.
- Each person who will log in to CASHNet and Merchant Connect must have a unique operator ID.
- The department should provide a logo for the checkout page.
- The PCI Site Manager must establish card handling procedures and a contingency plan for processing transactions should the primary system be unavailable. Once complete, these policies and procedures shall be emailed to Cash Management (pci-help@bussvc.wisc.edu).
- The PCI Compliance Assistance Team and Elavon will review the website that is being used and ensure that it directs customers to CASHNet for payment. The hosting location must be determined and approved before the Merchant ID (MID) goes into production.
- Cash Management will schedule a PCI site visit with the Site Manager once a MID is assigned by Elavon. During the PCI site visit, Cash Management will review the department business policies and procedures and assist with completing the Self-Assessment Questionnaire (SAQ).
- Cash Management, or a specific DoIT staff member, will activate the MID within CASHNet after the PCI site visit. Once the MID is in production in CASHNet, the storefront website may be used by customers.
- The PCI Site Manager must track all live websites in use that redirect to the payment page. Contact pci-help@bussvc.wisc.edu to close the websites that are no longer used for payment.
Merchant account fees
Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees can be seen in WISER/WISDM once they have been posted. Expenses may include a monthly account maintenance fee of $5.00, Elavon processing fees of approximately 2% of each transaction, and $7.50 for chargeback fees. American Express charges a fee of 2.1% of each transaction.
IV. Definitions
- Campus Merchant Department – Manages the daily operations of the merchant account(s) and maintains PCI compliance.
- CASHNet – A third-party, e-commerce service provider contracted by the University of Wisconsin that is used to process credit card payments.
- Divisional Business Representative (DBR) – An individual within the dean or divisional office. This individual has the highest level of PCI responsibility including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.
- Merchant Connect (MCP) – An online tool from Elavon, the credit card processor, which displays transaction activity and monthly statements.
- Site Manager – This individual is the point of contact for the campus department merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.
V. Related references
- UW-3031 Payment Card Merchant Services & PCI Compliance Policy
- Payment Card Industry Data Security Standards (PCI DSS)
- PCI Compliance Team (PCI-CT) Charter
- PCI DSS Quick Reference Guide v3.2
VI. Revisions
Procedure Number | 3031.A |
Date Approved | January 1, 2020 |
Revision Dates | Jan. 19, 2021 – Changed Procedure Number to 3031.A from 404.A |