Procedure # 3031.A; Rev.: 3 (Effective January 1, 2020)
Related Policy: UW-3031 Payment Card Merchant Services and PCI Compliance Policy
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu
Contents
- Procedure statement
- Who is affected by this procedure
- Procedure
- Definitions
- Related references
- Revisions
I. Procedure statement
An e-commerce website is a method of accepting online payment transactions for merchants to sell products or services online. All e-commerce merchants must be approved by their dean’s office and Cash Management within the Division of Business Services.
Transact/Cashnet is the contracted comprehensive solution for campus-wide e-commerce payments.
All e-commerce websites are required to use authorized secure websites supported by DoIT's Web & Mobile Solutions (WaMS), so that security updates and maintenance of the systems are managed appropriately. Learn more on the Set up or Maintain a Cashnet/Transact Payments Storefront page.
Also permitted are Transact/Cashnet-ready partners or approved third-party service providers with contractual agreements including appropriate Payment Card Industry (PCI) language. This program is used where external vendors can pass payments to Transact/Cashnet securely in a Payment Card Industry Data Security Standards (PCI DSS) compliant manner.
Transact/Cashnet storefronts may also be built for a simple category of items. These are hosted by and exist entirely within the Transact/Cashnet Store. The site appearance is somewhat fixed and has character limits for item descriptions. Business Services will update product information and prices upon request.
Do not sign a click-through contract with any vendor or third-party service provider that could impact the credit card environment.
All merchants are required to complete the annual PCI requirements listed in Policy UW-3031. These PCI requirements are validated annually by the PCI Compliance Team.
II. Who is affected by this procedure
This procedure applies to all UW–Madison merchants that accept payment cards online. This procedure should be understood by all Divisional Business Representatives (DBRs), Site Managers, and relevant staff of the merchant accounts.
III. Procedure
Below are the steps for opening an internet storefront merchant account:
- Complete and submit the Card Merchant ID Request Form.
- The Divisional Business Representative (DBR) receives an email with the submitted request. The DBR is required to approve the new merchant account.
- Payment cards accepted are American Express, Discover, MasterCard, and Visa.
- Authorized staff within Cash Management will review the submitted Card Merchant ID Request Form and contact the Site Manager to facilitate setting up the merchant account and related systems.
- Each person that requires access to Transact/Cashnet will be set up with a unique operator ID.
- Provide a departmental logo for the checkout page for e-Commerce Transact/Cashnet set-ups.
- The PCI Site Manager must establish card handling procedures and a contingency plan for processing transactions should the primary system be unavailable. Once complete, email these policies and procedures to Cash Management (pci-help@bussvc.wisc.edu).
- Elavon, the merchant card processor, will review the website prior to deploying the new merchant account. When the merchant account is approved, Elavon will assign a merchant ID number. Appropriate merchant staff will be required to have access to merchant account activity in the secure online portal, Payments Insider, to ensure they have access to all merchant account activity used in reconciliation.
- Before moving the e-commerce merchant account into production, a final PCI review is required. The review will be performed by staff in Cybersecurity and Cash Management and will assist with completing the Self-Assessment Questionnaire (SAQ).
- Once the account is in production within Transact/Cashnet, the storefront website may be used by customers.
- The PCI Site Manager is required to track all live websites in use that redirect to the payment page. Contact pci-help@bussvc.wisc.edu to close the websites that are no longer used for payment.
- Annually, ensure the current Attestation of Compliance (AoC) is obtained from all merchants using a Third-Party Service Provider directly involved in processing, storage, or transmission of cardholder data, or in services that could impact the security of their cardholder data environments.
- Reminder: All employees who process payment cards or may impact the security of the cardholder environment must complete annual UW PCI Training.
Merchant account fees
All fees associated with the merchant account and activity will be charged directly to the related merchant monthly. Fees include a monthly account maintenance fee of $5.00, Elavon processing fees passed on by the card brands, approximately 2.5% of each transaction, $7.50 for chargeback fees, and any other system fee involved in the process.
IV. Definitions
- Cashnet/Transact – A third-party, e-commerce service provider contracted by the University of Wisconsin that is used to process credit card payments.
- Divisional Business Representative (DBR) – An individual within the dean or divisional office. This individual has the highest level of PCI responsibility, including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.
- Merchant – The school, college, or department that is responsible for managing the daily operations of the merchant account(s) activity and is the legal entity required to maintain PCI compliance.
- Payments Insider – An online customer portal from Elavon, the credit card processor, which displays transactional activity and monthly statements used for reconciliation and other merchant account business needs.
- Site Manager – This required role for the merchant account is an individual who is the point of contact for the merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.
V. Related references
- UW-3031 Payment Card Merchant Services & PCI Compliance Policy
- Payment Card Industry Data Security Standards (PCI DSS)
- PCI Compliance Team (PCI-CT) Charter
- PCI DSS Quick Reference Guide v3.2
VI. Revisions
| Procedure Number | 3031.A |
| Date Approved | January 1, 2020 |
| Revision Dates | Jan. 19, 2021 – Changed Procedure Number to 3031.A from 404.A; November 17, 2025 – Clarifying procedural steps, including workflow, accepted card brands, and customer portal information. |