Procedure #3031.B; Rev.: 2.12.20 (Effective January 1, 2020)
Related Policy: UW-3031 Credit Card Merchant Services and PCI Compliance Policy
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu
Contents
- Procedure statement
- Who is affected by this procedure
- Procedure
- Definitions
- Related references
- Revisions
I. Procedure statement
The University of Wisconsin–Madison can accept payment card payments from customers to pay for goods and services in person. A payment card terminal is used by a merchant at the point-of-interaction to process payments made in person or over the phone. In some cases, payments can be made via fax communication if proper security is in place and is properly documented.
II. Who is affected by this procedure
This procedure applies to all UW–Madison departments that accept payment cards via payment card terminals. This procedure should be understood by all Divisional Business Representatives (DBRs), Site Managers, and Operators of the merchant accounts.
III. Procedure
Below are the steps for opening a merchant account that uses an approved PCI P2PE or an approved EMV payment card terminal with no electronic cardholder data storage:
- Complete and submit the Card Merchant ID Request Form.
- The Divisional Business Representative (DBR) must approve the new merchant account.
- The DBR will receive an email upon completion of the Card Merchant ID Request Form. The DBR should then sign into the portal to approve the request.
- The DBR should determine which card brands the new merchant will accept.
- The standard setup for a new merchant account includes MasterCard, Visa, and Discover. Should the department choose to accept American Express cards, an additional reconciliation and an additional connection are required.
- Cash Management will review and approve the submitted Card Merchant ID Request Form and contact the Site Manager to facilitate setting up Payments Insider access.
- Cash Management will provide information on payment card machines, including pricing information. Standalone payment card machines will ship directly from Elavon to the campus department. The cost of the new payment card machine will be charged directly to the merchant account.
- Each person who logs into Payments Insider for settlements and monthly statements is required to have a unique operator ID.
- Complex Point of Sale Systems will require additional PCI review and approval, signed contracts, and annual AoC documentation. Please contact pci-help@bussvc.wisc.edu for additional information.
- The PCI Site Manager is required to establish card handling procedures and a contingency plan for processing transactions should the primary system be unavailable. Once complete, these policies and procedures shall be submitted to Cash Management via email (pci-help@bussvc.wisc.edu).
- Cash Management will schedule a PCI site visit with the Site Manager once a Merchant ID (MID) is assigned by Elavon. During the PCI site visit, Cash Management will review the department business policies and procedures and assist with completing the Self-Assessment Questionnaire (SAQ).
- When the equipment is received, verify the machine has the correct address, merchant name, and MID on the machine.
- The PCI Site Manager is responsible for documenting:
  - Make and model of the device(s)
  - Physical location of the device(s)
  - Device serial number(s) or other methods of unique identification
  - Physical inspection of each device periodically to detect tampering, skimming devices, and unauthorized substitution. Record your device information and inspection dates (charge.wisc.edu/users).
- Call Elavon Training at (866) 451-4007 to schedule a training on how to use the payment card terminal; training includes daily transactions and settlements. Note: the payment card terminal will not auto settle unless the terminal is turned on.
- Elavon terminals are factory shipped and contain incorrect information on each terminal. The merchant is required to add the following correct information directly on the terminal:
  - Equipment problems – Relationship Premier Services: (800) 725-1245
  - Supplies such as thermal paper – Customer Service Center: (800) 725-1243
  - Elavon Training: (866) 451-4007
Merchant account fees
Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees will post to WISER on the first of the month for the prior month’s transactions. Expenses include a monthly account maintenance fee of $5.00, Elavon processing fees of approximately 2.5% of each transaction, and in some cases $7.50 for chargeback fees (rare). American Express charges a fee of 2.1% of each transaction.
Requirements to manage a Merchant Account
- Completion of a Self-Assessment Questionnaire every calendar year.
- Participation in assessments of your environment by the designated PCI Compliance Analyst and/or Internal Security Assessor.
- Completion of mandatory annual payment card industry (PCI) merchant training.
- Maintaining documentation of employees who have participated in the annual training, with the ability to produce it for the PCI Compliance Analyst upon request.
- In some instances, maintaining relationships with third-party vendors for department-specific payment applications, to receive compliance documentation from the vendors (AOCs, ASV Scans, etc.).
- Review annually the University Policies and Procedures related to the PCI compliance environment, including UW-3031 Credit Card Merchant Services and PCI Compliance Policy.
- Maintain accurate lists of individuals within your organization directly involved in the credit card processing environment.
- Reconcile the transactions from the merchant account to WISER, at a minimum, monthly.
IV. Definitions
- Campus Merchant Department – Manages the daily operations of the merchant account(s) and maintains PCI compliance.
- Divisional Business Representative (DBR) – An individual within the divisional or dean’s office. This individual has the highest level of PCI responsibility, including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.
- Payments Insider – An online tool from Elavon, the credit card processor, which displays transaction activity and monthly statements.
- Site Manager – This individual is the point of contact for the campus department merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.
V. Related references
- UW-3031 Payment Card Merchant Services & PCI Compliance Policy
- Payment Card Industry Data Security Standards (PCI DSS)
- PCI Compliance Team (PCI-CT) Charter
- PCI DSS Quick Reference Guide v3.2
VI. Revisions
Procedure Number | 3031.B |
Date Approved | January 1, 2020 |
Revision Dates | Jan. 19, 2021 – Changed Procedure Number to 3031.B from 404.B; Sept. 14, 2023 – Small tweaks related to language change (terminal vs. machine) and added a section with what is needed to manage a merchant account. |