3031.C PCI Non-compliance Procedure

PCI Non-compliance Procedure
Procedure # 3031.C
Rev.:
Effective Date: September 1, 2020

Related Policy: UW-3031 Credit Card Merchant Services and PCI Compliance Policy 
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu


Contents

I. Procedure Statement
II. Who is affected by this procedure
III. Rationale
IV. Procedure
V. Supporting tools
VI. Related References
VII. Revisions


I. Procedure statement

The University of Wisconsin-Madison has merchant accounts which accept payment for goods sold and services rendered via payment card transactions. All merchants that accept payments via payment card must comply with the Payment Card Industry Data Security Standards (PCI DSS). The purpose of this procedure is to provide a framework for the disciplinary steps that will be taken in the event that a UW-Madison merchant account is found to be non-compliant with the PCI DSS. Persistent noncompliance with the PCI DSS after the enactment of the disciplinary steps described in this policy may result in the suspension or termination of the non-compliant merchant account.


II. Who is affected by this procedure

This policy applies to all merchant accounts at UW-Madison that accept payment cards as a form of payment for goods sold and services rendered.


III. Rationale

Deficiencies exist in a merchant account’s operating procedures if a merchant does not appropriately store, process, or transmit cardholder data as defined by the PCI DSS. These deficiencies result in the merchant account being non-compliant with the applicable governance framework. Deficiencies in a merchant’s ability to appropriately secure cardholder data is the foundation of a potential data breach. Acts of noncompliance and data breaches will result in reputational damages such as distrust and loss of consumers, donors, and other stakeholders.

The ability to accept payment card transactions is a convenient and efficient method of collecting revenue owed to the University. As an alternative to cash and with the use and implementation of appropriate card transaction controls, payment cards provide better financial internal controls for the University. The ability to accept payment cards as a method of payment is a privilege granted to the University by the acquirer that UW-Madison is contracted with, Elavon, and the payment card brands: Visa, MasterCard, Discover, and American Express. If a merchant account is not in compliance with the PCI DSS or a data breach occurs, these agencies have the authority to assess fines for noncompliance. Such fines would be assessed separately by each agency per violation and for acts of noncompliance that remain uncorrected as of a designated deadline. These fines accumulate quickly and could result in hundreds of thousands of dollars in monetary damages.

Additionally, if Elavon or the payment card brands are concerned about the University’s ability to appropriately store, process, or transmit cardholder data, UW-Madison’s ability to accept payment cards could be revoked. This decision would require departments to find alternative ways to collect revenue owed to them and could result in a decline in sales.

Managing compliance with the PCI DSS is a responsibility that should be taken seriously because of its significant financial and reputational impacts.


IV. Procedure

The Cash Management, Division of Business Services, and Cybersecurity, Division of Information Technology, teams will jointly conduct of campus merchant accounts to determine the merchant’s level of compliance with the PCI DSS. Upon completion of a merchant account’s annual review, the PCI review team will complete a Risk Assessment. Each Risk Assessment will document the review team’s opinion of the merchant’s level of compliance with the PCI DSS, instances of identified non-compliant practices, and the disciplinary step to be implemented if non-compliant practices are identified. All Risk Assessments will be presented to the merchant’s Divisional Business Representative for review and signature. Below are the following types of opinions that might be issued with examples of possible instances of noncompliance:

Level 0 – No instances of noncompliance identified.

Level 1 – Minor instance(s) of noncompliance identified. Compliant procedures must be implemented as of the next annual review.

  • Incomplete PCI Security Awareness Training
  • Incomplete PCI Operator Training
  • Missing or incomplete device inspection logs
  • Missing business procedures

Level 2 – Significant instance(s) of noncompliance identified. Compliant procedures must be implemented as of a designated deadline which has been agreed upon with the merchant.

  • Working with unsupported technology
  • Lack of security regarding access to physical devices and technology
  • Inability or neglect to provide documentation indicating appropriate security of e-commerce merchant accounts
  • Unauthorized or unsecured storing of cardholder data
  • Inappropriate use of e-commerce merchant accounts for in-person or over-the-phone transaction processing
  • Failure to implement appropriate procedures to resolve Level 1 noncompliance
  • Failure to complete the annual Self-Assessment Questionnaire A 3.2.1 and Attestation of Compliance

If a deficiency in compliance was identified in a previous review, the PCI review team will follow up as of the which has been agreed upon the merchant, to evaluate the merchant’s progress towards achieving compliance. If measurable progress has not been made towards achieving compliance, the following disciplinary steps will be executed in this order, unless an appropriate deviation is determined:

  1. Requirement to attend in-person Merchant Card Processing training
  2. Notification from PCI review team of Level 1 noncompliance
  3. Notification from PCI review team of Level 2 noncompliance
  4. Temporary suspension of merchant account for up to 9 months
  5. Permanent termination of merchant account

V. Supporting tools


VI. Related references


VII. Revisions

Procedure Number 3031.C
Date Approved September 1, 2020
Revision Dates Jan. 19, 2021 – Changed Procedure Number to 3031.C from 404.C