3031.C PCI Non-compliance Procedure

Procedure # 3031.C; Rev.: 1 (Effective September 1, 2020)
Related Policy: UW-3031 Credit Card Merchant Services and PCI Compliance Policy
Functional Owner: Cash Management, Business Services
Contact: PCI Mailbox: pci-help@bussvc.wisc.edu

Procedure statement
Who is affected by this procedure
Rationale
Procedure
Supporting tools
Related references
Revisions

I. Procedure statement

The University of Wisconsin-Madison has merchant accounts which accept payment for goods sold and services rendered via payment card transactions. All merchants who accept payments via payment card must comply must comply with Policy UW-3031 and the Payment Card Industry Data Security Standards (PCI DSS). The purpose of this procedure is to provide a framework for the disciplinary steps that will be taken in the event a UW–Madison merchant account is found to be non-compliant with Policy UW-3031 and the PCI DSS. Persistent noncompliance after the enactment of the disciplinary steps described in this procedure may result in the suspension or termination of the non-compliant merchant account.

II. Who is affected by this procedure

This procedure applies to all UW–Madison departments that accept payment cards via payment card terminals. This procedure should be understood by all relevant personnel including Divisional Business Representatives (DBRs), Site Managers, and Operators of the merchant accounts.

III. Rationale

If a merchant does not appropriately store, process, or transmit cardholder data as defined by Policy UW-3031, deficiencies exist in that merchant account’s standard operating procedures. As a result, these deficiencies deem the merchant account non-compliant with the PCI governance framework. Deficiencies in a merchant’s ability to appropriately secure cardholder data is the foundation of a potential data breach. Acts of PCI noncompliance and data breaches may result in reputational damages, loss of customer confidence and loyalty, and a potential loss of gift and grant donors.

The ability to accept payment card transactions is a convenient and efficient method of collecting revenue owed to the University. This method of payment is a privilege granted to the University by the contracted acquirer, Elavon, and the payment card brands Visa, MasterCard, Discover, and American Express. If a merchant account is not in compliance with the PCI DSS or a data breach occurs, these agencies have the authority to assess fines for noncompliance. These fines begin anywhere between the range of $5,000 to $100,000 per month for violating PCI DSS, depending on the length of noncompliance. These fines would accumulate quickly and could result in hundreds of thousands of dollars in monetary damages.

Further, if Elavon or the payment card brands find the University noncompliant, UW–Madison’s ability to accept payment cards could potentially be revoked. This decision would require departments to find alternative ways to collect revenue and could result in a decline in sales.

IV. Procedure

The Division of Business Services Cash Management team and Division of Information Technology (DoIT) Cybersecurity team will jointly conduct a review of campus merchant accounts’ level of compliance on an annual basis and complete a risk assessment. Each risk assessment will document the review team’s opinion of the merchant’s level of compliance with the PCI DSS. A disciplinary step would be implemented if any non-compliant practices are identified.

All risk assessments which have a level of noncompliance will be presented to the merchant’s Divisional Business Representative for review and signature. Below are examples of possible noncompliance:

Level 0 – No instances of noncompliance identified.

Level 1 – Minor instance(s) of noncompliance identified. Compliant procedures must be implemented as of the next annual review.

Incomplete PCI Security Awareness Training
Incomplete PCI Operator Training
Missing or incomplete device inspection logs
Missing merchant standard operating procedures

Level 2 – Significant instance(s) of noncompliance identified. Compliant procedures must be implemented as of a designated deadline which has been agreed upon with the merchant.

Working with unsupported technology or non-approved Service Providers
Lack of security regarding access to physical devices and technology
Inability or neglect to provide documentation indicating appropriate security of e-commerce merchant accounts(s); missing the signed Service Provider’s Attestation of Compliance (AoC)
Unauthorized or unsecured storing of cardholder data
Inappropriate use of e-commerce merchant accounts or inappropriate use of in-person or over-the-phone transaction processing
Failure to implement appropriate procedures to resolve Level 1 noncompliance
Failure to complete the annual Self-Assessment Questionnaire (SAQ)

If a deficiency in compliance was identified and agreed upon by the merchant in a previous review, the PCI review team will follow up and evaluate the merchant’s progress towards achieving compliance. If measurable progress has not been made towards achieving compliance, the following disciplinary steps will be executed in this order:

Requirement to attend an in-person PCI Training
Notification from PCI review team of Level 1 noncompliance
Notification from PCI review team of Level 2 noncompliance
Temporary suspension of merchant account for up to 9 months
Permanent termination of merchant account

V. Supporting tools

VI. Related references

VII. Revisions

Procedure Number	3031.C
Date Approved	September 1, 2020
Revision Dates	Jan. 19, 2021 – Changed Procedure Number to 3031.C from 404.C

Contents