404 Credit Card Merchant Services and PCI Compliance Policy

UW-Madison Administrative Policy
Policy # 404

Effective Date: January 1, 2020
Last Updated: February 12, 2020
Last Reviewed: July 23, 2020
Next Review: December 1, 2020


Policy Summary

UW-Madison departments which accept payment cards as a form of payment for goods and services are required to comply with Payment Card Industry Data Security Standards (PCI DSS). The purpose of the PCI DSS is to ensure payment card data is protected.

The PCI Compliance Assistance Team (PCI CAT) will validate each department’s PCI compliance. Failure to comply with the PCI DSS requirements can result in the loss of payment card processing privileges.


Policy Application

This policy applies to all UW-Madison departments which accept payment cards as a form of payment for goods and services.


Rationale

UW-Madison processes over $100 million in payment card transactions per year. This represents almost 3 million transactions from over 200 merchant accounts. The University is contractually responsible for protecting the payment card data used to process these transactions per the guidance provided by the PCI DSS.

A payment card breach may result in fines starting at $500,000. We must also consider additional costs of a payment card breach which are estimated around $242 per payment card[1]. More importantly, UW-Madison’s reputation would be tarnished. This could result in fewer donors willing to support the University or business partners willing to acquire University resources.

Securing payment card data is everyone’s responsibility. Should there be a data security breach, the department responsible for the merchant account will be responsible for the costs of the breach. UW-Madison can reduce the risk of payment card data being compromised by securing the network, hardware, applications, and processes, and by meeting PCI compliance requirements.

[1] IBM-sponsored report by the Ponemon Institute, Cost of a Data Breach Report 2019.


Policy Detail

The highest level of PCI responsibility belongs to the Divisional Business Representative (DBR). This individual is responsible for approving the initial merchant account request and reviewing the Self-Assessment Questionnaire (SAQ) annually as the executive officer.

Each department accepting payment cards is required to designate a PCI Site Manager for each merchant account. The PCI Site Manager serves as the point of contact for the merchant account and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.

A. Opening a Merchant Account

Cash Management Approval

The implementation of any and all e-commerce websites or payment card devices to collect revenue must be approved by the Cash Management team within the Division of Business Services – Accounting Services Unit, the Office of Cybersecurity, and, when necessary, Purchasing Services. This ensures that all cash management, security, and contractual requirements are adhered to. Third-party vendors which process payment cards on behalf of the University and submit payment via ACH or paper check must also be approved by these departments; CASHNet is the preferred e-commerce vendor on campus.

All revenue must be deposited into a UW-Madison bank account which posts to WISER/WISDM. Gift or donation merchant accounts can only be processed through the University of Wisconsin Foundation (http://www.supportuw.org/how-to-give).

Policies and Procedures

Written PCI policies and procedures must be established by the PCI Site Manager and submitted to Cash Management; templates will be provided by Cash Management upon request. If stated business practices change, all changes must be submitted to Cash Management via e-mail at pci-help@bussvc.wisc.edu. Departments must address the following components in their business policies and procedures for each merchant account:

  1. A listing of the e-commerce sites where items are sold or event registration occurs (e-commerce only).
  2. A listing of payment card devices that are used with the following pieces of information for each device (physical device only):
    1. The physical location of the device;
    2. The type/version of the device;
    3. When the device is used.
  3. A contingency plan for processing transactions should the primary system be unavailable.
  4. That departments are responsible for the physical security of all payment card devices and other equipment used to collect cardholder data (CHD) and will comply with the following procedures (physical device only):
    1. Obtain approval of the PCI CAT for the storage, transmission, and processing of payment card data in an electronic format. All network locations and devices must be specifically approved for processing payment cards;
    2. Maintain an inventory of all payment card devices and their locations;
    3. Inspect the devices to check for tampering or substitution. It is recommended to complete the inspections during regular financial reconciliations but is required to be completed on a quarterly basis at a minimum;
    4. Document the device inspections; a device inspection log template can be found HERE;
    5. Implement training for all personnel to increase understanding of what suspicious behavior, tampering, and substitution look like and procedures on how to report it.
  5. That a list of employees with access to CHD is maintained and reviewed periodically.
  6. That access to CHD is restricted to only those users who need the data to perform their job duties.
  7. A listing of acceptable methods of processing payment cards.
  8. That email must never be used to transmit payment card or personal payment information. If email is used for this purpose, disposal as outlined below is critical:
    1. The email should be replied to immediately with the payment card number deleted stating that, “UW-Madison does not accept payment card data via email as it is not a secure method of transmitting cardholder data;”
    2. Provide a list of the alternative, compliant option(s) for payment;
    3. Delete the email from your inbox and delete it from your email trash.
  9. That fax machines, if used to transmit payment card information to a merchant department, must be standalone machines with appropriate physical security; receipt or transmission of payment card data using a multi-function fax machine is not permitted.
  10. The merchant account’s refund policy. Refunds must be processed with the same payment card account which was used to process the original transaction.

Merchant Account Fees

Any fees associated with the acceptance of payment cards in a campus department will be charged to the related merchant on a monthly basis. These fees can be seen in WISER/WISDM once they have been posted.

For more information on how to open a merchant account, refer to the following procedures:

B. Maintaining a Merchant Account

Internal Controls

The following procedures are required to ensure campus merchants maintain adequate transaction integrity:

  1. A reconciliation of payment card activity to WISER/WISDM should be completed and documented at least monthly. E-commerce orders should be reconciled to the CASHNet reporting portal before any merchandise is shipped.
  2. Adequate separation of duties between sales transaction processing and the physical goods being sold must be maintained. In addition, there should be separation of duties between the person issuing refunds and the individual reconciling the account.
  3. All users are required to have their own CASHNet login and Merchant Connect login for access to transactions, settlements, and monthly fees.
  4. All merchant storefronts or shopping carts are to complete quarterly vulnerability scans. Merchants should remediate any vulnerability within 30 days. Scans can be coordinated through the Office of Cybersecurity at https://it.wisc.edu/services/scanning-tools/.
  5. The merchant should periodically perform transaction walk-throughs to ensure the payment page redirects to CASHNet. After reaching the CASHNet page, the browser can be closed without entering any payment card data.
  6. All payment card devices should be inspected for tampering or substitution based on established procedures; these inspections should be documented.

Storage and Destruction

The storage of payment card data, both electronically and/or on paper, received at any and all locations, must be reviewed and approved by the PCI CAT. The following are procedures that should be implemented to ensure proper storage and destruction of payment card data:

  1. Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents, or electronic files containing CHD.
  2. No database, electronic file, or other electronic repository of information will store the full contents of any track from the magnetic stripe, the card validation code, or the personal identification number (PIN).
  3. Portable electronic media devices should not be used to store CHD. These devices include, but are not limited to, the following: laptops, USB flash drives, portable external hard drives, compact disks, floppy disks, and personal digital assistants.
  4. CHD should not be retained any longer than that defined by a legitimate business need. The portion of a document with CHD should be destroyed immediately after processing the transaction using a cross-cut shredding machine. It is possible to maintain adequate documentation for transactions without retaining CHD.
    1. Mail order forms with payment card information must be secured after the mail is opened.
    2. Any retention of payment card data after the authorization is received must be documented in the department’s policies and procedures and approved by the PCI CAT.
  5. Chargeback documents from Elavon containing CHD must be secured until processed and destroyed (cross-cut shredded) after processing. The maximum period that PCI Operator Training forms and corresponding PCI compliance logs may be retained is three years from the date of creation. For more detail regarding record retention, please see the University of Wisconsin System Fiscal & Accounting General Records Schedule.
  6. All computers on the PCI Network must be returned to DoIT Departmental Support for sanitization (http://www.doit.wisc.edu/services/departmental-support/). The computer can be returned to the department after the sanitization process is completed. Media covered by this requirement includes, but is not limited to: hard drives, tapes, USB drives, etc. The official University Media and Device Disposal and Reuse Policy is documented HERE.

Self-Assessment Questionnaire (SAQ)

The department’s compliance will be validated through the process of completing and submitting an annual SAQ for each merchant account. This provides the department the opportunity to review their payment card acceptance procedures and ensure compliance is being maintained. The PCI CAT reserves the right to validate responses provided by merchants. Failure to validate the department’s compliance through the SAQ submission process will result in merchant account termination. If the merchant and PCI CAT cannot agree on the interpretation of the PCI Standards, a third-party PCI Qualified Security Assessor (QSA) will be consulted for final interpretation.

Training

The following training requirements must be met to maintain compliance:

  1. All new DBRs and Site Managers are required to attend an initial in-person PCI Compliance Training session which is offered twice a year.
  2. All DBRs and Site Managers are required to complete the online PCI Compliance Training renewal annually. This training is completed using Canvas; contact pci-help@bussvc.wisc.edu for access.
  3. Any employee or volunteer that handles a payment card on behalf of UW-Madison is required to complete the PCI Operator Training.
    1. The PCI Site Manager is responsible for tracking the completion of all the PCI Operator Trainings each year.

Risk Assessment

The Office of Cybersecurity, along with the Cash Management team within the Division of Business Services – Accounting Services Unit, will conduct an annual formal risk assessment. Departments may be asked to participate in the formal risk assessment discussion. The risk assessment will identify vulnerabilities and the potential impact to PCI compliance. The likelihood and impact of the threats will be scored, ranked, and prioritized. All threats will be addressed with mitigation tasks, timelines, and/or acceptance statements. Documentation will be maintained from the output of the risk assessment exercise.

Incident Response

In the event of a breach or suspected breach of security, the department or unit must immediately report the incident following the steps documented HERE. If the suspected activity involves computers (hacking, unauthorized access, etc.), immediately notify the DoIT Help Desk.

C. Closing a Merchant Account

A merchant account will be closed if the department fails to comply with this policy and/or PCI DSS requirements. Compliance includes maintaining a Site Manager, completing the required annual training, and submitting the appropriate documentation, such as the annual SAQ. Additionally, a merchant account may be closed if there is no activity for twelve consecutive months.

If the merchant account is no longer needed, a merchant may close its account by contacting Cash Management at pci-help@bussvc.wisc.edu. Confirmation from the DBR will be needed as authorization to close the account. Payment card machines that are no longer needed should be returned to Cash Management at 21 N. Park Street, Suite 6101.


Consequences for Non-Compliance

Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability of the non-compliant merchant(s). In the event of a breach or violation of the PCI DSS, the payment card brands may assess penalties to UW-Madison’s bank which will likely then be passed on to UW-Madison. Any fines and assessments imposed will be the responsibility of the compromised merchant. A one-time penalty of up to $500,000 per card brand per breach can be assessed as well as on-going monthly penalties thereafter until compliance is achieved.

Persons in violation of this policy are subject to sanctions including loss of computer or network access privileges, disciplinary action, suspension and termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. UW-Madison will carry out its responsibility to report such violations to the appropriate authorities.


Supporting Tools


Definitions

CASHNet: A third-party, e-commerce service provider contracted by the University of Wisconsin that is used to process credit card payments.

Card Brands: Payment card networks including Visa, Mastercard, Discover, and American Express.

Cardholder: The person to whom a payment card is issued or any individual authorized to use the payment card.

Cardholder Data (CHD): At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code. The cardholder name with only the last 4 digits of the PAN is not considered CHD and does not need to be protected. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.

Card Identification Number (CID): The three-digit security code on the back of the payment card for MasterCard, Visa, and Discover. The four-digit security code on the front of American Express payment cards.

Chargebacks: Occur when the customer challenges the validity of the original charge and instructs their bank to reverse the charge.

Merchant Connect (MCP): An online tool from Elavon, the credit card processor, which displays transaction activity and monthly statements.

Payment Card: A financial transaction card issued by a financial institution. Also called Bankcard, Charge Card, Credit Card, or Debit Card.

Payment Card Industry Data Security Standards (PCI DSS): A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI DSS represents a common set of tools and measurements to help ensure the safe handling of sensitive information. The standard comprises 12 requirements that are organized in 6 logically related groups or “control objectives.” Failure to conform to these standards can result in losing the ability to process payment card payments, being audited, and/or being fined.

Point-to-Point Encryption (P2PE): A comprehensive set of security requirements for point-to-point encryption solution providers; this PCI standard helps those solution providers validate their work. Using an approved point-to-point encryption solution will help merchants to reduce the value of stolen cardholder data because it will be unreadable to an unauthorized party. Solutions based on this standard also may help reduce the scope of their cardholder data environment and make compliance easier.

Sensitive Authentication Data: Information used to authenticate cardholders and/or authorize payment card transactions including but not limited to card validation codes/values, full track data from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks.

Service Provider: A business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data. Examples include service providers that provide managed firewalls, intrusion detection systems (IDS), and other services.


General Responsibilities

Campus Merchant Department – Manage the daily operations of the merchant account(s) and maintain PCI compliance.

Divisional Business Representative (DBR) – An individual within the dean or divisional office. This individual has the highest level of PCI responsibility including approving the initial merchant account request and annually reviewing the SAQ as the executive officer.

Payment Card Industry Compliance Assistance Team (PCI CAT) – Provide guidance and monitor PCI compliance requirements.

Site Manager – This individual is the point of contact for the campus department merchant account(s) and should have influence to establish procedures for the day-to-day handling of payment cards to ensure compliance.


Links to Related Policies & Procedures