Administrative Procedure 91: Payment Card Procedures
Reference: Credit Card Payment Security Policy
Deborah L. Ford
1. Purpose of Procedures
The purpose of these procedures is to prevent loss or disclosure of cardholder data (CHD) in accordance with University of Wisconsin System Administrative Policy 350, Payment Card Policy.
2. Responsible Institutional Officer
The Cashiers Office and Campus Technology Services (CTS) are responsible for assuring compliance and providing guidance to all departments accepting credit card payments.
Cardholder: The person to whom a payment card is issued or any individual authorized to use the payment card.
Cardholder Data (CHD): At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
High Risk Data: Any data where the unauthorized disclosure, alteration, loss, or destruction may: cause personal or institutional financial loss, or the unauthorized release of which would be a violation of a statute, act, or law; constitute a violation of confidentiality agreed to as a condition of possessing, producing, or transmitting data; cause significant reputational harm to the University; or require the UW System to self-report to the government and/or provide public notice if the data is inappropriately accessed.
Institution: Includes all UW System universities, campuses, and UW System Administration.
Merchant Account: A bank account that enables the holder to accept credit card payment.
Merchant Department: Any department or unit (can be a group of departments or a subset of a department) which has been approved by a UW System institution to accept payment cards. Hereinafter referred to as Departments.
Payment Card: A financial transaction card (credit, debit, etc.) issued by a financial institution; also called Bankcard/Payment Card/Charge Card/Credit Card/Debit Card.
Payment Card Industry Data Security Standards (PCI DSS): A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI DSS represents a common set of tools and measurements to help ensure the safe handling of sensitive information. The standard comprises 12 requirements that are organized in 6 logically related groups or “control objectives”. Failure to conform to these standards can result in losing the ability to process payment card payments and being audited and/or fined.
Sensitive Authentication Data: Security-related information (including but not limited to card validation codes/values, full track data from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Service Provider: A business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data. Examples include service providers that provide managed firewalls, intrusion detection systems (IDS), and other services.
Departments at the University of Wisconsin Parkside (UW Parkside) may accept payment cards as a form of payment. UW Parkside departments that accept payment cards must do so in compliance with the PCI DSS, UW System Administrative Policy 350, Payment Card Compliance Policy, and in accordance with this procedure document, institutional payment card procedures and policies, and state and federal law.
Service Providers and other entities that have access to cardholder data through relationships with UW Parkside are responsible for complying with PCI Standards to ensure the protection of CHD. UW Parkside shall verify the compliance of those entities with PCI standards continuously by reviewing and obtaining relevant compliance documentation (Attestations of Compliance) from Service Providers or third-party entities.
A. Card Acceptance and Handling
The opening of a new merchant account for accepting and processing payment cards is done on a case-by-case basis. Any fees associated with the acceptance of the payment card in that department will be charged to the individual merchant.
1.1 Interested departments should contact the Cashiers Office payment coordinator. Departments are prohibited from obtaining merchant ID numbers directly from credit card companies or third-party vendors. To begin the process of accepting payment cards, the steps include:
1.1.1 Completion of an “Application to become a Merchant Department”.
1.1.2 Completion of training.
1.1.3 Review and acknowledgment of the UW System Administrative Policy 350, Payment Card Compliance Policy, including proof of ongoing compliance with all requirements of the policy.
1.2 Any department accepting payment cards on behalf of the institution must designate an individual within the department who will have primary authority and responsibility within the department for oversight of payment card transactions. The department should also specify a back-up, or person of secondary responsibility, should matters arise when the primary is unavailable. The names of the primary and secondary designees must be kept current and be submitted to the Cashier’s Office.
1.3 Specific details regarding processing, reconciliation, and credit card processing fees (if applicable) will depend on the method of payment card acceptance and type of merchant account. Detailed instructions will be provided when the merchant account is established and are also available by contacting the Cashiers Office.
1.4 All service providers and third-party vendors providing payment card services must be PCI DSS compliant. Departments who contract with third-party providers must maintain a list that documents all service providers and:
1.4.1 Ensure contracts include language stating that the service provider or third-party vendor is PCI DSS compliant and will protect all CHD. Copy of contract must be submitted to the Cashier’s Office.
1.4.2 Annually verify the PCI DSS compliance status of all service providers and third-party vendors. A lapse in PCI DSS compliance could result in termination of the relationship.
B. Payment Card Data Security
All departments that have been authorized by the Cashier’s Office to accept payment card transactions must have their card handling procedures documented and made available for periodic review. Departments must have in place the following components in their procedures and ensure that these components are maintained on an ongoing basis.
I. Processing and Collection
2.1 Access to CHD is restricted to only those users who need the data to perform their jobs. Each merchant department must maintain a current list of employees with access to CHD and review the list periodically to ensure that the list reflects the most current access needed and granted.
2.2 Equipment used to collect CHD is secured against unauthorized use or tampering in accordance with PCI DSS. This includes the following:
2.2.1 Maintain an inventory/list of devices and their locations.
2.2.2 Periodically inspect the devices to check for tampering and substitution.
2.2.3 Train all personnel to be aware of suspicious behavior and of the reporting procedures in the event of suspected tampering or substitution.
2.3 Email and other insecure online methods (chat, instant message, etc.) must never be used to transmit payment card or personal payment information, nor should they be accepted as a method to supply such information. In the event that it does occur, disposal as outlined below is critical. The following must also be included in the employee’s annual training. If payment card data is received in an email:
2.3.1 The email should be replied to immediately with the payment card number deleted stating that, “University of Wisconsin Parkside does not accept payment card data via email as it is not a secure method of transmitting cardholder data.”
2.3.2 Provide alternate, compliant option(s) for payment.
2.3.3 Delete the email from your inbox and your email Trash.
2.4 All UW Parkside equipment used in the processing and collection of credit card information must be PCI compliant and be preapproved by Campus Technology Services (CTS).
2.4.1 Fax machines used to transmit payment card information to a merchant must be standalone machines with appropriate physical security; receipt or transmission of payment card data using a multi-function fax machine is not permitted.
II. Storage and Destruction
3.1 CHD, whether collected on paper or electronically, shall be protected against unauthorized access.
3.2 Physical security controls are to be in place to prevent unauthorized individuals from gaining access to the building, rooms, or cabinets that store the equipment, documents, or electronic files containing CHD.
3.3 No database, electronic file, or other electronic repository of information will store the full contents of any track from the magnetic stripe or the card validation code.
3.4 Portable electronic media devices should not be used to store CHD. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives.
3.5 CHD should not be retained any longer than that defined by a legitimate business need. CHD must be destroyed immediately following the required retention period using a PCI DSS approved method of destruction. The UW System defined maximum period of time that credit card receipts and/or deposit transaction documents may be retained is three years from the date of the transaction, unless a longer retention time period is required by contract or law. The maximum period of time that PCI Operator Training forms and corresponding PCI Compliance Logs may be retained is three years from the date of creation. A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no CHD is kept beyond the required retention period. For more detail regarding record retention, please refer to the University of Wisconsin System Fiscal and Accounting General Records Schedule.
C. Risk Assessment
Campus Technology Services shall implement a formal risk assessment process in which current threats and vulnerabilities to the institution’s network and processing environment, including staff, are analyzed. Risk assessments must be conducted annually and must commence no later than two years after the initial adoption of UW System Administrative Policy 350, Payment Card Policy. CTS should conduct the risk assessment of the infrastructure and threats; departments that accept payment cards should also conduct an assessment of their physical environments and assess the risks to the payment environment. Assessments are to address all threats with mitigation tasks, timelines, and/or acceptance statements. Documented output from the risk assessment exercise(s) is to be prepared and maintained.
D. Incident Response
In the event of a breach or suspected breach of security, the department or unit must immediately execute The Incident Response Plan. The Incident Response Plan will be reviewed annually by CTS to ensure that it meets or exceeds the requirements of UW System Administrative Policy 1033, Information Security; Incident Response.
All employees must notify the Controller in the event of a compromise of customer credit card numbers or of any card processing device. The Controller in Business Services will immediately notify the Bursar in the Cashier’s Office and CTS personnel to review the related security incident. Within twenty-four hours of the security related incident all findings must be presented to the Vice Chancellor for Finance and Administration. The Vice Chancellor for Finance and Administration will determine the appropriate notification to law enforcement, our merchant bank, and the various card associations.
E. Policy and Training
The Cashier’s Office is to ensure policy and procedure documentation governing CHD exists and that it covers the entirety of the PCI DSS.
Departments with merchant accounts are to document and maintain on file, users’ acknowledgment of understanding and compliance with all policies and procedures annually and ensure training on the PCI DSS and overall information security is provided to all staff members with access to CHD and/or processing environment upon hire and at least annually thereafter.
Failure to meet the requirements outlined in the policy will result in suspension of the physical and, if appropriate, electronic payment capability for the affected merchant(s). In the event of a breach or a PCI violation the payment card brands may assess penalties to the institution’s bank, which will likely then be passed on to the institution. Any fines and assessments imposed will be the responsibility of the impacted merchant. A one-time penalty of up to $500,000 per card brand per breach may be assessed, as well as on-going monthly penalties thereafter until compliance is achieved.
Persons in violation of this policy are subject to sanctions, including one or more of the following: loss of computer or network access privileges, disciplinary action, suspension or termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. UW Parkside will carry out its responsibility to report such violations to the appropriate authorities.
5. Related Documents
University of Wisconsin Parkside Policy 91, Credit Card Payment Security Policy
Regent Policy Document 25-5, Information Security
UW System Administrative Policy 350, Payment Card Compliance Policy
UW System Administrative Policy 1010, Information Technology Acquisitions Approval
UW System Administrative Policy 1030, Information Security: Authentication
UW System Administrative Procedure 1030.A, Information Security: Authentication
UW System Administrative Policy 1031, Information Security: Data Classification and Protection
UW System Administrative Procedure 1031.A, Information Security: Data Classification
UW System Administrative Procedure 1031.B, Information Security: Data Protections
UW System Administrative Policy 1032, Information Security: Awareness
UW System Administrative Policy 1033, Information Security: Incident Response
PCI DSS Quick Reference Guide v3.2
University of Wisconsin System Fiscal & Accounting General Records Schedule