University groups, organizations and departments that want to accept credit card payments need to contact the Credit Card Acceptance Team at ccat@uwm.edu.

All groups, organizations, and departments at UWM that accept credit card are required to participate in mandator Payment Card compliance activities. These activities include:

• Annual completion of a Self Assessment Questionnaire every academic / fiscal year
• Participation in in-person assessments of your environment by the UWM designated PCI Compliance Analyst
• Completion of mandatory, annual training in payment card acceptance best practices
• Maintaining documentation at the group, organization, and department level of employees who have participated in the annual training, with the ability to produce to the PCI Compliance Analyst upon request
• In some instances, maintaining relationships with third party vendors for departmental specific payment applications, to receive compliance documentation from the vendors (AOCs, etc)
• Review annually the University Policies and Procedures related to the PCI compliance environment
• Maintain accurate lists of individuals within your organization directly involved in the credit card processing environment
• Review and submit annual Service Level Agreement to the Controller’s Office

Merchants must determine the method or application they wish to accept credit card payments through. If it is a solution that UWM currently doesn’t use, adequate research needs to be performed by the PCI Compliance Analyst to determine the appropriateness of the application for our environment, in an effort to reduce compliance costs, and most importantly, reduce the risk for UWM.

Point of Sale Devices (POS)

UWM has relationships with Bluefin, Elavon, and FreedomPay for POS machines. Bluefin terminals are the general terminals deployed for university departments. The recommended model is the PAX A80. Tearsheets on the terminals are below. Please reach out to ccat@uwm.edu to initiate the process with the Controller’s Office and Accounting Services.

PAX A80

PAX A920 (Cellular Model)

Costs

Costs associated with accepting credit cards are listed below. There are associated one time and recurring fees for setup, maintenance, and support of the associated product. Additional administrative fees are variable and depend on the types of credit cards you accept, as well as the volume of transactions you process.

Merchant Fees – Mandatory fees Merchant Number Fee – $5 per month

Administrative Fees Card Issuer Processing Charges PIN Debit Charges Card Association Fees Authorization Fees

POS Device – A80 (Standard) PAX A80 – $248

POS Device A920 – Cellular PAX A920 – $369

Additionally, there are monthly fees with utilizing Bluefin.

• Monthly fee of $15 per terminal which is non-negotiable and mandatory
• Transactions fees of $0.10 per transaction

These fees are assessed as Bluefin is a PCI DSS listed P2PE solution, and has additional fees for the security of the transaction.

**Please reach out to the Credit Card Acceptance Team to verify current costs as they are subject to change**

Credit Card Acceptance Procedure:

1. Contact the Credit Card Acceptance team with a statement of interest to accept credit card transactions. All merchants must be approved by the Controller’s Office. Email: ccat@uwm.edu
2. Complete and return the Merchant Card Application
3. Complete the Service Level Agreement
4. Identify and coordinate with a project manager with your university group to manage the implementation
5. Determine the technology you will require
6. Review the current Policy and Procedures for University Information Security and the Credit Card Operating Regulations

Policies and Procedures have not been updated as we are waiting for PCI DSS 4.0. Below are the most recent Policies and Procedures, approved by the Credit Card Acceptance Committee and the PCI Policy and Procedure workgroup. You are required to review annually and verify with the PCI Compliance Analyst or Controller’s Office.

The most relevant Policies and Procedures to our current environment are:

• Cardholder Data Information Security Policy
• Data Retention, Retrieval and Secure Disposal Policy
• Incident Management Policy
• Information Incident Response Procedure
• Media Policy & Procedure
• Technology Usage Policy

Historical Policies and Procedures are:

• Access Control Policy
• Asset Classification Procedure
• Application Development Policy
• Audit Log & Monitoring Policy
• Key Management and Encryption Policy
• Log Review Procedure
• Network Device Configuration Standards
• Patch Management and Malicious Code Prevention Policy
• Patch Management Procedure
• System Configuration Standards
• Vulnerability Management Policy
• Approved Applications

PCI Addendum Language

Merchant Application (MID) – US Bank merchant application

Service Level Agreement – Service Level Agreement between the department/unit and Controller’s Office

Merchant Card Administration Procedure (ASM) – internal UWM Operating Principles and Responsibilities for accepting credit card activity

Service Level Agreement – Service Level Agreement between the department/unit and Controller’s Office

UWM Credit Card Acceptance Committee Team Charter – Under Review

Glossary of PCI Terms – Definitions of terms according to the PCI Security Standards Council

Approved Vendor List

For UWM Employee MANDATORY Cashier’s Training, please click on the following link: https://uws-td.instructure.com/enroll/YDGJYP