University groups, organizations and departments that want to accept credit card payments need to contact the Credit Card Acceptance Team at ccat@uwm.edu.
All groups, organizations, and departments at UWM that accept credit card are required to participate in mandator Payment Card compliance activities. These activities include:
- Annual completion of a Self Assessment Questionnaire every academic / fiscal year
- Participation in in-person assessments of your environment by the UWM designated PCI Compliance Analyst
- Completion of mandatory, annual training in payment card acceptance best practices
- Maintaining documentation at the group, organization, and department level of employees who have participated in the annual training, with the ability to produce to the PCI Compliance Analyst upon request
- In some instances, maintaining relationships with third party vendors for departmental specific payment applications, to receive compliance documentation from the vendors (AOCs, etc)
- Review annually the University Policies and Procedures related to the PCI compliance environment
- Maintain accurate lists of individuals within your organization directly involved in the credit card processing environment
- Review and submit annual Service Level Agreement to the Controller’s Office
Merchants must determine the method or application they wish to accept credit card payments through. If it is a solution that UWM currently doesn’t use, adequate research needs to be performed by the PCI Compliance Analyst to determine the appropriateness of the application for our environment, in an effort to reduce compliance costs, and most importantly, reduce the risk for UWM.
- Contact the Credit Card Acceptance team with a statement of interest to accept credit card transactions. All merchants must be approved by the Controller’s Office. Email: ccat@uwm.edu
- Complete and return the Merchant Card Application
- Complete the Service Level Agreement
- Identify and coordinate with a project manager with your university group to manage the implementation
- Determine the technology you will require
- Review the current Policy and Procedures for University Information Security and the Credit Card Operating Regulations
Policies and Procedures have not been updated as we are waiting for PCI DSS 4.0. Below are the most recent Policies and Procedures, approved by the Credit Card Acceptance Committee and the PCI Policy and Procedure workgroup. You are required to review annually and verify with the PCI Compliance Analyst or Controller’s Office.
The most relevant Policies and Procedures to our current environment are:
- Cardholder Data Information Security Policy
- Data Retention, Retrieval and Secure Disposal Policy
- Incident Management Policy
- Information Incident Response Procedure
- Media Policy & Procedure
- Technology Usage Policy
Historical Policies and Procedures are:
- Access Control Policy
- Asset Classification Procedure
- Application Development Policy
- Audit Log & Monitoring Policy
- Key Management and Encryption Policy
- Log Review Procedure
- Network Device Configuration Standards
- Patch Management and Malicious Code Prevention Policy
- Patch Management Procedure
- System Configuration Standards
- Vulnerability Management Policy
- Approved Applications
Merchant Application (MID) – US Bank merchant application
Service Level Agreement – Service Level Agreement between the department/unit and Controller’s Office
Merchant Card Administration Procedure (ASM) – internal UWM Operating Principles and Responsibilities for accepting credit card activity
Service Level Agreement – Service Level Agreement between the department/unit and Controller’s Office
UWM Credit Card Acceptance Committee Team Charter – Under Review
Glossary of PCI Terms – Definitions of terms according to the PCI Security Standards Council
For UWM Employee MANDATORY Cashier’s Training, please click on the following link: https://uws-td.instructure.com/enroll/YDGJYP