PCI
Payment Card Compliance – PCI
The University of Wisconsin - Whitewater and all of its subsidiaries are required to be PCI compliant per UW System Policy. Additionally, to ensure the university remains PCI compliant, internal audits are performed periodically. For questions or help related to PCI, please contact the PCI Team via Jodi Sumpter (sumpterj@uww.edu) and Kirsten Mortimer (mortimek@uww.edu).
PCI DSS
PCI DSS, the Payment Card Industry Data Security Standard, was a collaboration between card companies like VISA and MasterCard that aimed to set standard security requirements to protect cardholder data across all card brands. For more information on the PCI DSS, you can visit their website.
To begin accepting credit card payments in your department:
Review the requirements and procedures, then email Jodi Sumpter (sumpterj@uww.edu) and Kirsten Mortimer (mortimek@uww.edu) stating your interest in accepting credit card payments.
Requirements for groups or departments that accept credit cards include:
- Annual completion of a Self-Assessment Questionnaire
- Annual completion of training for best payment card acceptance practices
- Annual review of the University policies and procedures related to PCI
- Maintaining documentation of individuals directly involved in the credit card processing environment
- Maintaining documentation of employees who have participated in the annual training
- Responsibility for credit card fees, terminal, compliance, and related charges
- Reconciliation of the daily merchant account activity
The employee will need to complete the PCI training in Canvas and be trained on the department's procedures regarding credit card transactions. They will also need to be added to the documented list of staff using the machines.
Anyone who uses the credit card machines or handles credit card data needs to complete the training.
Cardholder data is transmitted electronically to a payment card processor. The processor receives authorization and payment from the cardholder's bank. Funds are deposited into a University bank account.
Cardholder Data encompasses all of the information stored/encoded/imprinted on the payment card. There are three main groups of data to keep in mind when processing payment cards: payment card data, sensitive authentication data, and personally identifiable data.
- Cardholder Data (CHD)
  - Primary Account Number (PAN)
  - Expiration Date
  - Cardholder Name
- Sensitive Authentication Data (SAD)
  - Magstripe Full Track Data
  - Card Verification Value/Code (CVV/CVC)
  - PIN Number (Bank Card)
- Personally Identifiable Information (PII)
  - Name
  - Address
  - Email/Phone Number