Credit Card Procedures

The information below is intended to provide guidance for departments that would like to accept credit cards as a means of payment for goods or services. All departments must adhere to these procedures to ensure the University is in compliance with Payment Card Industry (PCI) standards.

Managers of Revenue Producing Accounts (RPA) at UW-Superior must obtain approval from the Controller's Office, Main 202, prior to initiating or engaging in credit card payment acceptance for goods or services. There is growing risk, and a legal and regulatory environment, surrounding the responsibilities of organizations that collect payment card numbers from customers to process payment transactions, whether automated or manual. University departments accepting credit/debit cards for payment must meet University policy, state and federal laws, and contractual obligations with the University's banks and financial institutions.

To comply with PCI regulations, we must:

  • Build and maintain a secure network
  • Protect cardholder data
  • Develop and maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test network(s)
  • Follow information security policy and procedures

The estimated costs to accept credit card payments online include:

  • 2% of sales paid to the credit card company (Visa, MasterCard, Discover, etc.)
  • $400 set-up fee to establish a hosted order page (HOP)
  • $600 annual charge for Trustwave PCI consulting services
  • $5 monthly fee for merchant ID
  • Technology Services set-up for HOP and link to the University website
  • Elavon must review HOP/website before activation

The estimated costs to accept credit card payments using a swipe machine include:

  • 2% of sales paid to the credit card company (Visa, MasterCard, Discover, etc.)
  • $300 Hypercom processing machine
  • $100 monthly charge for a dedicated phone line
  • $600 annual charge for Trustwave PCI consulting services
  • $400 cross-cut shredding machine if not currently available
  • $5 monthly fee for merchant ID

The following merchant responsibilities have been developed to assure UW-Superior is in compliance with PCI regulations:

  • Credit card merchant sites (whether online, in person, by mail, or by phone) must be established and maintained through the Business Office.
  • Departments that would like to accept payment cards must submit a request to the Business Office. Departments may not begin accepting payment cards until the request has been approved.
  • Credit card information can be accepted in person or by phone, mail, and secure website. 
  • Credit card information should never be accepted or communicated via e-mail!  Any e-mail received which includes credit card information should be immediately deleted.
  • Credit card information should never be stored on a University computer or server!
  • If it is absolutely necessary to record the entire credit card number to process transactions, all but the last 4 numbers should be blacked out as soon as refunds and disputes are no longer likely, not to exceed 180 days.
  • All paper documents containing credit card numbers should be processed as soon as possible. Documents should be stored in a secure location such as a locked file cabinet or safe room. After processing the transaction(s), the credit card number shall be removed or destroyed.
  • Transactions must be processed using a Hypercom terminal or PCI compliant device, preferably utilizing a dial-up phone line. A dedicated line is not required.
  • Credit card receipts may only display the last 4 digits of the credit card number.
  • Third-party vendors who contract with UW-Superior and have access to credit card information must provide proof of PCI certification.
  • University employees who will be involved with payment card transactions must complete online PCI training.  Upon completion of this training, the department must print and maintain training certificates for each employee with access to payment card information.
  • Departments must contact Technology Services when equipment used to process payment card transactions is transferred, retired, or otherwise removed from the department.  Technology Services is required to wipe any storage, media, or hard drives which may contain payment card data.

Any questions regarding the information above should be directed to the Business Office at 715.394.8017.