
Bruce Maas
Vice Provost for Information Technology, and Chief Information Officer
Giving Credit
May 4, 2012
By Bruce Maas
This is a different column from what I normally write. Bear with me as I tell a “behind-the-scenes” story about something many of you never need to think about.
Like most places in our increasingly cashless society, UW-Madison relies on credit and debit cards for commerce. Buying lunch at the Union, Badger gear at Camp Randall, or parking at Grainger usually happens with plastic.
Making card services broadly available is convenient for all of us. But that convenience comes with a price. The credit card industry imposes strict rules on merchants who offer payment by card and exacts stiff penalties on those who allow security breaches to occur through non-compliance.
Visa and American Express charge a penalty of $50,000 for the first compromise, and it goes up if more breaches occur. MasterCard charges $25,000 a day if a merchant does not comply with industry standards. At Discover, the maximum fine is $100,000 per violation.
Complying with the Payment Card Industry Data Security Standard (PCI DSS) is a major priority for the campus. UW-Madison has more than 200 entities that accept payment by credit or debit card. A security breach at any one of them could incur penalties so harsh that we could no longer offer the use of the card at all. That would seriously disrupt our business, given that our credit and debit card transactions totaled more than $80 million last year.
In November of 2009, we set out to develop a formal process for ensuring campus compliance with PCI standards. A PCI Compliance Assistance Team was formed, including staff from Business Services, the Office of Campus Information Security (OCIS), Cash Management, Purchasing, and DoIT. We set up a governance structure that involves divisional business representatives (DBRs), who are responsible for site managers, who oversee the thousands of on-site operators who handle card transactions for UW-Madison.
Since then, we have upgraded our hardware and software, trained (online and in-person) 175 DBRs and site managers and more than 2,000 operators, established a means of scanning for vulnerabilities in our systems, and completed hundreds of self-assessment questionnaires. In June, we will sign an “Attestation of Compliance” that will certify our ability to meet industry standards.
Achieving full PCI compliance was a major effort that required technical skill and organizational coordination. We were able to convince departments offering credit card services that joining the campus compliance effort would be a good deal for them. We now have a structure that ensures that the many flavors of campus web storefronts and point-of-sale systems are processing payments safely and securely. An evaluator who reviewed our system last week was amazed that a campus as large and diverse as ours was able to do this so effectively.
My colleague Don Miner, recently retired leader of Business Services, often said that people are a big part of the equation. Thanks to all of you—our campus partners—who took part in this incredibly effective behind-the-scenes project. Now we can all feel confident that the student selling an ice cream cone at Babcock understands how to handle our credit card payment; that when we buy a game ticket at Athletics, our credit card will be processed safely; that our computer purchase at the DoIT Tech Store will be secure. We are grateful for your professionalism and dedication. Nice job!
--Bruce

