UW Health Credit Card Handling Policy (policy is used by UWHC and UWMF) (1.52)

UW Health Credit Card Handling Policy (policy is used by UWHC and UWMF) (1.52) - Policies, Administrative, UWHC, UWHC-wide, Administration


Administrative (Non-Clinical) Policy
 UWHC only (Hospital Administrative-entity wide)  UWMF only (entity wide)
 UWHC Departmental (indicate name)  UWMF Departmental (indicate name)
 UWHC and UWMF (shared)

Policy Title: UW Health Credit Card Handling Policy (policy is used by UWHC
and UWMF)
Policy Number: 1.52
Effective Date: January 6, 2015
Chapter: Administrative
Version: Original
UW Health accepts credit cards for patient and insurance payments, as well as various guest services. To
protect against the exposure and possible theft of account and personal cardholder information, and to
comply with Payment Card Industry (PCI) requirement, UW Health will adhere to these standards to limit
its liability and continue its ability to process payments using payment cards.

Cardholder Data - Cardholder Data represents any personal information of the cardholder. This could be
an account number, expiration date, name, address, telephone number, social security number, card
validation code (CVC), or any other cardholder identifying information.

Credit Card - A credit card is a payment card issued to users as a system of payment. In this document,
credit cards include charge cards, cash cards, debit cards, and flex spending cards from an accepted
payment card issuing company like Visa, Mastercard, Discover, or American Express.

Payment Card Industry Council (PCI) - The PCI is a group formed by the credit card industry (VISA,
MasterCard, Discover and American Express) to establish Data Security Standards (DSS) for the
industry. https://www.pcisecuritystandards.org

Data Security Standards (DSS) - Standards developed by the PCI Council to assure consumers that their
credit cards are reliable and secure. These standards include controls for safe handling of sensitive
consumer information.

Merchant - An organization, department, institution or unit that accepts credit/debit cards as a method of
payment for goods, services, information, or gifts.

Merchant Account - An account established for an organization by a bank to credit sale amounts and debit
processing fees.

A. This policy is applicable to staff that process, transmit, or handle cardholder data [i.e., full card
account number, card type, expiration, PIN, and card-validation code (three-digit or four-digit
value printed on the front or back of the card)] in a physical or electronic format for patient or
insurance payments.
B. All computers and electronic devices at UW Health involved in processing payment card data are
governed by the PCI Data Security Standards. This includes servers which store payment card
information, workstations which are used to enter payment card information into Health Link or
other systems, and any computers or credit/debit card swipe devices through which the payment
card information is transmitted. Approved UW Health servers, workstations, or systems that
store credit card information must be segregated on the UW Health network and their information
encrypted to protect card holder information.
C. All transactions that involve the transfer of credit card information must be performed on systems
approved by IS and will include a compliance and security review. Any specialized servers that
have been approved for this activity must be housed behind a UW Health firewall, and must be
administered in accordance with the requirements of all UW Health policies and PCI-DSS
regulatory requirements.
D. Per Payment Card Industry Data Security Standard, staff involved with the acceptance of and
processing of credit card for payment must use adequate processes to ensure the following are
1. Staff must follow established procedures for safeguarding cardholder information and
securing storage of data. This pertains to ALL transactions initiated via the telephone, in-
person, mail, Internet, etc.
2. Credit card numbers must not be transmitted in an insecure manner, using messaging
technologies including, but not limited to e-mail, instant messaging, texting, or unsecured
or stored fax (including RightFax or similar networked fax servers). When using inter-
office mail, the information should be placed in a signed and sealed envelope inside of
the inter-office envelope.
3. Sensitive cardholder data [i.e., full account number, card type, expiration, PIN, and card-
validation code (three-digit or four-digit value printed on the front or back of the card)
should not be stored in any UW Health system, personal computer, or e-mail account.
Electronic lists of customer’s credit card numbers should not be retained.
4. The merchant copy or customer copy of any receipts should not have the entire credit
card number. Old receipts with the entire credit card number should have all but the last
four digits blacked out.
5. All documentation containing card account numbers must be stored in a secure
environment until processed. Secure environments include locked drawers and safes, with
limited access to only individuals who are processing the credit card transaction.
Processing should be completed as soon as reasonably possible. After processing, the
credit card number and the card expiration date should be blacked out and the paper
crosscut shredded.
6. Stored credit card information will be retained according to the approved document
retention policy. All media used for credit cards must be destroyed when retired from use.
All hardcopy must be crosscut shredded prior to disposal.
7. Staff must agree not to disclose or acquire any information concerning a cardholder’s
account without the cardholder’s consent. Sensitive cardholder data should not be shared
with other individuals.
8. All personnel involved in credit card handling must complete annual card security
training in adherence with PCI-DSS requirements.

9. IS will administer the log-in privileges, limit software access to secure locations, delete
access to software for terminated employees, and not use vendor-supplied defaults for
system passwords following Administrative Policy 1.53-UW Health Authentication and
Password Policy.
10. UW Health will require all third parties or third party systems with access to cardholder
data to adhere to PCI-DSS security requirements and provide proof of PCI certification to
the merchant upon request.
Areas that accept credit/debit cards through a physical terminal or a data capture machine, for either
swiped or keyed transactions, need to contact the Finance and IS Departments to execute the required
paper work, obtain a merchant account, receive training, and be given direction as to the balancing of
those payments. Data capture machines must be configured according to PCI-DSS requirements to meet
security standards and UW Health policy. Only approved technologies can be used for processing
payment card transactions and appropriate controls must be used to limit and monitor physical access to
systems in the cardholder data environment. Staff should inspect devices for evidence of tampering prior
to daily use.
A. Limit Access to Cardholder Data
Access to UW Health cardholder data is limited to only those individuals whose job
requires such access. Access limitations must include the following:
1. Restriction of access rights to cardholder data to the least access needed to
perform job responsibilities.
2. Access to cardholder data is based on an individual’s job classification and
3. Access to cardholder data will be granted only after completing training.
B. Physically Secure All Paper Containing Cardholder Data
Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper
reports, faxes, etc.) are subject to the following storage guidelines:
1. Printed reports containing cardholder data are to be physically retained, stored or
archived only within secure UW Health office environments, and only for the minimum
time deemed necessary for their use.
2. All hardcopy media containing cardholder data must be stored in a secure and locked
container (e.g. locker, cabinet, desk, storage bin).
3. Hardcopy material containing cardholder data should never be stored in unlocked or
insecure containers or open workspaces.
4. All hardcopy material containing cardholder data must be easily distinguishable through
labeling or other methods.
5. All confidential or sensitive hardcopy material must be sent or delivered by a secured
courier or other delivery methods that can be accurately tracked.
6. At no time is printed material containing cardholder data to be removed from any UW
Health data center or computer room without prior authorization from management.
7. Custodians of hardcopy media containing cardholder data must perform an inventory of
the media at least annually. Results of inventories shall be recorded in an inventory log.
C. Destruction of Data

All media containing cardholder data must be destroyed when no longer needed for business or
legal reasons. Hardcopy media must be destroyed by shredding, incineration or pulping so that
cardholder data cannot be reconstructed.
D. Staff Education and Training
1. UW Health shall implement and maintain a security awareness program with the intent of
ensuring all employees that process, store, or are otherwise involved in handling
cardholder data are aware of the importance of cardholder data security.
2. UW Health IS Security Officer will ensure employees receive data security awareness
training upon hire as part of New Hire Orientation (NEO) and at least annually. This
program will be administered by IS.
E. Incident Management
1. Anyone who learns of an actual or potential cardholder data security breach must
immediately inform their supervisor and Compliance via the UWHC Compliance Help
Line or the UWMF Compliance Hotline. If a cardholder data security breach involving
electronic resources is suspected, the UW Health IS Computer Security Incident
Response Procedure must be followed. You must also notify the relevant finance
department immediately to report the suspected breach.
2. This breach may also include a release & disclosure of Patient Protected Health
Information and should follow the PHI disclosure policies.
3. If you suspect credit card fraud, please follow the procedures outlined in the Identity
Theft Prevention Program Policy.
4. UW Health will respond to and investigate any incident in which there is a risk that
cardholder data has been accessed without authorization. Indications that such an
investigation may be necessary include, but are not limited to, the following:
a. A computer or device involved in credit card processing is compromised. You
may observe a virus or other malware installed on the system or that
unauthorized configuration changes have been made that cannot be adequately
b. Vulnerability is discovered that could be used to gain unauthorized access to
cardholder data.
c. An external report is received that indicates that UW Health may be a source of
fraudulent transactions, or that cardholder data from UW Health has been
accessed without authorization.
d. Paper, tapes, USB devices, laptops, or other media containing cardholder data
have been lost or cannot be accounted for.
e. Cardholder data has been discussed in public or overheard without authorization.
f. Any of the above occurs with a service provider or other third party involved in
payment card processing for UW Health.
UW Health is a cohesive, united and integrated academic medical enterprise comprised of several entities.
This policy applies to facilities and programs operated by the University of Wisconsin Hospital and
Clinics and the University of Wisconsin Medical Foundation, Inc., and to clinical facilities and programs
administered by the University of Wisconsin School of Medicine and Public Health. Each entity is
responsible for enforcement of this policy in relation to the facilities and programs that it operates.


Hospital Administrative Policy 1.02-Access to Electronic Information Systems
Hospital Administrative Policy 1.04-Workstation Acceptable Use and Security Management
Hospital Administrative Policy 1.53-UW Health Authentication and Password Policy (this is
used by UWHC, UWMF and UWSMPH)
UW Medical Foundation Policy: MF Acceptable Use Policy
UW Medical Foundation Policy: Identity Theft Prevention Program
UW Health Policy SE – POL - 002: UW Health IS Computer Security Incident Response

VII. COORDINATION (the details of Coordination of UWHC and UWMF are shown below. Approval
and coordination of this policy by those entities is per their individual process.)
UWHC Sr. Management Sponsor: UW Health Vice President, Revenue Cycle
UWHC Author(s): UW Health IS Security Officer; UWMF Director Patient Business Services
UWHC Reviewers: Director, Internal Audit
UWHC Approval Committee: Administrative Policy and Procedure Committee

UWMF Sr. Management Sponsor: UW Health Vice President, Revenue Cycle
UWMF Author(s): UW Health IS Security Officer; UWMF Director, Patient Business Services


Ronald Sliwinski
President & CEO

Revision Detail:
Previous revision:
Next revision: January 2018