Internet-Based Credit Card Processing Policy
Responsible Offices: Office of Information Services & Office of the Controller
Policy Purpose: To protect against the exposure and possible theft of account and personal cardholder information that has been provided to PSU offices during the course of business with the University; and to comply with credit card company requirements for transferring credit card information over the Internet.
The Internet-Based Credit Card Processing Policy is one of the documents related to the PSU eCommerce Infrastructure. This infrastructure was created to support electronic business (eBusiness) conducted over the Internet. It supports credit card financial transactions, digital signatures for approving credit card transactions, certificates that establish electronic identification, and other electronic methods needed to support the electronic transmission of financial transactions.
Scope: This policy is applicable to any PSU administered unit that processes, transmits, or handles cardholder information in electronic format. Affiliated corporations will also be expected to comply.
General Policy Provisions
All electronic-based transactions that involve the transfer of credit card information must be performed on the systems provided by Information Services for this purpose. All specialized servers that have been approved for this activity must be housed within Information Services and administered in accordance with the requirements of the eCommerce Server Compliance Requirements and the Cardholder Information Security Program (CISP). The Information Technology Security Officer will be responsible for verifying compliance with industry best practices for conducting electronic payment transactions on the central server.
No credit card numbers should be transmitted or stored in any other system, personal computer, or e-mail account.
Exceptions to this policy may be granted only after a written request from the unit has been reviewed and approved by the Director, Office of Information Services and the university Controller.
Responsibilities of Information Services
Provide a central secure server for the purpose of transacting electronic payments, and for data storage, as required for compliance with credit card company regulations.
Provide advice, how-to guides, and tools that enable departments to follow industry best practices for access control, firewalls, patching, data storage, passwords, encryption, and security. Work with university departments and affiliated organizations to evaluate and approve third-party services that collect, record, or process credit card numbers.
Investigate suspected security breaches and coordinate the response with the appropriate credit card agency, affected customers, and law enforcement as needed (see Cardholder Information Security Program (CISP) Security Audit Procedures and Reporting).
Responsibilities of the Controller's Office
Monitor the use of credit card transactions for compliance with this policy and other University policy, state/federal laws and regulations, and contracts with financial institutions.
Approve each unit requesting to electronically accept credit cards, and perform an annual review of all approved units to ensure compliance.
Oversee credit card accounting for each approved unit.
Responsibilities of University Departments
Use only the central secure server provided by IS for the purpose of transacting electronic payments, and for handling cardholder information.
Reconcile and verify credit card transactions as part of the normal accounting reconciliation process.
Notify ITSO of any suspected security breaches.
Consequences
Failure to meet the requirements outlined in this policy will result in suspension of electronic payment capability for affected units. Additionally, fines may be imposed by the affected credit card company, beginning at $50,000 for the first violation.
Persons in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment, dismissal from the University, and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.
Approved by Information Technology Council: June 30, 2005
Signed by President Tom Bryant: July 21, 2005
Review Cycle: Annual
