Introduction & Guiding Principles
Oklahoma State University views electronic commerce as an additional outlet for contact with future alumni, faculty, staff, and the public. OSU encourages Colleges and auxiliary departments to utilize electronic commerce as a component of current business functions and interactions.
The use of credit cards or debit cards is a common and widely accepted practice of conducting payment transactions. Oklahoma State University allows departments within the university to establish themselves as credit card merchants to more fully participate in e-commerce at OSU.
The purpose of this policy is to establish guidelines and minimum requirements to be followed when accepting e-Commerce payments, specifically credit and debit card payments.
The Office of the Associate Vice President for Administration and Finance will have oversight responsibility for institutional provisions that define electronic commerce, e-Commerce standards and procedures, and enforcement of Payment Card Industry data security standards at Oklahoma State University.
2.01 e-Commerce
Business transactions over electronic means. This normally means the internet, but can include any electronic interaction – including automated phone banks, touch screen kiosks, or even ATMs. Transactions can include debit/credit cards (historically the primary method of e-Commerce payment), but also include any electronic transfer of funds via ACH.
2.02 Payment Card Industry Data Security Standard [PCI DSS]
A consolidated standard from the major credit card issuers detailing merchant requirements when accepting credit/debit cards. The requirements include network, security (physical/logical), and monitoring components, among others.
2.03 Cardholder Data
Cardholder data is any personally identifiable information associated with a user of a credit/debit card. Primary account number [PAN], name, expiry date, and card verification value 2 [CVV2] are included in this definition.
This policy applies to all University departments, employees, approved vendors, consultants, and other persons associated with the University wishing to conduct e-Commerce via any and all media and delivery mechanisms.
Individual units within the University may define 'conditions of use' for information resources under their control. These statements must be consistent with this overall policy, but may provide additional detail, guidelines, and/or restrictions. Such policies may not relax or subtract from this policy. Where such 'conditions of use' exist, enforcement mechanisms defined therein shall apply. These additional policies will be subject to review and approval by the Office of the Associate Vice President for Administration and Finance.
Any electronic commerce associated with Oklahoma State University must have a basis in University mission. Unrelated e-Commerce activity cannot utilize the university network or associated systems. A Payment Card Industry Security Standards Council (PCI SSC) validated Point to Point Encryption (P2PE) solution is required to utilize the University network for payment processing.
Any transaction, system, application, or process associated with e-Commerce (including credit/debit card transactions) will be performed in compliance with the PCI DSS, OSU standards and procedures for e-Commerce, and retain ongoing approval of the Office of the Associate Vice President for Administration and Finance.
E-Commerce activity will be performed within the centralized solutions provided by Oklahoma State University administration unless a written exception is granted by the Office of the Associate Vice President for Administration and Finance.
The merchants grandfathered in as SAQ-C and SAQ-D levels will hire external assessors to validate compliance with PCI DSS. The department responsible for the merchant will be required to pay for the assessor’s report.
Compliance Failure Penalties
Failure to comply with this policy may have the following consequences:
- Revocation of credit card acceptance for the affected unit.
- Fines (up to $500,000.00) assessed to the responsible branch or department.
- Legal action by injured parties.
- Prosecution for criminal violations.
Following OSU Policies and Procedures, Oklahoma laws and applicable federal laws, OSU strives to protect personal privacy and the confidentiality of information. Departments engaging in e-Commerce are responsible for safeguarding confidential information used in the processing of e-Commerce activity.
Cardholder information can never be transmitted unsecured across a network. Transport Layer Security [TLS] 1.2 at the very minimum is required to transmit cardholder data. Emailing unencrypted credit card numbers is never acceptable.
As a part of the OSU network, wireless connectivity is available for use in the same manner as a wired network jack. However, special considerations and additional security requirements from a PCI DSS standpoint are necessary when connecting to a wireless network for e-Commerce activities. For these reasons, Oklahoma State University has not authorized the use of any wireless network for e-Commerce activities.
The major regulatory body associated with credit card transactions is the PCI Security Standards Council, which promulgates the rules and regulations OSU adheres to in the credit card environment.
Questions or Comments
Any questions or comments regarding this policy should be directed to:
Office of the Associate VP for Administration & Finance
Stillwater, OK 74078