
Administration and Finance

Information Security Policy


1. Purpose

Oklahoma State University (OSU) is committed to protecting payment card data and ensuring compliance with the Payment Card Industry Data Security Standard (PCI DSS), as established by the PCI Security Standards Council.

The purpose of this policy is to establish requirements for security awareness training for all personnel involved in payment card processing, in alignment with PCI DSS Requirement 12.6.

2. Scope

This policy applies to all OSU employees, student employees, and affiliates and third parties who:

  • Accept payment cards using Point of Sale (POS), Point of Interaction (POI), or card reader devices; and/or
  • Accept payment cards through online or hosted payment solutions.

This includes individuals who operate payment devices, manage payment-related processes, or have administrative or oversight responsibilities for payment card activities.

For the purposes of this policy, these individuals are collectively referred to as OSU merchants.

3. Policy

3.01 Training Requirement

All individuals within the scope of this policy must complete PCI Information Security training at least annually.

Completion of required training is a condition for continued involvement in payment card processing activities.

3.02 Roles and Responsibilities

  • Merchant Services is responsible for establishing and maintaining PCI security awareness training requirements and ensuring alignment with PCI DSS.
  • Departments and Merchants are responsible for ensuring that all applicable personnel complete required training and adhere to secure payment card handling practices.

3.03 Training Content Requirements

The training program provided by Merchant Services must, at a minimum:

  • Address roles and responsibilities for protecting sensitive information and payment card data
  • Include high-level PCI DSS concepts relevant to the individual’s role
  • Reinforce secure handling practices and expected behaviors
  • Require acknowledgement of this policy and applicable OSU security requirements
3.04 Policy Acknowledgement

All individuals subject to this policy must acknowledge their understanding of and responsibility to comply with:

  • This Information Security Training policy
  • Applicable PCI DSS requirements

3.05 Security Awareness and Communication

OSU will maintain ongoing information security awareness efforts to reinforce training and promote secure behavior.

This includes periodic communication to merchants regarding:

  • Emerging threats and vulnerabilities
  • Secure payment card handling practices
  • Updates to policies or payment environments

3.06 Risk-Based Updates and Review

Information security training and awareness activities must be reviewed and updated at least annually based on risk, including:

  • Changes to business processes or payment environments
  • Emerging vulnerabilities and changes in the threat landscape
  • Industry standards and best practices
  • Findings from audits, risk assessments, or security incidents
3.07 Compliance and Enforcement

Failure to comply with this policy may result in:

  • Required retraining
  • Additional disciplinary action in accordance with university policies

Non-compliance may also result in increased institutional risk, financial penalties, and loss of payment card processing privileges.

4. Governance

This policy is part of OSU’s PCI DSS compliance framework and will be reviewed annually to ensure continued alignment with PCI DSS requirements and University security standards.