Administration and Finance

OSU E-Commerce & PCI Policy


Introduction & Guiding Principles

Third-Party Service Provider (TPSP) Management Program

Physical Security Program for POS/POI/Card Reader Devices

Questions or Comments

Introduction & Guiding Principles

1.01

Oklahoma State University encourages colleges and auxiliary departments to utilize electronic commerce, or e-commerce, as an additional point of contact with future alumni, faculty, staff, and the public. OSU views e-commerce as an integral component of current business functions and interactions.

1.02

Because credit and debit cards are so commonly used in payment transactions, OSU allows departments within the university to establish themselves as credit card merchants to more fully participate in e-commerce at OSU.

1.03

The purpose of this policy is to establish guidelines and minimum requirements to be followed when accepting e-commerce payments, specifically credit and debit card payments.

1.04

The Office of the Associate Vice President for Administration and Finance has oversight responsibility for institutional provisions that define electronic commerce, e-commerce standards and procedures, and enforcement of payment card industry data security standards at Oklahoma State University.

Definitions

2.01 e-Commerce

E-commerce encompasses all business transactions conducted over electronic means. This normally means the internet but can include any electronic interaction, including automated phone banks, touch screen kiosks, and even automated teller machines, or ATMs. Transactions can include debit or credit cards (historically the primary method of e-commerce payment) but can also include any electronic transfer of funds via ACH. (The Automated Clearing House, or ACH, is the primary method of fund transfer from one bank to another, enabling payments to be made online.)

2.02 Payment Card Industry Data Security Standard [PCI DSS]

Payment Card Industry Data Security Standard [PCI DSS] is a consolidated standard from the major credit card issuers detailing merchant requirements when accepting credit/debit cards. The requirements include network, security (physical/logical), and monitoring components, among others.

2.03 Cardholder Data

Cardholder data is any personally identifiable information associated with a user of a credit/debit card account. Primary account number [PAN], name, expiry date, and card verification value 2 [CVV2] are included in this definition.

Scope

3.01

This policy applies to all university departments, employees, approved vendors, consultants, and other persons associated with the university wishing to conduct e-commerce via any and all media and delivery mechanisms.

3.02

Individual units within the university may define “conditions of use” for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines, and/or restrictions. Such policies may not relax or subtract from this policy. Where such “conditions of use” exist, enforcement mechanisms defined therein shall apply. These additional policies will be subject to review and approval by the Office of the Associate Vice President for Administration and Finance.

Policy

4.01

Any electronic commerce associated with Oklahoma State University must have a basis in university mission. Unrelated e-commerce activity cannot utilize the university network or associated systems. A Payment Card Industry Security Standards Council (PCI SSC) validated Point to Point Encryption (P2PE) solution is required to utilize the university network for payment processing.

4.02

Any transaction, system, application, or process associated with e-commerce (including credit/debit card transactions) shall be performed in compliance with the PCI DSS and OSU standards and procedures for e-commerce, and shall retain ongoing approval of the Office of the Associate Vice President for Administration and Finance.

4.03

E-commerce activity will be performed within the centralized solutions provided by Oklahoma State University administration unless a written exception is granted by the Office of the Associate Vice President for Administration and Finance.

4.04

The merchants grandfathered in as SAQ-C and SAQ-D levels will hire external assessors to validate compliance with PCI DSS. The department responsible for the merchant will be required to pay for the assessor’s report.

Compliance Failure Penalties

5.01

Failure to comply with this policy may have the following consequences:

  1. Revocation of credit card acceptance for the affected unit.
  2. Fines (up to $500,000.00) assessed to the responsible branch or department.
  3. Legal action by injured parties.
  4. Prosecution for criminal violations. 

Special Notifications

6.01

Following OSU Policies and Procedures, Oklahoma laws and applicable federal laws, OSU strives to protect personal privacy and the confidentiality of information. Departments engaging in e-commerce are responsible for safeguarding confidential information used in the processing of e-commerce activity.

6.02

Cardholder information must never be transmitted across a network unsecured. Transport Layer Security 1.2 [TLS], at the very minimum, is required to transmit cardholder data. Emailing unencrypted credit card numbers is never acceptable.

6.03

As part of the OSU network, wireless connectivity is available for use in the same manner as a wired network jack. However, special considerations and additional security requirements from a PCI DSS standpoint are necessary when connecting to a wireless network for e-commerce activities. For these reasons, the Office of the Associate Vice President for Administration and Finance has oversight responsibility of authorization to utilize any wireless network for e-commerce activities.

6.04

The major regulatory body associated with credit card transactions is the PCI Security Standards Council, which promulgates the rules and regulations OSU adheres to in the credit card environment.

Third-Party Service Provider (TPSP) Management Program

1. Purpose

The purpose of this program is to establish a standardized and centralized process for managing third-party service providers (TPSPs) engaged in payment card activities at Oklahoma State University (OSU). This program ensures compliance with the Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.8 and reduces institutional risk associated with third-party relationships.

2. Scope

This program applies to all OSU departments that engage third-party service providers to support payment card acceptance, processing, storage, or related services. It covers all providers that directly handle cardholder data, manage systems within the cardholder data environment (CDE), or otherwise influence the security of payment operations.

3. Roles and Responsibilities

  • Program Owner – Merchant Services
    • Maintains the centralized TPSP inventory.
    • Verifies PCI DSS compliance of all TPSPs prior to engagement and on an annual basis.
    • Provides guidance to departments regarding the use of approved providers.
    • Ensures contracts include PCI DSS responsibility acknowledgments and breach notification requirements.
  • Departments
    • Notify and collaborate with Merchant Services in the review and selection of any Third-Party Service Provider (TPSP) for payment acceptance.
    • Adhere to the centralized approval process and may not independently contract with TPSPs for payment card services.
  • Signing Authority
    • Merchant Services will handle execution of agreements only after the due diligence process has been completed and compliance has been verified.

4. Program Requirements

4.1 TPSP Inventory

Merchant Services maintains a single, enterprise-wide inventory of all TPSPs. The inventory includes:

  • Provider name and service description.
  • Department(s) utilizing the service.
  • PCI DSS role (store, process, transmit, or support).
  • Current Attestation of Compliance (AOC) or Report on Compliance (ROC).
  • Contract dates and renewal timelines.
  • Assigned risk tier (High, Medium, Low).

4.2 Due Diligence

Prior to engagement and at least annually, Merchant Services will conduct due diligence on each Third-Party Service Provider (TPSP) to confirm:

  • A current PCI DSS Attestation of Compliance (AOC) or Report on Compliance (ROC) for the relevant services.
  • Clear definition of PCI DSS responsibilities between OSU and the provider.
  • Adequate contractual commitments for data security, including incident response and breach notification.

4.3 Risk Rating

Each TPSP will be assigned a risk level:

  • High Risk: Providers that directly store, process, or transmit cardholder data (e.g., payment processors, gateways).
  • Medium Risk: Providers that support the CDE but do not directly handle cardholder data (e.g., hosting providers, monitoring services).
  • Low Risk: Providers with limited or indirect access that could still affect security (e.g., software vendors with remote support).

Risk rating determines the depth of review and frequency of oversight.

4.4 Engagement Workflow

1. Department submits a request to Merchant Services when payment acceptance is needed.

2. Department either:

      • Identifies a preferred TPSP for review, or
      • Requests Merchant Services to recommend an existing approved provider.

3. Merchant Services performs due diligence and confirms PCI DSS compliance.

4. Merchant Services adds the provider to the central TPSP inventory and schedules ongoing reviews.

5. Governance and Oversight

  • Merchant Services is responsible for maintaining this program and reporting annually on TPSP compliance status.
  • Departments are encouraged to work with Merchant Services when engaging TPSPs for payment card services to help ensure consistency and compliance.
  • This program will be reviewed at least annually and updated as needed to reflect changes to PCI DSS requirements, University structure, or risk conditions.

6. Continuous Improvement

OSU is committed to strengthening third-party oversight. Feedback from departments, findings from audits, and lessons learned from incidents will be incorporated into program updates.

Physical Security Program for POS/POI/Card Reader Devices

1. Purpose

The purpose of this program is to establish a centralized, University-wide approach for inspecting Point of Sale (POS), Point of Interaction (POI), and card reader devices used by OSU merchants. This program ensures consistent physical security controls, mitigates the risk of device tampering or skimming, and maintains compliance with PCI DSS Requirement 9.5.

2. Scope

This program applies to all OSU departments and merchants that operate POS/POI/card reader devices for accepting payment cards. It covers inspection, monitoring, documentation, and reporting of devices to protect against tampering, skimming, or substitution that could compromise cardholder data.

3. Roles and Responsibilities

  • Program Owner – Merchant Services is responsible for maintaining the centrally managed inspection program, defining inspection standards, providing training, reviewing inspection records, and coordinating escalation for nonconformities.
  • Departments/Merchants are responsible for conducting device inspections according to the centralized program and reporting inspection results to Merchant Services.

4. Inspection Program

Inspection Frequency: Devices must be inspected at regular intervals of three months. Inspections are to be conducted consistently across all departments.

Visual, Physical, and Technical Inspections: Devices must be checked for external tampering, loose parts, or unauthorized attachments. Serial numbers should be verified, and any unusual device behavior should be noted.

Post-Inspection: Inspection findings must be documented and submitted to Merchant Services.

Escalation and Service Level Agreements: Nonconformities must be escalated promptly. Merchant Services will coordinate corrective actions in accordance with SLAs, and departments must comply with all required measures.

Additional Security Measures: Devices must be securely stored when not in use, protected against tampering, and connected to secure networks.


5. Governance and Oversight

Merchant Services is responsible for maintaining this program and reviewing compliance with inspection procedures. Departments are required to adhere to inspection schedules and maintain inspection records for audit purposes. The program will be reviewed at least annually or as needed based on operational changes or updates to PCI DSS.

6. Training and Awareness

Merchant Services will provide training to departments on inspection procedures and incident reporting. All staff responsible for operating POS/POI/card reader devices must complete training prior to device use.

Questions or Comments

7.01

Any questions or comments regarding this policy should be directed to:

Finance Operational Risk, Compliance, and Efficiency
405-744-4102
merchantservices@okstate.edu
