Policy
Introduction & Guiding Principles
1.01
Oklahoma State University encourages colleges and auxiliary departments to utilize electronic commerce, or e-commerce, as an additional point of contact with future alumni, faculty, staff, and the public. OSU views e-commerce as an integral component of current business functions and interactions.
1.02
Because credit and debit cards are so commonly used in payment transactions, OSU allows departments within the university to establish themselves as credit card merchants to more fully participate in e-commerce at OSU.
1.03
The purpose of this policy is to establish guidelines and minimum requirements to be followed when accepting e-commerce payments, specifically credit and debit card payments.
1.04
The Office of the Associate Vice President for Administration and Finance has oversight responsibility for institutional provisions that define electronic commerce, e-commerce standards and procedures, and enforcement of payment card industry data security standards at Oklahoma State University.
Definitions
2.01 e-Commerce
E-commerce encompasses all business transactions conducted over electronic means. This normally means the internet but can include any electronic interaction, including automated phone banks, touch screen kiosks, and even automated teller machines, or ATMs. Transactions can include debit or credit cards (historically the primary method of e-commerce payment) but can also include any electronic transfer of funds via ACH. (The Automated Clearing House, or ACH, is the primary method of transferring funds from one bank to another, enabling payments to be made online.)
2.02 Payment Card Industry Data Security Standard [PCI DSS]
Payment Card Industry Data Security Standard [PCI DSS] is a consolidated standard from the major credit card issuers detailing merchant requirements when accepting credit/debit cards. The requirements include network, security (physical/logical), and monitoring components, among others.
2.03 Cardholder Data
Cardholder data is any personally identifiable information associated with a user of a credit/debit card account. Primary account number [PAN], name, expiry date, and card verification value 2 [CVV2] are included in this definition.
Scope
3.01
This policy applies to all university departments, employees, approved vendors, consultants, and other persons associated with the university wishing to conduct e-commerce via any and all media and delivery mechanisms.
3.02
Individual units within the university may define “conditions of use” for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines, and/or restrictions. Such policies may not relax or subtract from this policy. Where such “conditions of use” exist, enforcement mechanisms defined therein shall apply. These additional policies will be subject to review and approval by the Office of the Associate Vice President for Administration and Finance.
Policy
4.01
Any electronic commerce associated with Oklahoma State University must have a basis in the university mission. Unrelated e-commerce activity cannot utilize the university network or associated systems. A Payment Card Industry Security Standards Council (PCI SSC) validated Point-to-Point Encryption (P2PE) solution is required in order to utilize the university network for payment processing.
4.02
Any transaction, system, application, or process associated with e-commerce (including credit/debit card transactions) shall be performed in compliance with the PCI DSS, OSU standards and procedures for e-commerce and shall retain ongoing approval of the Office of the Associate Vice President for Administration and Finance.
4.03
E-commerce activity will be performed within the centralized solutions provided by Oklahoma State University administration unless a written exception is granted by the Office of the Associate Vice President for Administration and Finance.
4.04
The merchants grandfathered in as SAQ-C and SAQ-D levels will hire external assessors to validate compliance with PCI DSS. The department responsible for the merchant will be required to pay for the assessor’s report.
Compliance Failure Penalties
5.01
Failure to comply with this policy may have the following consequences:
- Revocation of credit card acceptance for the affected unit.
- Fines (up to $500,000.00) assessed to the responsible branch or department.
- Legal action by injured parties.
- Prosecution for criminal violations.
Special Notifications
6.01
Following OSU Policies and Procedures, Oklahoma laws and applicable federal laws, OSU strives to protect personal privacy and the confidentiality of information. Departments engaging in e-commerce are responsible for safeguarding confidential information used in the processing of e-commerce activity.
6.02
Cardholder information must never be transmitted across a network unsecured. Transport Layer Security [TLS] version 1.2, at the very minimum, is required to transmit cardholder data. Emailing unencrypted credit card numbers is never acceptable.
6.03
As part of the OSU network, wireless connectivity is available for use in the same manner as a wired network jack. However, special considerations and additional security requirements from a PCI DSS standpoint are necessary when connecting to a wireless network for e-commerce activities. For these reasons, the Office of the Associate Vice President for Administration and Finance has oversight responsibility of authorization to utilize any wireless network for e-commerce activities.
6.04
The major regulatory body associated with credit card transactions is the PCI Security Standards Council, which promulgates the rules and regulations OSU adheres to in the credit card environment.
Questions or Comments
7.01
Any questions or comments regarding this policy should be directed to:
Finance Operational Risk, Compliance, and Efficiency
405-744-4102
merchantservices@okstate.edu