Business Policies and Procedures Manual
Chapter 30: Finance
Payment Card Data Security Compliance
BPPM 30.61
For more information contact:
Finance and Administration
509-335-2039
Purpose
Due to rapidly-evolving financial crimes and computer-related security challenges, the payment card industry has published specific Payment Card Industry Data Security Standards (PCIDSS) in an effort to better secure payment account data in a globally consistent manner. The payment card industry includes MasterCard Worldwide, Visa International, and American Express. Departments and business units throughout the Washington State University system may need to enter into WSU’s master merchant agreement with credit card processors as part of their business transaction services.
All University departments which process credit card transactions are required to adopt and implement tools, practices, and policies to comply with these data security standards. Failure to comply may result in financial penalties or security breaches with the consequence of loss of acceptance of credit cards.
This policy helps ensure that Payment Card Industry Data Security Standards compliance requirements are met by University business units and departments. Contact Finance and Administration regarding University requirements and procedures for using and reporting contracted payment card services, and procedures for obtaining and maintaining merchant agreements.
Policy
See Definitions below for definitions of terms and acronyms used in this policy.
Payment Card Industry Data Security Standards (PCIDSS)
All University departments which process credit card transactions are required to comply with and support the Payment Card Industry Data Security Standards (PCIDSS).
Each year, all departments which process credit card transactions are required to submit completed payment card data security compliance surveys to the E-Commerce Coordinator. The E-Commerce Coordinator sends the surveys to all credit card processing departments annually.
Merchant Agreements
University departments must coordinate any merchant agreement participation through the Associate Vice President for Finance.
Transaction Service Providers
All departments which process credit card transactions are required to use PCIDSS-compliant transaction service providers approved by the Associate Vice President for Finance or designee.
Transaction Service Technology
WSU-hosted transaction service technology deployments must comply with all relevant University security policies, procedures, and practices in addition to the Payment Card Industry Data Security Standards.
Policy Exceptions
Any existing or future University credit card processing department with a specific need or operational requirement which is an exception to this policy must submit a formal written request for the exception to the Associate Vice President for Finance.
The Associate Vice President for Finance or designee:
- Reviews the request while consulting with the Information Technology Services Security Office.
- Notifies the requesting party regarding whether or not the exception is allowable.
- Notifies the requesting party of any specific conditions that must be honored as part of the exception.
Applicability
All current and future University departments which process credit card transactions and all temporary transaction services established to accept credit card transactions for specific activities or events are required to comply with this policy.
Enforcement
Failure to comply with this payment card data security policy results in:
- Restrictions on use or closure of merchant-account-related services.
- Disciplinary action up to and including termination of employment at Washington State University.
Responsibilities
Associate Vice President for Finance
The Associate Vice President for Finance is responsible for:
- Conducting oversight of the entire merchant credit card process.
- Implementing payment card data security policy and procedures across all campuses.
- Determining whether or not vendor/third parties meet industry certification.
- Maintaining master merchant agreements with WSU’s financial institutions.
E-Commerce Coordinator
The E-Commerce Coordinator is responsible for:
- Departmental training.
- Communicating changes to all merchants.
- Sending and reviewing annual payment card data security merchant compliance surveys.
University Information Security Officer
The University Information Security Officer is responsible for:
Executing final approval of methods of credit card processing through websites and third-party software.
Serving as a resource for Finance and Administration Systems Support and/or merchants regarding electronic-security-related issues.
University Controller
The University Controller is responsible for enforcing this policy.
Definitions
Merchant Agreement Holder
A merchant agreement holder is defined as any business unit or department which holds a merchant agreement with any payment card industry (PCI) service provider. This includes terminal-based payment system owners and online web-based application system owners.
Payment Card Industry Data Security Standards (PCIDSS)
The Payment Card Industry Data Security Standards (PCIDSS) are defined as information security standards published by the PCI Security Standards Council that all merchant agreement holders are required to adopt and implement. Failure to comply may result in serious fines, penalties, and/or restrictions on merchant account activity.
The specific data security standards compliance requirements are available from the PCI Security Standards Council.
Transaction Service Provider
A transaction service provider is defined as a third party which provides a secured processing connection with the merchant agreement holders transaction processing bank.
_______________________
Revisions: Feb. 2008 – new policy (Rev. 316).