University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Payment Card Data Security Compliance
UPPM 30.61
For more information contact:
Treasury Services
509-335-2070 / fi.treasury@wsu.edu
1.0 Overview and Purpose
Due to rapidly-evolving financial crimes and computer-related security challenges, the payment card industry has published specific Payment Card Industry Data Security Standards (PCIDSS) in an effort to better secure payment account data in a globally consistent manner. The payment card industry includes MasterCard Worldwide, Visa International, Discover, JCB, and American Express. Departments and business units throughout the Washington State University system may need to enter into WSU’s master merchant agreement with credit card processors as part of their business transaction services.
All University departments which process credit card transactions are required to adopt and implement tools, practices, and policies to comply with these data security standards and to participate in the annual compliance program. Failure to comply may result in financial penalties or security breaches, with the consequence of losing the ability to accept credit cards.
This policy helps ensure that Payment Card Industry Data Security Standards compliance requirements are met by University business units and departments. Contact Treasury Services regarding University requirements and procedures for using and reporting contracted payment card services, and procedures for obtaining and maintaining merchant agreements.
2.0 Applicability
All current and future University departments that process credit card transactions and all temporary transaction services established to accept credit card transactions for specific activities or events are required to comply with this policy.
3.0 Definitions
Merchant agreement holder: A merchant agreement holder is defined as any business unit or department which holds a merchant agreement with any payment card industry (PCI) service provider. This includes terminal-based payment system owners and online web-based application system owners.
Payment Card Industry Data Security Standards (PCIDSS): The Payment Card Industry Data Security Standards (PCIDSS) are defined as information security standards published by the PCI Security Standards Council that all merchant agreement holders are required to adopt and implement. Failure to comply may result in serious fines, penalties, and/or restrictions on merchant account activity.
The specific data security standards compliance requirements are available from the PCI Security Standards Council.
Transaction Service Provider: A transaction service provider is defined as a third party which provides a secured processing connection with the merchant agreement holder's transaction processing bank.
4.0 Responsibilities
4.1 Vice President of Finance and Business Services
The Vice President of Finance and Business Services is responsible for:
- Conducting oversight of the entire merchant credit card process;
- Implementing payment card data security policy and procedures across all campuses;
- Determining whether or not vendor/third parties meet industry certification; and
- Maintaining master merchant agreements with WSU’s financial institutions.
4.2 University Treasury Services
University Treasury Services is responsible for:
- Maintaining records of university merchant and terminal accounts and assisting with the opening and closing of new merchant accounts;
- Managing credit card processing equipment inventory and assisting with the ordering of new terminals;
- Departmental training;
- Communicating changes to all merchants;
- Coordinating and reviewing annual payment card data security compliance assessment requirements; and
- Enforcing this policy.
4.3 University Information Technology Services (ITS)
The University Information Technology Services is responsible for:
- Completing security reviews and ensuring compliance of methods of credit card acceptance through websites and third-party software; and
- Serving as a resource for Finance and Operations Systems Support and/or merchants regarding electronic-security-related issues.
5.0 Requirements
5.1 Payment Card Industry Data Security Standards
All current and prospective University departments that process credit card transactions are required to comply with and support the Payment Card Industry Data Security Standards (PCI DSS).
Each year, all departments which process credit card transactions are required to complete a PCI DSS compliance assessment.
5.2 Merchant Agreements
University departments must coordinate any merchant agreement participation through the Vice President of Finance and Business Services or their designee.
5.3 Transaction Service Providers
All departments which process credit card transactions are required to use PCIDSS-compliant transaction service providers approved by the Vice President of Finance and Business Services or designee.
5.4 Transaction Service Technology
WSU-hosted transaction service technology deployments must comply with all relevant University security and privacy policies, procedures, and practices in addition to the Payment Card Industry Data Security Standards.
6.0 Policy Exceptions
Any existing or future University credit card processing department with a specific need or operational requirement which is an exception to this policy must submit a formal written request for the exception to the Vice President of Finance and Business Services or designee.
The Vice President of Finance and Business Services or designee performs the following actions:
- Reviews the request while consulting with the Information Technology Services Security Office;
- Notifies the requesting party regarding whether or not the exception is allowable; and
- Notifies the requesting party of any specific conditions that must be honored as part of the exception.
7.0 Enforcement
Failure to comply with this payment card data security policy results in both of the following:
- Restrictions on use or closure of merchant-account-related services; and
- Disciplinary action up to and including termination of employment at Washington State University.
_______________________
Revisions: May 2026 (Rev. 656); Feb. 2008 – new policy (Rev. 316).