POL-U5351.14 Accepting, Processing & Securing Payments Through the Internet

Dates and Approval

Effective Date: June 9, 2008

Approved by: Karen W. Morse, President, Executive Policy Group

Who does this policy apply to?

This policy applies to employees in departments that accept payments for university fees, goods or services through an Internet website (also known as “e-commerce”).

Overview

There is no overview for this policy.

Definitions

PCI DSS (Payment Card Industry Data Security Standard)

A widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and to protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express. (https://www.pcisecuritystandards.org/)

Standard Internet Payment System(s)

A system(s) which university departments can safely and easily utilize to accept payment from customers for fees, goods, or services via the Internet.

Specialized Internet Payment System

A system which contains unique or specialized features necessary for certain university departments, such as the Associated Students Bookstore, WWU Box Office and Parking Services, to accept payment from customers for fees, goods, or services via the Internet.

Payment System Information

Information obtained in the process of receiving payment over the internet, including a credit card or bank account holder’s name, address, credit card account number, bank routing number, bank account number, credit card expiration date, the three digit verification code located on the back of a credit card, transaction information, and/or any other information that may be used to personally identify a credit card or bank account holder.

Transaction Processing Cost

The credit card or electronic check payment fees incurred when a department receives payments through an Internet Payment System. Transaction Processing Cost may also include set-up costs and/or monthly fees if a department has specific requirements that require a set-up unique to that department.

Policy Statements

1. Vice President for Business and Financial Affairs Approves University Standard Internet Payment System(s)

The Vice President for Business and Financial Affairs will consult with the Director of Administrative Computing in the selection and approval of a standard system(s), including service providers, for use by university departments to accept payment through the Internet.

2. Financial Manager Obtains Authorization to Use University Standard Internet Payment System(s)

The Financial Manager must submit the E-Commerce Authorization E-Sign Form in order to use a University Standard Internet Payment System(s). The E-Sign Form will be routed to the Dean/Director, Division Budget Director, Director of Administrative Computing and Treasury Director for review prior to final authorization by the Vice President for Business and Financial Affairs.

3. Division Vice-President Approves Specialized Internet Payment Systems

In addition to the Vice President for Business and Financial Affairs’ approval, division vice presidents will approve systems for departments requiring specialized features and tools that are not provided by the standard system. These departments include, but are not limited to, the Associated Students Bookstore, WWU Box Office, Wade King Recreation Center and Parking Services. Specialized payment system software will be:


  1. Hosted and fully supported by the vendor; or
  2. Located in Western’s central computing facility.

4. Director of Administrative Computing Ensures Secure Network

The Director of Administrative Computing ensures that payment software systems that reside on WWU’s network comply with PCI DSS network and computer data security standards.

5. Contract Administration Ensures Payment System Bid Documents and Contracts Include PCI DSS Compliance Requirement

Contract Administration ensures that all payment system bid documents, and any contract subsequently negotiated, include the requirement for certified PCI DSS compliance.

6. Financial Manager Ensures Department Procedures Follow PCI DSS Best Practices

The department Financial Manager ensures that PCI DSS best practices are followed. These practices include, but are not limited to:

  1. Restricting access to payment system information to employees with a business need to know;
  2. Storing hard copies containing payment system information in a locked physical device to which access is restricted to employees with a business need to know; and
  3. Securing all software and hardware.

7. Financial Manager Ensures Reconciliation of Internet Payments

The department Financial Manager ensures that payments received by the system are reconciled to the fees, goods or services provided.

8. Treasury Director Ensures Deposit of Internet Payments to Bank and Recording of Payments in Financial System

The Treasury Director will consult with the Director of Administrative Computing, the department Financial Manager, and the payment system provider to ensure that payments received through the Internet are deposited in the university’s bank account and recorded appropriately in the financial system.

9. Department Pays Processing Cost

Departments will be charged processing cost as follows:

  1. Direct cost charged by the system vendor for specialized payment systems
  2. Transaction processing cost for the standard payment system

10. Treasury Director Provides Training on Standard Internet Payment System(s)

The Treasury Director provides training to departments authorized to receive payment through the university’s standard payment system(s). This will include procedures to comply with the PCI DSS best practices.

11. Financial Manager Ensures Training is Provided for Specialized Internet Payment System

The department Financial Manager ensures that system users in the department receive appropriate training. This will include procedures to comply with the PCI DSS best practices.
