To provide the requirements for processing e-commerce transactions and any acceptance of credit card payments by administering entities for the University of Kansas Lawrence campus and its reporting units; to establish protocols to reduce the risk of exposure of cardholders’ personal financial information when such information is processed electronically through an e-commerce transaction; and to subject all e-commerce transactions to mandatory compliance with the Payment Card Industry (PCI) Data Security Standards (DSS).
All administering entities for the Lawrence campus and all reporting units, including faculty, staff, students, contractors, agents, and affiliated corporations that handle, process, and/or transmit credit cardholder information and echeck transactions on behalf of the University and/or operating within the University network are subject to this policy.
This policy also applies to all contractors, hardware and software suppliers, agents, or other third party service providers, who in the course of doing business on behalf of the University provide echeck, payment card acceptance or e-commerce processing, including without limitation: 1) Any application that incorporates a payment application, 2) Any service provider that accepts echeck and/or card payments on behalf of the University for business purposes and later remits the proceeds of payments directly to the University, 3) Any service provider that provides hosting of echeck and/or card processing transactions where the University is the final beneficiary of the proceeds of payments, and 4) Any credit card terminal, Point of Sale system, online virtual application, and/or device used to process echeck and/or card payments.
- The University’s Preferred E-commerce Payment Application
- Payment Card Industry (PCI) Compliance
- Handling of Credit Card, Cardholder, or Other Personal Financial Information
- Initiating New Electronic Check (Check 21) Activity
- Initiating New Credit Card and/or Electronic Check (eCheck) Activity
- Processing Devices
- Responsibilities of Merchant
- Compliance Requirements for Third Party Service Providers
- Breach, Data Compromise and/or Non-Compliance
The E-commerce Committee governs and advises on the PCI DSS program at the University, including monitoring and enforcement of this policy. The E-commerce Committee is responsible for annual review of PCI compliance status for the University through completion of quarterly network scans, an annual PCI Self-Assessment Questionnaire (SAQ), and staff PCI compliance training.
Collective oversight of the E-commerce Committee is jointly shared by the Chief Financial Officer & Vice Provost for Finance and the Chief Information Officer. The Committee assignment authority and committee chair appointment lies with the Chief Financial Officer & Vice Provost for Finance. The responsibilities of the E-commerce Committee and Information Technology are outlined on the E-commerce website: https://ecommerce.ku.edu/.
The University strongly encourages departments to use the services of the University’s authorized e-commerce payment application, TouchNet U.Commerce Central, which is under contract to support and uniformly process e-commerce transactions for the University through a secure gateway and hosted solution. By using TouchNet U.Commerce Central, merchants can manage and operate online storefronts, registration sites, and secure payment portals efficiently. To become a merchant using TouchNet U.Commerce, departments and campus organizations may complete an Information Request Form at https://ecommerce.ku.edu/.
The University has adopted the standards for compliance requirements and security assessment as outlined in the Payment Card Industry (PCI) Data Security Standards (DSS) as set forth by the PCI Security Standards Council.
These standards can be viewed at the following link for PCI Security Standards Council Document Library for PCI DSS: https://www.pcisecuritystandards.org/document_library
All payment applications, gateways, technology implementations and equipment associated with e-commerce or with generating revenue through the acceptance of credit or debit cards must be PA-DSS and PCI-DSS compliant.
Individuals designated with responsibility for e-commerce transactions by authorized entities must comply with PCI-DSS. Some of those standards are:
All personal financial and credit card information must be treated as “highly sensitive data” and must be handled as specified under the standards. It is strictly prohibited to retain (or store electronically or manually) the following elements of personally identifiable information (PII):
- Full credit/debit card number;
- Card Validation Code (CVC, CVV2, CVC2);
- Customer’s personal identification number (PIN);
- Expiration date or contents of the magnetic stripe of a payment card;
- Cardholder name in combination with any of the above information.
No credit card numbers or information may be transmitted or stored by means of any non-approved software application, personal computer, mobile device, e-mail account, facsimile, multi-functional device, or paper document.
No credit card information is to be requested or obtained through a non-secure environment.
The storage and retention of partial truncated credit card numbers is to be limited to that which is required for business, legal and/or regulatory purposes, as documented in the Electronic Data Disposal Policy and KU Records General Retention Schedule.
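The following is an added example, not part of the University policy or of any KU system, showing how a merchant application could enforce the two rules above before a record is written to storage: reject records that still contain a prohibited element (full PAN, CVV, PIN, expiration date, track data, or cardholder name alongside any of these) and keep only a truncated PAN. The field names, the first-six/last-four truncation format, and the sample record are assumptions constructed for the example.

```python
import re

# Record fields the policy forbids retaining in any form (assumed field names).
PROHIBITED_FIELDS = {"pan", "cvv", "pin", "expiry", "track_data"}

# A candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# starting and ending with a digit so no trailing separator is captured.
PAN_PATTERN = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits):
    """Luhn mod-10 check; filters out phone numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Return the truncated form (first six, last four) allowed for retention."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("value is not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_record(record):
    """List the policy violations in a record that is about to be stored."""
    findings = []
    present = PROHIBITED_FIELDS & set(record)
    for key in sorted(present):
        findings.append("prohibited element present: " + key)
    if present and "cardholder_name" in record:
        findings.append("cardholder name stored together with card data")
    # Free-text fields (notes, descriptions) are a common place for a full PAN
    # to leak into storage, so scan them for Luhn-valid digit runs too.
    for key, value in record.items():
        if key in PROHIBITED_FIELDS or not isinstance(value, str):
            continue
        for m in PAN_PATTERN.finditer(value):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append("full PAN embedded in field " + repr(key))
    return findings


def _mask_embedded(text):
    """Replace any Luhn-valid PAN inside free text with its truncated form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return truncate_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_PATTERN.sub(repl, text)


def sanitize_record(record):
    """Return a retention-safe copy: PAN truncated, prohibited elements dropped."""
    safe = {}
    for key, value in record.items():
        if key == "pan":
            safe["pan_truncated"] = truncate_pan(value)
        elif key in PROHIBITED_FIELDS:
            continue
        elif isinstance(value, str):
            safe[key] = _mask_embedded(value)
        else:
            safe[key] = value
    return safe


# Constructed sample record using a well-known Visa test number, not real data.
SAMPLE_RECORD = {
    "cardholder_name": "Jane Doe",
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/27",
    "amount": "25.00",
    "note": "customer paid by card 4111111111111111 over the phone",
}

if __name__ == "__main__":
    for finding in audit_record(SAMPLE_RECORD):
        print("VIOLATION:", finding)
    print("stored as:", sanitize_record(SAMPLE_RECORD))
```

Running the block on the sample record reports the PAN, CVV, expiry, the name-plus-card-data combination and the PAN embedded in the note, then produces a copy in which only `411111******1111` remains.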
Due to inherent risks, a manual imprinter must not be used to process e-commerce transactions. Inherent risks include, but are not limited to, human vulnerability in handling, securing and protecting data, capturing and storing PII, and other environmental control concerns such as access to data and destruction of carbon imprints and original documents.
Failure to comply with the standards can result in serious consequences for the University, including exposure of personal financial information, assessment of substantial fines, possible legal liability, and the potential loss of the ability to accept e-commerce payments. Consequences for individuals processing e-commerce transactions for the University are specified in this policy under the Consequences section.
The use of personal financial information as evidenced by check or cardholder data for any purposes other than conducting University business is expressly prohibited.
Any employee, contractor, or agent who obtains access to personal financial information or cardholder data shall not sell, purchase, provide, or exchange the information in any form to any third party other than to an approved acquiring bank, depository bank, Visa, MasterCard, Discover Card, American Express, or other credit card company, or pursuant to formal governmental request. All requests to provide personal financial information to any other party require prior authorization by The Comptroller’s Office. Cash advances on a credit card transaction are strictly prohibited, as that type of transaction does not constitute University business.
Any department requesting to process physical checks electronically must meet with The Comptroller’s Office to discuss business purpose, viable process options, anticipated volume and revenue, related costs and related approvals for such business transactions (https://ecommerce.ku.edu/request-information-or-review).
Any department requesting to accept credit card payments only and/or credit card payments plus electronic checks (eChecks) must meet with the E-commerce Committee to discuss business purpose, viable process options, anticipated revenue, related costs and related approvals for such business transactions. Once authorized to conduct e-commerce transactions pursuant to this policy, the requesting department is considered and referred to as a merchant and must follow all guidance regarding their merchant role (https://ecommerce.ku.edu/request-information-or-review).
All credit card readers or processing devices requested for purchase must be ordered through The Comptroller’s Office in accordance with the State of Kansas Credit Card Acceptance contract. The cost of any equipment and supplies will be charged to the merchant.
Any credit card terminal for which the certification by the PCI Security Standards Council has expired, or which no longer meets industry specifications to support merchant services, will be deemed non-compliant. All non-compliant equipment must be discarded or, if a continued business use exists, replaced. Merchants must arrange for collection and delivery of any non-compliant equipment to the E-commerce Committee for proper disposal. To avoid significant data exposure risk, media sanitization is required. A certificate of media sanitization must be presented to The Comptroller’s Office after the merchant has promptly surrendered the terminal to KU IT eWaste.
The primary responsibilities of the merchant are identified below; these may be augmented by additional guidelines or protocols issued by the E-commerce Committee with respect to specific approvals:
- Allow a minimum of three months for a planning and implementation timeline to accommodate the E-commerce Committee’s review and approval for new or amended credit card and/or echeck payment acceptance arrangements.
- Initiate all inquiries, updates, conversations to utilize e-commerce processing with the E-commerce Committee using the email address: email@example.com. Acquire approval for all new arrangements and changes to arrangements that involve acceptance of payment cards or electronic checks, including services provided by third parties and/or any manner of connection to the University servers, infrastructure and networks.
- Review and comply with all University Procurement Services, The Comptroller’s Office, and Information Technology guidelines when engaging third party service providers of software, systems, equipment or services that include payment card acceptance. Ensure that PCI DSS specific requirements are incorporated into the process and documentation for competitive bids, new contracts or agreements, and renewal of contracts or agreements, and reviewed by the Office of General Counsel prior to execution.
- Access to process payments on a credit card terminal or virtual terminal will be secured and restricted to authorized and trained personnel only. Access must be strictly controlled and tracked by a management-level person and will be subject to periodic audit. Each new staff member with a credit card processing related job function, or staff member assuming such responsibilities, must complete PCI Compliance training.
- E-commerce transactions processed by merchant on behalf of the University must be for the purpose of conducting University business, such as for payment of fees, tuition, products and/or services of the University.
- No credit card data, banking data and/or personal financial information may be transmitted or stored by means of any non-approved software application, personal computer, mobile device, e-mail account, facsimile, multi-functional device, or paper document.
- Credit card payments processed by phone must be fully completed and transmitted while the customer is on the line. Credit card information must not be written down during the call or for later processing.
- Credit card business activity must be submitted through the Miscellaneous Deposit Form processed daily. Reconcile and verify credit card transactions as a part of normal accounting reconciliation process.
- Any merchant specifically contracting for a special payment application and/or equipment is responsible for ensuring that all requirements of compliance are maintained for PCI, contract specifications, and necessary vendor upgrades to continue and achieve compliance.
- Accept fiscal responsibility for any costs of acquiring and operating a card acceptance arrangement.
- Notify the Information Technology Security Office of any suspected security incidents, security breaches or data compromise, including suspected loss or theft of data.
- Complete an annual Self-Assessment Questionnaire and E-commerce Merchant Agreement provided by the E-commerce Committee. Ensure all systems, equipment, contracts and business processes are compliant with policy.
- Comply and cooperate with any required internal or external PCI security assessment, audit and/or Internal Audit review.
- Assist the E-commerce Committee on an annual basis in requesting and securing proof of compliance from third party service providers.
- Inform the E-commerce Committee when the merchant decides it will no longer use operable credit card payment applications or credit card terminals.
- Inform the E-commerce Committee of change in staff and access roles so that users can be properly managed.
- Accept fiscal responsibility for any expenses and imposed fines associated with independent assessments and remediation of breach and/or non-compliant operations.
All third party service providers that provide processing for e-commerce transactions must have prior approval by The Comptroller’s Office. Third party service providers must agree to be contractually obligated to comply with the compliance requirements in this policy and other applicable University policies. Third party service providers specifically adhere to the following:
- Provide upon initial contract, and at least annually as long as the services contract is in place, enforceable and/or services continue to be rendered, an attestation or certification that:
  - The supplier is PCI DSS compliant as certified by a Qualified Security Assessor (QSA);
  - The supplier software application and payment application is certified compliant with the PA-DSS for developers;
  - The supplier hardware, equipment and devices are certified compliant with the PIN Transaction Security (PTS) standards for manufacturers;
  - The supplier devices are EMV (Chip and PIN) enabled and have End to End Encryption (E2EE) and/or Point to Point Encryption (P2P) to protect against fraudulent card attempts and attacks.
- Allow for review of Standard for Attestation Engagements SSAE No. 16 and provide the latest Attestation of Compliance or proof of PCI DSS certification upon request by the University.
- The University will not be responsible for any security breaches and will require third party service providers to indemnify the University for all costs and damages associated with security breaches caused as a result of negligence on the part of the service provider.
Matters of non-compliance shall be addressed as follows:
- If the merchant staff learns of non-compliance first, it must discontinue credit card processing and notify the KU Information Technology Security Office (ITSO) and E-commerce Committee. If ITSO or The Comptroller’s Office learns of non-compliance first, they will contact the merchant to discontinue credit card processing.
- Immediate notification must be made to the KU Information Technology Security Office and the E-commerce Committee. Phone: KU Information Technology Security Office (ITSO) – 785-864-9003. Email: firstname.lastname@example.org and email@example.com.
- The E-commerce Committee will coordinate further communication with the processor, hardware and/or software supplier, and any other identifiable entity to secure information and escalate the issue according to the procedures outlined in the IT Security Incident Response Policy: http://policy.ku.edu/IT/security-incident-response
- To contain the exposure of a security incident, the E-commerce Committee will escalate the situation to disable operations through merchant services and hardware and/or software supplier for the merchant depending on the nature of the breach, if network exposure may be at risk or if there exists potential for additional cardholder data exposure.
- The breach, data compromise and/or non-compliance situation will be assessed as to the nature, cause and impact regarding customers, operations and any immediacy to consider whether communications are warranted to involve law enforcement. ITSO will prepare an Incident Report and a list of compromised accounts. The Comptroller’s Office will coordinate any actions with contracted merchant services.
- E-commerce Committee and ITSO will work to coordinate and develop a plan to attain remediation. The remediation plan will be presented to ITSO leadership and The Comptroller’s Office leadership for initial vetting and to Administration for approval.
- A mutually agreeable timeline for the remediation will be established by the merchant and the E-commerce Committee.
- A Self-Assessment Questionnaire (specific to the scenario) will be completed by the merchant and subject to review and approval by the E-commerce Committee to document that remediation has occurred.
- Should remediation not be attained by the timeline established, the E-commerce Committee and the ITSO will consider further actions which may delay or not permit the merchant to resume operations.
- When the remediation plan is fully executed and the status of applications, equipment, contract requirements, and procedures are restored to a compliant position, the E-commerce Committee is responsible for determining operating status with an overriding decision of the Chief Financial Officer, Vice Provost for Finance and the Chief Information Officer.
- The merchant will enforce any additional safeguards or steps presented for further operational success.
As a consequence of a breach, data compromise or non-compliance, the merchant may incur increased costs due to fines imposed by card brands and/or potential loss of the contractual relationship to operate card processing.
A persistently non-compliant merchant is subject to suspension of card acceptance processing by the E-commerce Committee.
Exceptions to this policy may be granted only after a written request from the merchant has been reviewed and approved by the E-commerce Committee and then approved by the Chief Financial Officer, Vice Provost for Finance.
Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment with, authority from, and/or relationship to the university.
Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
Authorized entities that fail to follow the policy may potentially lose operating privileges and will be responsible for payment of any fines assessed due to a breach resulting from non-compliance. Fines imposed by credit card companies have ranged from a few hundred thousand to millions of dollars.
These definitions apply to these terms as they are used in this document. These definitions will periodically change as industry standards are modified.
Administration is referred to herein as the governing authority within the University over The Comptroller’s Office and the Information Technology Security Office.
Affiliated Corporations are legal entities that have a branded and working business relationship to provide services to KU and to receive some administrative services from KU.
Application is computer software designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user.
Authorized Entities are any individual or entity associated with the University that uses university information technology resources to create, access, store or manage University data to perform their business functions.
Banking data is any personally identifiable data associated with a banking institution account. This data could be an account number, routing number (ABA), address, PIN, name, social security number, driver’s license number or birthdate.
Card Brands are named companies such as American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. that work with acquiring banks to issue credit cards and cardholder services identifiable with their company name and logo on the cards.
Cardholder is the customer to whom a credit card or debit card has been issued or the individual authorized to use the card.
Cardholder Information is any personally identifiable data associated with the cardholder. This data could be an account number, expiration date, name, address, social security number, or Card Validation Code (e.g., the three-digit or four-digit value printed on the front or back of a payment card).
Certificate is an attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who the individual claims to be, and to provide the receiver with the means to encode a reply.
Credit Card Terminal is a terminal that has a magnetic stripe reader that captures cardholder information when a credit card’s magnetic stripe slides past the reader. Generally this is done by sliding the card through a slot on the terminal. There is also a keypad for entering cardholder information manually.
Data Compromise is the exposure of sensitive or personally identifiable information (PII) resulting from either an intentional security breach (an “attack”) or human error.
Department is any entity within the direct hierarchy of the University, including but not limited to a named school, named department, unit and/or affiliate, that uses university information technology resources to create, access, store or manage University data to perform its business functions.
Digital Signature is a digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who the individual claims to be.
Electronic Check (Check21) is a paper check that is converted to a legitimate imaged “substitute” check for processing. Check 21 rules are established by a federal law, The Check Clearing for the 21st Century Act, designed to enable banks to handle more checks electronically with faster and more efficient processing. https://www.fdic.gov/consumers/assistance/protection/check21.html.
Electronic Check (eCheck) is an online payment utilizing checking account related data initiating ACH activity between banks.
E-commerce aka Electronic Commerce is business that is conducted over the Internet using any of the applications that rely on the Internet, such as e-mail, instant messaging, shopping carts, Web services, UDDI, FTP, and EDI, among others as a payment gateway.
Encrypt/Encryption is the scrambling or coding of information through the use of algorithms to stop the retrieval and use of information in transit or at rest (stored on a hard drive or mobile device).
Incident Report is a form or written record documenting exact details of the breach or non-compliant situation and/or circumstance that has occurred.
Media Sanitization is where equipment is wiped clean or purged in a manner that renders the data unrecoverable or difficult to reconstruct.
Merchant is a department that has been approved to accept and process credit card payments.
Merchant Number is a number assigned from the credit card issuer to a merchant which uniquely identifies its credit card transactions.
Merchant Services is the entity contracted with the State of Kansas that issues merchant numbers for credit card operations. This company facilitates the processing, settlement, reporting and billing for credit card activity.
Payment Card is any credit, debit, or pre-paid credit/debit card linked to the cardholder’s account at a financial institution, including those under the Visa, MasterCard, Discover Card and American Express brands.
Payment Application Data Security Standards (PA-DSS) is the PCI Council managed program that applies to hardware and software suppliers and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data, in accordance with the PA-DSS requirements.
Payment Card Industry Data Security Standards (PCI-DSS) are the result of collaboration between the five major credit card brands to develop a single approach to safeguarding cardholder data. The PCI-DSS defines a series of best practices for handling, transmitting and storing cardholder data. The full text of the standard and other supporting documents are available at: https://www.pcisecuritystandards.org.
Personal Financial Information is information that can be used to uniquely identify an individual’s relationship with a financial institution divulging any personal resources to include assets or debt.
Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact or locate an individual or that can be used in conjunction with other sources to uniquely identify an individual. In the case of payment card data, PII can be all printed and non-printed information contained on payment card that identifies the customer. For purposes of this document, PII includes personal financial information but is not restricted to name, address, credit card number, the card’s expiration date and its security code.
PIN Transaction Security Standards (PTS) are a set of PCI SSC compliance objectives for devices developed to capture payment card data to process authorized transactions using a personal identification number (PIN). Information regarding the PTS Program is available at: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices.
Processor provides payment processing, merchant, and related payment services to financial and nonfinancial institutions. They communicate to the card issuing entities to validate transactions and work with financial and nonfinancial institutions to settle payment transactions.
Qualified Security Assessor (QSA) is an independent security organization that has been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI-DSS.
Self-Assessment Questionnaire (SAQ) is a validation tool that assists merchants and service providers in self-evaluating PCI compliance every year.
Supplier is an entity that supplies goods and/or services to a company, primarily hardware and/or software to be used in the e-commerce process.
TouchNet UCommerce Marketplace is a third party web application that provides a secure payment gateway for processing credit card payments online via a website application. This is the main university approved and supported payment gateway for merchants that accept credit card payments online.
University Network is the computer, data, and digital telecommunications network at the University which allows devices to share resources through data links using wires, cables or wireless media.
Virtual Terminal is a program that is accessed over the internet and enables credit card charges to be input online by the merchant.
04/12/2019: Policy published in the Policy Library, replacing the Internet-Based Credit Card Processing Policy (retired).