Internet-Based Credit Card Processing Policy
To protect against the exposure and possible theft of account and personal cardholder information that has been provided to KU Lawrence-campus offices during the course of business with the University; and to comply with credit card company requirements for transferring credit card information over the Internet.
The internet-based credit card processing policy is one of the documents that are governed by the KU eCommerce Infrastructure environment1. This environment has been created to support electronic business (eBusiness) done over the internet. This environment supports financial transactions supported by credit card transactions, digital signatures for approvals of credit card transactions, certificates that establish electronic identification, and other electronic methods needed to support electronic transmission of financial transactions.
This policy is applicable to any KU Lawrence administered unit that processes, transmits, or handles cardholder information in electronic format. Affiliated corporations are encouraged to comply.
All electronic-based transactions that involve the transfer of credit card information must be performed on the systems provided by Information Services for this purpose. All specialized servers that have been approved for this activity must be housed within Information Services and administered in accordance with the requirements of the eCommerce Server Compliance Requirements and the Cardholder Information Security Program (CISP). The Information Technology Security Officer and the Comptroller will be responsible for verifying compliance with industry best practices for conducting electronic payment transactions on the central server (see Appendix II: Cardholder Information Security Program (CISP)).
No credit card numbers should be transmitted or stored in any other system, personal computer, or e-mail account.
Exceptions to this policy may be granted only after a written request from the unit has been reviewed and approved by the Chief Financial Officer and Vice Provost for Finance and the Chief Information Officer.
Responsibilities of Information Services
Provide a central secure server for the purpose of transacting electronic payments, and for data storage, as required for compliance with credit card company regulations (see Appendix I: eCommerce Server Compliance Requirements).
Provide advice/how-to/tools to enable departments to clearly follow industry best practices for access, firewalls, patches, data storage, passwords, encryption, and security.
Investigate suspected security breaches and coordinate the response with the appropriate credit card agency, affected customers, and law enforcement as needed (see Cardholder Information Security Program (CISP) Security Audit Procedures and Reporting).
Responsibilities of the Comptroller’s Office
Monitor the use of credit card transactions for compliance with this policy and other University policy, state/federal laws and regulations, and contracts with financial institutions.
Approve each unit requesting to electronically accept credit cards, and perform an annual review of all approved units to ensure compliance.
Oversee credit card accounting for each approved unit.
Responsibilities of University Departments
Use only the central secure server provided by IS for the purpose of transacting electronic payments, and for handling cardholder information.
Reconcile and verify credit card transactions along with normal accounting reconciliation process.
Notify ITSO of any suspected security breaches.
Failure to meet the requirements outlined in this policy will result in suspension of electronic payment capability for affected units. Additionally, fines may be imposed by the affected credit card company, beginning at $50,000 for the first violation.
Persons in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment, dismissal from the University, and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.
Chief Information Officer
03/08/2019: Changed title from VP for Administration and Finance to Chief Financial Officer and VP for Finance.
06/05/2013: Added to Policy Librar.