• Home
  • Internet-Based Credit Card Processing Policy

Internet-Based Credit Card Processing Policy


To protect against the exposure and possible theft of account and personal cardholder information that has been provided to KU Lawrence-campus offices during the course of business with the University; and to comply with credit card company requirements for transferring credit card information over the Internet.

The internet-based credit card processing policy is one of the documents that are governed by the KU eCommerce Infrastructure environment1. This environment has been created to support electronic business (eBusiness) done over the internet. This environment supports financial transactions supported by credit card transactions, digital signatures for approvals of credit card transactions, certificates that establish electronic identification, and other electronic methods needed to support electronic transmission of financial transactions.

Applies to: 

This policy is applicable to any KU Lawrence administered unit that processes, transmits, or handles cardholder information in electronic format. Affiliated corporations are encouraged to comply.

Policy Statement: 

All electronic-based transactions that involve the transfer of credit card information must be performed on the systems provided by Information Services for this purpose. All specialized servers that have been approved for this activity must be housed within Information Services and administered in accordance with the requirements of the eCommerce Server Compliance Requirements and the Cardholder Information Security Program (CISP). The Information Technology Security Officer and the Comptroller will be responsible for verifying compliance with industry best practices for conducting electronic payment transactions on the central server (see Appendix II: Cardholder Information Security Program (CISP)).

No credit card numbers should be transmitted or stored in any other system, personal computer, or e-mail account.

Exceptions to this policy may be granted only after a written request from the unit has been reviewed and approved by the Chief Financial Officer and Vice Provost for Finance and the Chief Information Officer.

Responsibilities of Information Services

Provide a central secure server for the purpose of transacting electronic payments, and for data storage, as required for compliance with credit card company regulations (see Appendix I: eCommerce Server Compliance Requirements).

Provide advice/how-to/tools to enable departments to clearly follow industry best practices for access, firewalls, patches, data storage, passwords, encryption, and security.

Investigate suspected security breaches and coordinate the response with the appropriate credit card agency, affected customers, and law enforcement as needed (see Cardholder Information Security Program (CISP) Security Audit Procedures and Reporting).

Responsibilities of the Comptroller’s Office

Monitor the use of credit card transactions for compliance with this policy and other University policy, state/federal laws and regulations, and contracts with financial institutions.

Approve each unit requesting to electronically accept credit cards, and perform an annual review of all approved units to ensure compliance.

Oversee credit card accounting for each approved unit.

Responsibilities of University Departments

Use only the central secure server provided by IS for the purpose of transacting electronic payments, and for handling cardholder information.

Reconcile and verify credit card transactions along with normal accounting reconciliation process.

Notify ITSO of any suspected security breaches.


Failure to meet the requirements outlined in this policy will result in suspension of electronic payment capability for affected units. Additionally, fines may be imposed by the affected credit card company, beginning at $50,000 for the first violation.

Persons in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment, dismissal from the University, and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.


Chief Information Officer

Approved by: 
Chief Information Officer
Approved on: 
Thursday, June 10, 2004
Effective on: 
Friday, June 15, 2007
Review Cycle: 
Annual (As Needed)
eCommerce, Payment, Online, Credit Card
Change History: 

03/08/2019: Changed title from VP for Administration and Finance to Chief Financial Officer and VP for Finance.
01/30/2015: Updated.
06/05/2013: Added to Policy Librar. 

Information Access & Technology Categories: 
Information Technology

Can't Find What You're Looking For?
Policy Library Search
KU Today
One of 34 U.S. public institutions in the prestigious Association of American Universities
Nearly $290 million in financial aid annually
44 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
23rd nationwide for service to veterans —"Best for Vets," Military Times