Oregon State University

104: e-Commerce

Fiscal Operations Manual
Section 100: Revenue (External) Depositing & Recording
Effective: 06/10/2002
Revised: 1/24/2013

The Business Affairs Office views electronic commerce as a natural extension of the business processes already conducted by the University. We encourage colleges and auxiliary departments to utilize electronic commerce to improve services and reduce costs to students, faculty, staff, and the public. For purposes of this policy, electronic commerce includes all business transactions accomplished using an electronic medium.

In all endeavors, the University shall protect and preserve the assets of the state, the integrity of the data, financial and confidential information about the customer, and customer trust and confidence in using electronic commerce. It is important that OSU entities processing credit card or electronic check payments take measures to safeguard sensitive customer information including credit card numbers. Failure to comply with Payment Card Industry (PCI) Data Security Standards (DSS) may result in financial loss, fines, suspension of credit card processing privileges, and/or damage to the reputation of the University.

  1. The Assistant Vice President and Controller of Business Affairs or designee shall approve all e-Commerce activities conducted at the University.
  2. The University Chief Information Security Officer (CISO) and the Director of Business Affairs are responsible for University debit/credit card security, the distribution of security policies and procedures, monitoring of system access and alerts, and incident response.
  3. University departments with approved credit card processing activities must maintain the following standards:
    1. Protect Customer Information
      • Use the University centrally hosted e-Commerce software application, or an Office of the State Treasurer (OST) approved, secure, and fully hosted third party payment processing service.
      • Link the University e-Commerce Privacy Policy on applicable websites.
      • Use credit card processing terminals approved by OST and programmed to mask card numbers on both merchant and customer copies of receipts.
      • Do not create an electronic file containing full credit card numbers (database, spreadsheet, word processor, image, etc.)
      • Do not send or receive complete credit card numbers using email or campus mail. Fax transmission is acceptable, and proper handling and storage requirements apply.
      • Avoid the retention of paper records containing complete credit card numbers.  If, for business reasons, you must store full card numbers, they must be in a locked cabinet or office with adequate key controls, and stored  for no longer than 36 months before securely disposing of them (confidential recycle, cross-cut shred, pulp, or incinerate).  Mark these records as ‘Confidential’.
      • Records containing partial card numbers should be retained for no longer than seven years.
      • Strictly limit access to paper records containing credit card and bank account numbers based on job function.  Where practical, limit access to full time staff.
      • Inventory paper records containing full or partial credit card numbers every six months to identify loss or theft of items.
      • Report security breaches and gaps to the Business Affairs Office immediately (see item #4 below).
    2. Properly Account for Funds
    3. Train Employees
      • Designate a unit information security officer or single point of contact for e-Commerce.
      • Train all employees involved in processing card transactions to protect card data. Ask employees to review this policy annually and when business processes change.
    4. Participate in Annual PCI Risk Assessment
    5. Use only Approved Third Party Vendors
      • The Business Affairs Office will assist University departments in processing credit card and e-check payments online using secure payment processing.  The first option by departments should be to utilize the University e-Commerce applications, as it is Payment Card Industry (PCI) compliant, and NACHA compliant.
      • In accordance with OST Cash Management Agency Manual 02 18 14.PO, all third party vendors must be approved in advance by OST.  To obtain approval vendors must complete the OST 3rd Party Vendor Prequalification Form.
      • Oregon law requires that state funds be deposited directly into a recognized Oregon depository within 24 hours.  For this reason, the uses of services such as PayPal or Square that do not deposit proceeds directly into an OST merchant account are prohibited.
    6. In the event of a breach in card data security, take the following steps:
      1. Immediately contain and limit the exposure of cardholder data and alert the Business Affairs Asst. VP/Controller or Bursar, and the CISO.  A response team will be assembled and conduct a thorough investigation of the suspected loss or theft of account information.
        • Do not access or alter compromised systems (e.g., do not log on or change passwords; do not log in as ROOT).
        • Do not turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable).
        • Preserve logs and electronic evidence.
        • Log all actions taken.
        • If using a wireless network, change SSID on machines that may be using this connection (with the exception of any systems believed to be compromised).
        • Be on high alert and monitor all systems with cardholder data.
  4. Provide Business Affairs and the CISO with a detailed report containing account information at risk and the source and timeframe of the compromise.
  5. Complete an Incident Report as soon as possible no later than three business days and provide to the Asst. VP/Controller of Business Affairs and the CISO. OST will be notified as will the payment processor (Elavon).  OST, USBank, Elavon, and/or Visa, MasterCard, Discover will determine and notify Business Affairs if an independent forensic investigation, compliance questionnaire, and vulnerability scan are required.
  6. Business Affairs’ protocol for response is:
  • If an incident occurs during normal business hours (8:00AM to 5:00PM), notify the Office of the State Treasurer (OST) by using the number listed below.  OST will then notify USBank, and coordinate all communication.  If the incident occurs outside of normal business hours, contact USBank directly by using the phone number listed below.
    • Internal Information Security group and Incident Response Team: Chief Information Security Officer, Asst. VP/Controller of Business Affairs, Director of Enterprise Computing Services, VP Finance and Administration, and Office of the General Counsel.
    • Office of the State Treasurer (OST) at 1-503-378-4000.  Notify the receptionist that you have experienced a merchant card breach and ask to speak with the Merchant Bank Liaison on the Banking Team or a member of the Relationship Management Services Team.
    • USBank at 1-800-725-1243.  Identify that you are a “National Account” with the State of Oregon, and provide them with your Merchant ID (MID) number. Notify the USBank Customer Service Representative that you have experienced a merchant card breach and ask that the incident be reported to the Risk Department.

The OSU Vice President for Finance and Administration or designee has authority for administering this policy.

Additional References

OUS Policy Guidelines for Electronic Commerce 40.005       
State of Oregon Division of Finance Oregon Identity Theft Protection Act

Contact Info

Site Maintained by: Office of Human Resources
Oregon State University, Corvallis, OR 97331
Contact us with your comments, questions and feedback
Copyright © 2009 Oregon State University | Disclaimer
Copyright ©  2014 Oregon State University