Effective June 10, 2002
Last Revised June 30, 2008
Who Should Read This Policy
Administrators for OSU entities that are processing credit card, online credit card, or electronic check payments should read and be familiar with this policy.
Purpose & Background Information
The Business Affairs Office views electronic commerce as a natural extension of the business processes already conducted by the University. We encourage colleges and auxiliary departments to utilize electronic commerce to improve service to students, faculty, staff, and the public, and to reduce the cost of providing these services. For purposes of this policy, electronic commerce includes all business transactions accomplished using an electronic medium.
In all endeavors the University shall protect and preserve: the assets of the state; the integrity of the data; financial and confidential information about the customer; and customer trust and confidence in using electronic commerce. It is important that OSU entities processing credit card or electronic check payments take measures to safeguard sensitive customer information including credit card numbers. Failure to comply with Payment Card Industry (PCI) rules may result in financial loss, fines, suspension of credit card processing privileges, and/or damage to the reputation of the university.
This policy provides guidelines for all credit card and ePayment processing activities at OSU.
- The Director of Business Affairs or designee shall approve all eCommerce activities conducted at the University.
- The University Chief Information Security Officer (CISO) and the Director of Business Affairs are responsible for university debit/credit card security, the distribution of security policies and procedures, monitoring of system access and alerts, and incident response.
- University departments with approved credit card processing activities must maintain the following standards:
a) Protect Customer Information
- Use the University centrally hosted eCommerce application, or an Office of the State Treasurer (OST) approved, secure, and fully hosted third party payment processing services.
- Do not create an electronic file containing full credit card numbers (database, spreadsheet, word processor, image, etc.)
- Avoid the retention of paper records containing complete credit card numbers. If, for business reasons, you must store full card numbers then do so for no longer than 36 months before securely disposing of them (confidential recycle, cross-cut shred, pulp, or incinerate). Mark these records as 'Confidential'.
- Records containing partial card numbers should be retained for no longer than seven years.
- Strictly limit access to paper records containing credit card and bank account numbers based on job function. Where practical, limit access to full time staff.
- Access to electronic records must be authorized in writing by the employee's manager.
- Credit card processing terminals must be models approved by OST and programmed to mask card numbers on both merchant and customer copies of receipts.
- Physically secure paper records containing full credit card numbers in locked cabinets or offices with adequate key control.
- Inventory paper records containing full or partial credit card numbers every six months to identify loss or theft of items.
- Do not send or receive complete credit card numbers using email or campus mail.
- Report security breaches and gaps to the Business Affairs Office immediately (see item #4 below).
b) Properly Account
- Adhere to appropriate accounting standards as established by the Vice President for Finance and Administration.
- Follow the procedures outlined in the OSU Fiscal Operations Policy & Procedures Manual, including those related to: Sales of Goods & Services; Deposits; and Cash Handling.
- Uniquely serialize and fully journalize all transactions to provide a conclusive audit trail.
- Routinely reconcile all goods and services provided and received to the accounting records.
c) Employee Training
- Designate a unit information security officer or single point of contact for eCommerce.
- Train all employees involved in processing card transactions to protect card data and ask them to review this policy annually and when business processes change.
d) Annual Risk Assessment
- All university units processing credit cards will participate in an annual PCI risk assessment.
e) Third Party Vendors
- The Business Affairs Office will assist University departments in processing credit card and echeck payments online. The first option for departments should be to utilize the centrally hosted University eCommerce applications, as they are Payment Card Industry (PCI) compliant and NACHA compliant.
- In accordance with OST Cash Management Policy 02 18 14.PO, all third party vendors must be approved in advance by OST. To obtain approval vendors must complete the OST 3rd Party Vendor Prequalification Form.
- Oregon law requires that state funds be deposited directly into a recognized Oregon depository within 24 hours. For this reason the use of PayPal or similar services that do not deposit proceeds directly into an OST merchant account are prohibited.
f) In the event of a breach in card data security take the following steps
- The unit shall immediately contain and limit the exposure of cardholder data, alert Business Affairs, and conduct a thorough investigation of the suspected loss or theft of account information.
- Do not access or alter compromised systems (e.g., do not log on or change passwords; do not log in as ROOT).
- Do not turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable).
- Preserve logs and electronic evidence.
- Log all actions taken.
- If using a wireless network, change SSID on machines that may be using this connection (with the exception of any systems believed to be compromised).
- Be on high alert and monitor all systems with cardholder data.
- Provide Business Affairs with a report containing: account information at risk, and the source and timeframe of the compromise. Complete an Incident Report as soon as possible. This must be completed within three business days and provided to the Office of the State Treasurer. OST will forward it to U.S. Bank/NOVA. Visa and U.S. Bank/NOVA will determine and notify the agency and OST if an independent forensic investigation, compliance questionnaire, and vulnerability scan are required.
- Business Affairs will alert all necessary parties immediately.
- If an incident occurs during normal business hours (8:00 AM to 5:00 PM), notify the Office of the State Treasurer (OST) by using the number listed below. OST will then notify U.S. Bank and coordinate all communication. If the incident occurs outside of normal business hours, contact U.S. Bank directly by using the phone number listed below.
- Internal Information Security group and Incident Response Team: Chief Information Security Officer, Director of Business Affairs, Director of Enterprise Computing Services, VP Finance and Administration, and Office of the General Counsel.
- Office of the State Treasurer (OST) at 1-503-378-4000. Notify the receptionist that you have experienced a merchant card breach, and ask to speak with the Merchant Bank Liaison on the Banking Team or a member of the Relationship Management Services team.
- U.S. Bank at 1-800-725-1243. Identify that you are a "National Account" with the State of Oregon, and provide them with your Merchant ID (MID) #. Notify the U.S. Bank customer service representative that you have experienced a merchant card breach, and ask that the incident be reported to the Risk Department.
- The OSU Vice President for Finance and Administration or designee has authority for administering this policy.
Additional Information
- eCommerce Request Forms
- OSU Cash Handling Guidelines http://oregonstate.edu/fa/businessaffairs/cashiers/cash_handling_handbook
- OSU FIS Manual http://oregonstate.edu/dept/budgets/FISManual/FISTOC.htm
- OSU Enterprise Computing eCommerce site http://oregonstate.edu/dept/computing/ecommerce/
- OUS Policy Guideline for Electronic Commerce
- State of Oregon Division of Finance Oregon Identity Theft Protection Act http://www.dfcs.oregon.gov/identity_theft/safeguard_data.html
- Oregon State Treasury Cash Management Policy http://www.ost.state.or.us/divisions/finance/cashmanagement/
- Payment Card Industry Data Security Standards (PCI DSS)