The primary objective of PCI DSS is to protect credit cardholder data. Compliance with the standard is required of all businesses that process, store or transmit credit cardholder data. The failure to comply with PCI DSS standards may result in the imposition of fines by the affected credit card company.
1. The Associate Vice President, Financial Operations and Business Technology, or designee, shall approve each department or unit requesting to accept credit cards, perform reviews to ensure compliance, monitor the use of credit card transactions for compliance with this policy and other University policies and contracts with financial institutions and third-party vendors, and oversee credit card accounting for each approved department or unit.
2. All transactions that involve the transfer of credit card data must be performed on systems provided or approved by the University for this purpose. Payment applications used to process credit cards must be certified to be compliant with PCI's Payment Application Data Security Standard (PA-DSS). This includes payment applications hosted off campus by third parties as well as those hosted on campus.
3. Financial Operations and Business Technology (FOBT) will maintain an inventory of all technologies used to process credit cards that are in scope for PCI DSS. Each department or unit may use only FOBT approved devices and software.
4. No credit card numbers or any documentation containing credit card numbers or cardholder data shall be transmitted or stored in any personal computer, email account or any other form of electronic media.
5. No paper documents, including, but not limited to, paper receipts and hand-written notes, containing credit card numbers or cardholder data shall be permanently stored by an approved department or unit. Said documents must be destroyed within two days of processing.
6. The Chief Information Officer or designee shall provide advice/how-to/tools to enable departments and units to clearly follow industry best practices for access, firewalls, patches, data storage, passwords, encryption and security.
7. All suspected security breaches shall be reported to the Chief Information Officer immediately. The Chief Information Officer shall investigate suspected security breaches and coordinate the University's response with the appropriate credit card agency, affected credit card users, and law enforcement as needed and appropriate.
8. Individuals in violation of this policy are subject to the full range of sanctions, including the loss of computing or network access privileges; disciplinary action, including suspension and termination from employment for employees and dismissal from the University for students; and possible legal action. Some violations may constitute criminal offenses under local, state and/or federal law and the University will carry out its responsibility to report such possible violations to the
This policy shall be included in the WSU Policies and Procedures Manual and shared with appropriate constituencies of the University.
The Associate Vice President, Financial Operations and Business Technology, shall have primary responsibility for publication, dissemination and distribution of this University policy.
January 22, 2009
July 30, 2009
April 1, 2014
June 3, 2016
(See also Privacy of Financial Information at Section 20.18 of this manual.)