Preamble:
The primary objective of the Payment Card Industry Data Security
Standard (PCI DSS) is to protect cardholder data. Compliance with
the standard is required of all entities that process, store or
transmit cardholder data. Failure to comply with PCI DSS may result
in fines imposed by the affected payment card brands, as well as
other contractual penalties.
Policy Statement:
1. The Director of Financial Operations and Business
Technology, or the Director's designee, shall approve each department
or unit requesting to accept credit cards; perform an annual review of
all approved units to ensure compliance; monitor the use of credit card
transactions for compliance with this policy, other University
policies and contracts with financial institutions; and oversee credit
card accounting for each approved department or unit.
2. All transactions that involve the processing, storage or transmission of credit card data must be performed on systems provided or approved by the University for this purpose.
3. No credit card numbers, and no documentation containing credit card numbers or other cardholder data, shall be transmitted through or stored on any personal computer or e-mail account used by an approved department or unit.
4. No paper documents containing credit card numbers or other cardholder data, including but not limited to paper receipts and hand-written notes, shall be retained by an approved department or unit.
5. The Chief Information Officer, or the Chief Information
Officer's designee, shall provide guidance, procedures and tools that
enable departments and units to follow industry best practices for
access control, firewalls, patching, data storage, passwords, encryption
and security.
6. All suspected security breaches shall be reported to the
Chief Information Officer immediately. The Chief Information
Officer shall investigate suspected security breaches and coordinate
the University's response with the appropriate card brand or acquiring
bank, affected cardholders, and law enforcement as needed and
appropriate.
7. Individuals in violation of this policy are subject to the
full range of sanctions, including the loss of computing or network
access privileges; disciplinary action, including suspension and
termination from employment for employees and dismissal from the
University for students; and possible legal action. Some
violations may constitute criminal offenses under local, state and/or
federal law and the University will carry out its responsibility to
report such possible violations to the appropriate authorities.
Implementation:
This policy shall be included in the WSU Policies and Procedures
Manual and shared with appropriate constituencies of the
University.
The Director of Financial Operations and Business Technology shall have primary responsibility for publication, dissemination and distribution of this University policy.
Effective Date:
January 22, 2009
July 30, 2009
(See also Privacy of Financial Information at Section 20.18 of this manual.)