CWUP 2-70-040 Payment Card Policy

Reference: CWUR 7-70-050 Payment Card Procedures

(1) Policy

It is the policy of the University to allow acceptance of payment cards as a form of payment for goods and services upon written approval from the Director of Financial Services.  The University requires all Merchants that accept payment cards to do so only in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and in accordance with the requirements outlined in this policy document and accompanying procedure.

The PCI DSS is a mandated set of requirements agreed upon by the five major credit card companies. These security requirements apply to all transactions surrounding payment cards and the merchants/organizations that accept these cards as forms of payment.

This policy and CWUR 7-70-020 Payment Card Procedure provide the requirements for processing, transmission, storage and disposal of cardholder data. This is to reduce the institutional risk associated with the administration of credit card payments by university departments and to ensure proper internal controls and compliance with the PCI DSS.

(2) Scope

This policy applies to all university entities involved in payment card processing as well as all other external or internal agencies that store, process or transmit cardholder data and/or sensitive authentication data on behalf of the University.

(3) Authority

In accordance with the provisions of the PCI DSS, the university is required to implement technical and operational safeguards designed to protect cardholder data.

(4) Roles and Responsibilities

The director of financial services is the business owner and approving authority for all merchant accounts and financial transactions. The chief information security officer, in collaboration with all major stakeholders, is responsible for the development and enforcement of this policy.

(5) Policy Maintenance

The chief information security officer and the director of financial services shall review and recommend any changes to this policy statement at least annually or more frequently as needed to respond to changes in the regulatory environment and internal business practices.

(6) Implementation

Failure by an individual to comply with the university payment card policy or procedure may result in disciplinary action up to and including termination for University employees, contract termination in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. Violations specific to the PCI DSS may result in:
• loss of the department or business unit's ability to accept credit cards as a form of payment; and
• fines of up to $500,000 per incident (as imposed by the payment card brand).
The University reserves the right to pursue appropriate legal actions as a result of a violation of the University payment card policy.

[Responsibility: VP of Operations; Authority: Cabinet/PAC; Reviewed/Endorsed by: Cabinet/PAC; Review/Effective Date: 06/04/2014; Approved by: James L. Gaudino, President]
