13.14 / Security of Credit Card Data

  1. Purpose

    The purpose of this statement is to set forth University policy in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).


    The primary objective of PCI DSS is to protect credit cardholder data. Compliance with the standard is required of all businesses that process, store or transmit credit cardholder data. The failure to comply with PCI DSS standards may result in the imposition of fines by the affected credit card company.

  2. Policy

    1. The Associate Vice President, Financial Operations and Business Technology, or designee, shall approve each department or unit requesting to accept credit cards, perform reviews to ensure compliance, monitor the use of credit card transactions for compliance with this policy and other University policies and contracts with financial institutions and third-party vendors, and oversee credit card accounting for each approved department or unit.

    2. All transactions that involve the transfer of credit card data must be performed on systems provided or approved by the University for this purpose. Payment applications used to process credit cards must be certified to be compliant with PCI's Payment Application Data Security Standard (PA-DSS). This includes payment applications hosted off campus by third parties as well as those hosted on campus.

    3. Financial Operations and Business Technology (FOBT) will maintain an inventory of all technologies used to process credit cards that are in scope for PCI DSS. Each department or unit may use only FOBT approved devices and software.

    4. No credit card numbers or any documentation containing credit card numbers or cardholder data shall be transmitted or stored in any personal computer, email account or any other form of electronic media.

    5. No paper documents, including but not limited to, paper receipts and hand-written notes, containing credit card numbers or cardholder data shall be permanently stored by an approved department or unit. Said documents must be destroyed within two days of processing.

    6. The Chief Information Officer or designee shall provide advice/how-to/tools to enable departments and units to clearly follow industry best practices for access, firewalls, patches, data storage, passwords, encryption and security.

    7. All suspected security breaches shall be reported to the Chief Information Officer immediately. The Chief Information Officer shall investigate suspected security breaches and coordinate the University's response with the appropriate credit card agency, affected credit card users, and law enforcement as needed and appropriate.

    8. Individuals in violation of this policy are subject to the full range of sanctions, including the loss of computing or network access privileges; disciplinary action, including suspension and termination from employment for employees and dismissal from the University for students; and possible legal action. Some violations may constitute criminal offenses under local, state and/or federal law and the University will carry out its responsibility to report such possible violations to the appropriate authorities.

  3. Implementation

    This policy shall be included in the WSU Policies and Procedures Manual and shared with appropriate constituencies of the University.

    The Associate Vice President, Financial Operations and Business Technology, shall have primary responsibility for publication, dissemination and distribution of this University policy.

(See also Privacy of Financial Information at Section 20.18 of this manual.)