13.14 / Security of Payment Card Data

Effective: January 22, 2009Last Revised: September 28, 2020

  1. Initiating Authority

    1. The Senior Associate Vice President, Financial Operations and Business Technology, shall have primary responsibility for publication, dissemination and distribution of this University policy.
    2. This policy shall be included in the WSU Policies and Procedures Manual and shared with appropriate constituencies of the University.

  2. Purpose

    1. The purpose of this statement is to set forth University policy in compliance with the Payment Card Industry (PCI) Data Security Standards (DSS).
    2. The primary objective of PCI DSS is to protect payment cardholder data. Compliance with PCI DSS is required of all organizations that process, store or transmit cardholder data. The University's failure to comply with PCI DSS standards could result in severe consequences to the University, including the imposition of fines by the affected card brands, legal costs, fraud losses, and termination of the ability to accept Payment Cards.

  3. Policy

    1. The Senior Associate Vice President, Financial Operations and Business Technology, or his or her designee, shall approve each request to accept Payment Cards, perform reviews to ensure compliance, monitor the use of Payment Card transactions for compliance with University policies and contracts with financial institutions and third-party vendors, and oversee Payment Card accounting.
    2. All transactions that involve the transfer of Payment Card data must be performed on systems provided or approved by the University for this purpose. Payment applications used to process Payment Cards must be compliant with the PCI Security Standards Council's Payment Application Data Security Standard (PA-DSS). This includes payment applications hosted off campus by third parties as well as those hosted on campus.
    3. Financial Operations and Business Technology (FOBT) will maintain an inventory of all technologies used to process Payment Cards that are in scope for PCI DSS. Only FOBT-approved devices and software may be used.
    4. No card numbers or any documentation containing card numbers or cardholder data shall be transmitted or stored in any personal computer, email account or any other form of electronic media.
    5. No paper documents, including but not limited to, paper receipts and hand-written notes, containing card numbers or cardholder data shall be permanently stored by an approved department or unit. Said documents must be destroyed within two days of processing.
    6. The Chief Information Officer and Chief Information Security Officer or his or her designee shall provide advice/how-to/tools to enable departments and units to clearly follow industry best practices for access, firewalls, patches, data storage, passwords, encryption and security.
    7. All suspected security breaches shall be reported to the Chief Information Officer and Chief Information Security Officer immediately. The Chief Information Officer and Chief Information Security Officer shall investigate suspected security breaches and coordinate the University's response with the appropriate parties as needed and appropriate.
    8. Individuals in violation of this policy are subject to the full range of sanctions, including, but not limited to, the loss of computing or network access privileges; disciplinary action, including suspension and termination from employment for employees and dismissal from the University for students; and possible legal action. Some violations may constitute criminal offenses under local, state and/or federal law and the University will carry out its responsibility to report such possible violations to the appropriate authorities.

  4. Definitions

    For the purpose of this policy only, the following definitions shall apply:

    1. Payment Card: A Payment Card is part of a payment system issued by financial institutions, such as a bank, to a customer that enables the customer to access the funds in the customer's designated bank accounts or through a credit account. Such cards are known by a variety of names including bank cards, ATM cards, money access cards, client cards, cash cards and credit cards.

  5. Applicable Laws and Additional Resources

    1. WSU Policy 20.18 / Privacy of Financial Information