The purpose of this policy is to mitigate the risk to the University inherent in the acceptance and processing of credit card transactions, to assign the authority and responsibility for such transactions, and to ensure compliance with applicable laws and regulations, such as those maintained by the Payment Card Industry Security Standards Council.
This document describes IT Services’ policies and practices for managing its secure platform for University-hosted eCommerce, specifically payment card transactions, and the data related to eCommerce. This policy is intended to comply with the requirements of the Payment Card Industry Data Security Standard (“PCI DSS”). The PCI DSS is included by reference herein; however, IT Services will be the sole determinant of how PCI DSS will be applied within IT Services operations. This document will be reviewed annually and updated as appropriate to maintain compliance with the PCI DSS.
This policy applies to University computers and systems that obtain or transmit credit card information electronically.
This policy sets forth a general framework for meeting the University’s obligations to review, retain, and destroy University records consistent with laws, regulations, and internal University record keeping objectives that may change from time to time. This policy is intended to supplement rather than supersede the current document retention and destruction policies of any academic or administrative department of the University. Please contact the Office of Legal Counsel if any such existing policies conflict with the guidance in this policy.