Information Technology Services – Fred Miller, Chief Information Officer
Title: Credit Card Data Security Policy
Applicable: Furman University (Students, Staff, Faculty)
Contacts: Information Technology Service Center ext. 3277
Background: The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for organizations that handle credit card information. The major credit card providers require every organization that uses credit cards to certify annually that it complies with the provisions of this standard.
Policy: Any system or process that requires the use of a credit card must comply with the current Payment Card Industry Data Security Standard. Furman University is required to comply with all PCI-DSS terms for protecting credit card data and related personally identifiable information (PII).
1. Furman complies with PCI-DSS by following the requirements of PCI-DSS Self Assessment Questionnaire B. Requirements of PCI-DSS Self Assessment Questionnaire B include:
a. Furman credit card transactions may only be processed on-campus by imprint machines or dial-out terminals connected via a phone line to an approved credit card processor.
b. Standalone dial-out terminals may not be connected to any other systems on Furman’s campus.
c. Standalone dial-out terminals may not be connected to Furman’s network.
d. Furman will not transmit cardholder data over its network.
e. Furman will retain only paper reports or paper copies of receipts containing cardholder data, and these documents are not received electronically.
f. Furman will not store cardholder data in any electronic format.
2. University credit card transactions may be processed by approved third-party payment vendors that meet the PCI-DSS security and privacy requirements.
3. Any contract for information technology hardware, software, or services must be reviewed by the Director of Enterprise Systems for compliance with PCI-DSS and University PII standards before the contract is executed. Any contracts for systems, software, or services requiring the use of credit card transactions or other PII may only be executed on behalf of the University by the University’s Chief Information Officer.
4. A Furman-owned computer on Furman’s network may not act as a “virtual terminal” to process credit card transactions to an approved third party payment vendor.
5. No systems developed by ITS staff may collect or maintain personally identifiable information such as Social Security Numbers or credit card numbers.
6. The use of third-party build-your-own web form services (e.g., Wufoo) to collect credit card information, or other PII, is prohibited.
7. Exceptions to this policy may only be approved by the University’s Chief Information Officer.