University of Washington Policy Directory

Print This Page E-mail this Page
*Formerly part of the University Handbook
Administrative Policy Statement
35.1


Compliance Policy for Payment Card Industry Data Security Standards

(Approved by the Senior Vice President for Finance and Facilities by authority of Executive Order No. 5)



1.  Purpose

Departments and business units throughout the University of Washington (UW) have entered into merchant contracts with the Payment Card Industry (PCI) as part of their business transaction service sets. Because of rapidly evolving financial crimes and cyber-related security challenges, the payment industry, including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, has published specific "PCI Data Security Standards" in an effort to better secure payment account data in a globally consistent manner. All merchant contract holders are required to adopt and implement tools, practices, and policies to comply with these standards. Failure to comply may result in financial penalties, or security breaches.

This policy helps ensure PCI compliance requirements are met throughout all UW business units and departments. It also provides UW procedures for use, reporting requirements of contracted payment card services, and the process for obtaining and maintaining merchant contracts on the Acceptance of Credit Cards on Campus web page.

2.  Policy Definitions

Merchant: Any office, unit, department, or organization at the University of Washington that accepts credit cards as a form of payment for goods and/or services.

Merchant Contract Holder (MCH): Any UW business unit or department that holds a merchant contract with any PCI service provider(s). This includes terminal-based payment system owners and online web-based application system owners.

Merchant Level: PCI security standards provide four different levels of compliance activities that must be completed annually. These levels, (merchant levels 1–4) are based on the transaction volumes of a merchant. Essentially, merchants with the most transactions have the most compliance work to perform to stay in compliance. The specific compliance requirements for each merchant level can be found on the Merchant Levels and Compliance Validation Requirements Defined web page.

Online Privacy Policy: All websites that host payment transaction applications must have an online privacy policy that is easily located by the potential customer who visits the website. This privacy policy must clearly state the limitations of use, retention, and protection measures related to data that customers submit. It should also state what, if any, electronic monitoring, and HTTP cookie use the UW intends to perform with a visitor's electronic connection. The site must also provide contact information for customers to ask questions about the privacy policy.

OWASP Standards: Open Web Application Security Project (OWASP) secure coding standards are referenced in the PCI security standards for web application developers to use to avoid common coding vulnerabilities in the software development process.

PCI Security Standards: The information security standards, published by the PCI, that all MCHs are required to adopt and implement. Failure to comply may result in serious fines, penalties, and/or restrictions on merchant account activity.

Transaction Service Provider: The third party who provides a secured processing connection with the MCH's transaction processing bank.

3.  Policy

  • All UW MCHs, both terminal and web application-based, are required to comply with and support PCI security standards. All UW MCHs are required once a year to submit to UW Student Fiscal Services (SFS) completed PCI compliance surveys that will be sent to the MCH by SFS.

  • All UW merchant contractual agreements must be obtained through SFS.

  • All MCHs are required to use a UW-preferred transaction service provider.

  • All MCHs that offer Internet-facing payment services must certify that the security of their web forms or applications meet OWASP standards through secure code reviews and/or penetration testing.

  • UW internally hosted transaction service technology deployments must comply with all relevant UW security policies and standards in addition to PCI security standards.

  • An online privacy policy statement is required for websites that host PCI-related transactions and should include the UW's uniform content language provided by SFS.

  • If any existing or future UW MCH has specific needs or operational requirements that are exceptions to this policy, they must request a formal "exception" with SFS in writing. SFS will review the request and notify the requesting party if the exception is allowable and whether there any specific conditions that must be honored as part of the exception.

4.  Applicability

All current and future UW MCHs or temporary transaction service setups to accept credit card transactions for a specific activity or event are required to comply with this policy.

5.  Enforcement

Failure to comply with this policy may result in restrictions on use or closure of merchant account-related services, and disciplinary action.

6.  Additional Information

For additional information, contact Student Fiscal Services:

  • Location: 129 Schmitz Hall
  • Phone: 206–543–4694
  • Fax: 206–685–2942
  • Campus Mail: Box 355870
  • Email:sfshelp@u.washington.edu

April 30, 2009; May 13, 2009.