E-commerce Compliance Guidelines and KU Policies
Introduction to PCI
Payment Card Industry Data Security Standard (PCI DSS), commonly shortened to PCI, is a set of requirements developed by the major credit card companies (Visa, MasterCard, Discover, American Express, and JCB) to help companies and organizations that process credit cards prevent credit card fraud and breaches of cardholder information. Any organization that processes, stores, or transmits credit card numbers is required by the credit card companies to comply with the PCI standard. Organizations that fail to comply may lose the ability to accept credit cards as a form of payment.
Requirements of PCI
PCI outlines 12 specific requirements. These requirements are grouped into six control objectives, the general goals of PCI. The requirements are listed below:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security.
Credit Card Information & Guidelines
Credit card information is considered both "personally identifiable information" and "personal financial information," and should be handled with the utmost care, security and confidentiality within University business processes.
Any department processing credit card transactions will be charged accordingly for any interchange fee, Merchant Service processor fee, settlement gateway fee and online system transaction and/or maintenance fee related to credit card payment processing.
Departments wishing to begin accepting credit cards, whether through a credit card terminal, an online payment application or a contracted payment service, should contact the E-commerce Committee before purchasing a terminal, software or related hardware. It is imperative that KU units take all the proper steps for procurement and compliance.
KU Policies Related to E-Commerce
All e-commerce at KU must adhere to the policies below.
Security and Privacy
- Privacy Policy
- Data Classification and Handling Policy
- HIPAA Compliance Policy
- Gramm-Leach-Bliley Student Financial Information Security Program
- Information Technology Security Policy
- Information Access Control Policy
- IT Security Incident Response Policy
- Electronic Data Disposal Policy
Additional Related Policies
- Acceptable Use of Electronic Information Resources
- Records Retention Schedule
- Student Records Policy: Office of the University Registrar
- Investigative Contact by Law Enforcement, Policy and Procedures
- Minors on Campus Policy