Skip navigation College of Charleston
CofC Home About CofC Academic Programs Library Bookstore Athletics  
Cougar Trailpaw WebMail WebCT today@CofC Technology  
Treasurer
Tuition and Fees
Payment Plan
Instructions for Adding Authorized Users
1098T Information
Cancellation for Non-Payment Policy: Fall/Spring Semesters

Cancellation for Non-Payment Policy: Maymester/Summer

Legal Residency

Policies (Late Fees, Returned Payments, PCI Compliance, Cash Receipts)
Business Affairs
Treasurer

Student Loan Accounting/Past Due Balance
Contact Staff
 
Policies

Credit/Debit Card Policy

SECTION:                   Business Affairs

Subject:                        Credit Card Processing Policy

Date:                            July 1, 2007

Policy for:                     All Departments

Procedures for: All Departments

Authorized by:  Business Affairs

Issued by:                     Treasurer’s Office

 

1.  Executive Summary and Purpose
This credit card processing policy provides requirements and guidance for all credit card processing activities for the College of Charleston.

At the initial publication of the credit card processing policy the following sources were consulted and provided the basis establishment:  ISO 17799, Visa CISP, MasterCard and Discover Merchant Operating Regulations, and America Express Card Acceptance Agreement.

The credit card processing policy deals with access to the College of Charleston’s computing and network resources with regard to credit card processing.  The credit card processing policy pre-empts all other campus policies and procedures for all issues related to the scope of this policy.

2.  Scope

The credit card processing policy applies to:
All departments, affiliates, and employees of the College of Charleston who accept credit card payments for College business.
All external organizations contracted by the aforementioned parties to provide outsourced services for credit card processing for College business.
All departments, affiliates and employees of the College of Charleston who provide credit card processing services for third parties.

3.  Definitions

Account Number:  The unique number identifying the cardholder’s account which is used in financial transactions.

Cardholder data:  Cardholder data is any personally identifiable data associated with a cardholder.  Examples include but are not limited to an account number, expiration date, name, address, social security number, etc.

Sensitive Cardholder data:  Sensitive Cardholder data is defined as the account number, expiration data, CVC2/CVV2 (a three-digit number imprinted on the signature panel of the card), and data stored on track 1 and track 2 of the magnetic stripe of the card.

Cardholder Information Security Program (CISP):  CISP defines a standard of due care for securing cardholder data, wherever it is located.  CISP compliance has been required of all entities storing, processing, or transmitting cardholder data.

Credit Card Processing:  Act of storing, processing, or transmitting credit cardholder data.

E-Commerce Application:  Any network-enabled financial transaction application.

Employee:  Any employee as defined by the College of Charleston’s policies and procedures or the faculty manual.

ISO 17799:  The International Standards Organization document defining computer security standards.

POS Device:  Point of Sale (POS) computer or credit card terminals either running as stand alone systems or connecting to a server either at the College of Charleston or at a remote off site location.

Site Data Protection Program (SDP):  The formal data protection program mandated by MasterCard.  The SDP Program provides acquiring members with the ability to deploy security compliance programs, ensuring that online merchants and member service providers are adequately protected against hacker intrusions and account data compromises.

Web Development:  The design, development, implementation and management of the user interface of the e-Commerce application

4. Statement of Policy

Responsibility of College Departments

All departments that manage credit card holder data must adhere to strict procedures for ensuring that data is secure at all times.  Regardless of which credit card vendor is used, the College of Charleston faces steep penalties, including fines and lost business if credit card data is stolen.

All College of Charleston divisions and departments desiring to accept payment for financial transactions electronically via the Internet using e-commerce are required to process all transactions through approved gateways.  All gateways must ensure that all data and personal information related to credit card sales passes through specific, approved hardware and software that meets all criteria specified by the Cardholder Information Security Program (CISP).

Types of E-Commerce:

Web display only:  Under the form of, departments selling approved goods and services create an individual Web site to display product and service information.  However, the ordering, transfer or payment and shipping information are performed elsewhere such as through use of phone or mail.  Traditional methods for securing and providing the retention of personal and financial information on written records would apply.

E-Mail Transactions:  Web sites developed by departments may display product and service information.  However, visitors have the option of submitting order information to the seller via e-mail.  This method is acceptable for exchanging quantitative information and for communicating an interest to purchase.  E-mail must not be used to transfer confidential data/information such as credit card numbers, social security number, purchaser identification, or other sensitive information related to the purchaser.

Secured Restricted Gateway:  A secured restricted gateway combines a Web site to display products and services developed by the selling department and an electronic link to the approved Gateway software.  Using a secured restricted gateway is the required methodology for all College of Charleston e-commerce involving the acceptance of payments by credit card via the internet.

Products or services provided by e-commerce sites are limited to those that support the College of Charleston academic mission.

Approved Process

The approval process for all credit card processing activities will be as follows:

The Treasurer and Vice President of Fiscal Services or delegate(s) must approve all credit card processing activities at the College of Charleston before a unit enters into any contracts or purchase of software and/or equipment.  This requirement applies regardless of the transaction method used (e.g. e-commerce, POS device, or e-commerce outsourced to a third party).  Approved units must register their credit card processing information with the Treasurer’s Office, the
Vice President for Fiscal Services and the College IT Department.

All technology implementations (including approval of authorized payment gateways) associated with the credit card processing must be in accordance with the Credit Card Processing Procedures and approved by the Treasurer, VP, and IT Department prior to entering into any contracts or purchasing of software and/or equipment.

 

Sensitive cardholder data must not be stored in any fashion on the College of Charleston computers or networks.  Exemptions to storing card holder data must come from the Treasurer.

Third party vendors must suppress the use of mechanisms that collect or track customer information (e.g., web bugs, cookies, software buffers).

Maintaining Standards

Units approved for credit card processing activities must maintain the following standards:

All employees (business managers, operations personnel, and technical staff) involved in e-Commerce or POS transactions must understand all requirements as outlined in the Credit Card Processing Procedures.

All units should create, maintain and test (as required by CISP): business continuity and disaster recovery plans as well as incident response capabilities.

All servers and POS devices will be administered in accordance with the requirement of the Credit Card Processing Procedures.

Access to credit card processing systems and related information must be restricted to appropriate personnel.

Each department responsible for credit card processing must complete an Annual Self-Assessment Questionnaire and a Quarterly Network Scan by an approved independent scan vendor.  All systems processing cardholder data must comply with the credit card processing policy and the associated procedures.  The College IT Department and the Treasurer’s Office will assist in the initial self assessment.  To combat the loss of payment card information to hackers, e-commerce sites must comply with all security requirements as outlined in the Credit Card Processing Procedures to achieve certification.  Self-assessment and certification forms will be sent to the Treasurer.

Third party source code (HTML, CGI or script) should be provided to authorize individuals at the College of Charleston upon request.

A third party vendor must provide evidence of adequate liability insurance.

Only approved College of Charleston logos may be used on e-commerce sites existing within the College of Charleston domain.

5. Procedures

The Credit Card Processing Procedures provides details for implementation of the credit card processing policy.  The Credit Card Processing Procedures document carries the full force of the credit card processing policy.  The separation of policy and procedures allows for easier modifications to the procedures due to the changing nature of business, technology and security.

6. Revisions and Exceptions

The credit card processing policy may be revised only with approval of the Vice President of Fiscal Services for the College of Charleston.  The Vice President may grant exceptions to the credit card processing policy or revise the Credit Card Processing Procedures document by mutual agreement.

7. Compliance

Failure to comply with the credit card processing policy and the associated required procedures will be deemed a violation of College policy and will result in suspension of electronic payment capability for the affected departments.  Additionally, fines may be imposed by the affected credit card company, beginning at $50,000 for the first violation.  Technology that does not comply with the credit card processing policy and the associated required procedures is subject to disconnection of network services.

8. Communication

Upon approval, the credit card processing policy shall be published on the appropriate College of Charleston web site(s).  The following offices and individuals shall be notified in writing with any subsequent revisions or amendments made to the credit card processing policy.

Vice President for Fiscal Services
Chief Information Officer for Information Technology
Vice President for Business Affairs
Treasurer
Internal Auditor

 Ask CofC
Learning Cougar Trail
FERPA Family Rights and Privacy Act

 
 

News & Tips

Mailing Address:

Treasurer's Office
College of Charleston
66 George Street
Charleston, South Carolina 29424

Physical Address:

170 Calhoun Street

Phone Numbers:

(843)953-5572

Email Address:

Treasurer@cofc.edu
 
Go to Top
 
 
Copyright 2003© College of Charleston. All Rights Reserved.