Payment Card Security Policy 2038

I. PURPOSE

Longwood University accepts credit/debit cards as payment for various goods and services. The purpose of this policy is to establish appropriate procedures to ensure that all applicable University units conduct business in accordance with Payment Card Industry Data Security Standards (PCI DSS). This policy applies to all academic and administrative units and employees of Longwood University who accept credit/debit card payments and all external entities contracted by Longwood to provide outsourced services for credit/debit card processing for University business.

II. POLICY

The PCI requirements apply to all systems that store, process or transmit cardholder data. Longwood University will review its card processing services annually to determine the extent to which cardholder data is being collected, processed, transmitted, stored and disposed of. The University will support unit compliance with card processing procedures and industry standards governing credit card transaction processing, specifically Payment Card Industry Data Security Standards (PCI DSS). The University’s PCI Project Team is responsible for developing strategies to ensure PCI DSS requirements are met. This Team has been granted the authority to govern PCI decisions and approve credit card acceptance practices.

The approval process for all credit/debit card processing activities will be as follows:

  1. An Application to Process Credit Cards must be completed and submitted to the Bursar.
  2. The Vice President for Administration and Finance must approve all credit/debit card processing activities, regardless of transaction method used (e-commerce, POS device, e-commerce outsourced to a third party, etc.). Any agreements/contracts made with third parties relative to credit/debit card transaction processing must be approved by the Vice President for Administration and Finance; departments are prohibited from negotiating third-party credit/debit card activities.
  3. All technology implementation associated with credit/debit card processing must be approved by the University’s Information Security Officer, to include the purchase of software and/or equipment (excluding Verifone devices).

Units approved for debit/credit card processing activities must adhere to established procedures to promote compliance with standards governing credit/debit card transaction processing. Such procedures are applicable to payments deposited with the State Treasurer, in local accounts or with the Longwood University Foundation. The Vice President for Administration and Finance may terminate credit/debit card collection privileges for noncompliance with established procedures.

Departments are responsible for ensuring all individuals involved with credit/debit card transactions are aware of the importance of cardholder data security. Specific responsibilities include (1) documenting departmental procedures, (2) ensuring that credit/debit card activities are in compliance with established University procedures, (3) validating PCI compliance annually with their acquirer, and (4) ensuring that appropriate individuals complete annual credit card security awareness training. Any confirmed or suspected breach will be reported immediately to the Information Security Office.

Financial Operations is responsible for ensuring that the annual validation of PCI compliance with the University's acquiring bank is completed, for the annual review of departmental procedures and practices in connection with credit/debit card transactions, and for consulting with Information Technology prior to implementing any new credit/debit card transaction process.

Information Technology is responsible for verifying appropriate technical system security controls in accordance with PCI Data Security Standards and for regular monitoring and testing of the Longwood University network. The Information Security Office is responsible for establishing security incident response and escalation procedures and initiating such procedures when necessary to ensure timely and efficient handling of all incidents.

 

Approved by the Board of Visitors, December 3, 2010.
Revised and approved by the Board of Visitors, March 22, 2013.
Revised and approved by the Board of Visitors, June 23, 2014.
Revised and approved by the Board of Visitors, April 01, 2016.
Revised and approved by the Board of Visitors, September 15, 2017.