Credit and Debit Card Security Policy
Longwood University accepts credit/debit cards as payment for various goods and services. The purpose of this policy is to establish appropriate procedures to ensure that all applicable University units conduct business in accordance with Payment Card Industry Data Security Standards (PCI DSS). This policy applies to all academic and administrative units and employees of Longwood University who accept credit/debit card payments and all external entities contracted by Longwood to provide outsourced services for credit/debit card processing for University business.
The PCI requirements apply to all systems that store, process or transmit cardholder data. Longwood University will review annually its card processing services to determine the extent to which cardholder data is being collected, processed, transmitted, stored and disposed. The University will support unit compliance with card processing procedures and industry standards governing credit card transaction processing, specifically Payment Card Industry Data Security Standards (PCI DSS).
The approval process for all credit/debit card processing activities will be as follows:
- An "Application to Process Payment Cards" (xlsx) must be completed and submitted to the Director of Cashiering and Student Accounts.
- The Vice President for Administration and Finance must approve all credit/debit card processing activities, regardless of transaction method used (e-commerce, POS device, e-commerce outsourced to a third party, etc.). Any agreements/contracts made with third parties relative to credit/debit card transaction processing must be approved by the Vice President for Administration and Finance; departments are prohibited from negotiating third-party credit/debit card activities.
- All technology implementation associated with credit/debit card processing must be approved by the University’s Information Security Officer, to include the purchase of software and/or equipment (excluding Verifone devices).
- Sensitive cardholder data may not be stored on any Longwood University computer device or network. All exceptions must be in writing and signed by both the Vice President for Administration and Finance and the Vice President for Information Technology.
Units approved for debit/credit card processing activities must adhere to procedures established to promote compliance with standards governing credit/debit card transaction processing. Such procedures are applicable to payments deposited with the State Treasurer, in local accounts or with the Longwood University Foundation. The Vice President for Administration and Finance may terminate credit/debit card collection privileges for noncompliance with established procedures.
Departments are responsible for ensuring all individuals involved with credit/debit card transactions are aware of the importance of cardholder data security. Specific responsibilities include (1) documenting departmental procedures, (2) ensuring that credit/debit card activities are in compliance with established University procedures, (3) annual validation of PCI compliance with their acquirer, and (4) ensuring that appropriate individuals complete annual credit card security awareness training. Any confirmed or suspected breach will be reported immediately to the Information Security Office.
Financial Operations is responsible for ensuring the annual validation of PCI compliance with the University's acquiring bank is completed, the annual review of departmental procedures and practices in connection with credit/debit card transactions, and consulting with Information Technology prior to implementing any new credit/debit card transaction process.
Information Technology is responsible for verifying appropriate technical system security controls in accordance with PCI Data Security Standards and regular monitoring and testing of the Longwood University network. The Information Security Office is responsible for establishing and initiating security incident response and escalation procedures and initiating such procedures when necessary to ensure timely and efficient handling of all incidents.
Approved by the Board of Visitors, December 3, 2010.
Revised and approved by the Board of Visitors, March 22, 2013.