Purpose
To establish organizational-level security standards for the protection of Cardholder Data and compliance with Payment Card Industry Data Security Standards.
Scope
This policy covers all University campuses and applies to all OU entities that collect, store, process, or transmit Cardholder Data, provide for its oversight, or support an entity that does.
Accountability
This policy is approved by the University President and enforced by the Chief Information Officer (CIO). Internal Audit, or other departments, may periodically assess compliance with this policy and may report violations to the appropriate governing stakeholders and/or the Board of Regents.
Definitions
See Information Technology and Security Definitions.
Policy Statement
University entities that collect, store, process, or transmit Cardholder Data must be approved and authorized by the Office of the Bursar for processing payment card transactions. All OU entities that collect, store, process, or transmit Cardholder Data, provide for its oversight, or support an entity that does will comply with all requirements of the PCI DSS and the respective Campus Payment Card Security Standard.
Procedures
Documentation
All material supporting information and evidence collected and/or used as part of the compliance process will be formally documented and securely maintained.
Consequences of Non-compliance
Failure to comply may result in the termination of a merchant's ability to accept payment cards and/or fines assessed by the Office of the Bursar.
References
Revision, Review, and Approval History
- July 2012: Baseline created
- July 2012: Approved by the Office of the President
- November 2024: Applied updated policy style sheet