Payment Card Acceptance and Data Security
Policy Summary
Credit and debit cardholder information is regulated information that must be appropriately secured. The university is required to be compliant with the Payment Card Industry (PCI) Data Security Standards, and is committed to providing a secure environment to protect against both loss and fraud related to cardholder information. This compliance includes securely processing, storing, transmitting, and disposing of credit and debit cardholder information.
Related Regulations
The purpose of this policy is to promote protection of cardholder data in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). Failure to comply with the PCI-DSS standards may result in fines, loss of ability to process payment cards, and reputational damage to the university.
Who is Governed by this Policy
- Students
- Staff
- Faculty
- External entities that intend to use GW Technology Services
Policy
Cardholder data is designated as regulated data per the Data Classification and Protection Guide. University offices and members of the university community involved in processing payment card transactions are responsible for protecting such data, and for following the information security practices and policies set forth herein, including those referenced under the Related Information section below.
Treasury Management is responsible for issuing all credit card merchant identification accounts, for arranging GW-approved payment card acceptance services, and for approving payment card procedures. University offices may not collect, process, store, transmit or display payment card information, or procure merchant services that perform such actions, without advance approval from Treasury Management. This requirement applies to all payment card transactions whether conducted in person, via telephone, fax, mail, internet, or through a university-approved third-party vendor on behalf of a unit.
University offices with a business need to process payment card transactions must contact Treasury Management in advance of accepting any payment to obtain a merchant identification account, training, and the appropriate GW-approved secure payment processing method(s).
Any university office that manages or contracts with external users, including but not limited to tenants, caterers, business establishments, volunteer organizations, or event organizers that intend to use external payment card services, must also contact Treasury Management to request a review and approval. Use of the GW wired or wireless networks for accepting payment cards is strictly prohibited. Treasury Management and GW IT will work together to ensure the external payment card service is acceptable to the university.
Definitions
Cardholder Information: Any information pertaining to a credit or debit card, including but not limited to: card number, cardholder name, card verification (CVC, CVV, or CID) number, expiration date, personal identification number (PIN), password, etc. Credit or debit cards include but are not limited to those issued by Visa, Mastercard, Discover, Diners Club, and American Express. The GWorld Card is not a Payment Card.
Procedures
Related Information
- Deposit of Checks, Cash and Credit Card Receipts Policy
- Cybersecurity Risk Policy
- Privacy of Personal Information Policy
- Opening Bank Accounts Policy
- Records Management Policy
- Signing of Contracts and Agreements Policy
- Payment Card Industry Data Security Standard Council (PCI-DSS)
Contacts
Contact | Phone Number | Email Address |
---|---|---|
Treasury Management | 202-994-1721 | [email protected] |
Information Technology | 202-994-4948 | [email protected] |
Responsible University Official: Director of Treasury Operations
Responsible Office: Treasury Management
Origination Date: June 7, 2011
Last Material Change: December 2, 2019
More information describing university policies is outlined in the University Policy Principles.
Noncompliance with this policy can be reported through this website.