Payment Card Acceptance and Data Security Policy

Policy Summary

Credit and debit cardholder data is regulated information that must be appropriately secured. The university is required to be compliant with the Payment Card Industry Data Security Standards (PCI DSS), and is committed to providing a secure environment to protect against both loss and fraud related to cardholder data. This compliance includes securely processing, storing, transmitting, and disposing of credit and debit cardholder information. 

Related Regulations

The purpose of this policy is to promote protection of cardholder data in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). Failure to comply with the PCI-DSS standards may result in fines, loss of ability to process payment cards, and reputational damage to the university. 

Who is Governed by this Policy 

  • Students
  • Staff
  • Faculty
  • External entities that intend to use GW Technology Services

Policy

Cardholder data is designated as regulated data per the Data Classification and Protection Guide. University offices and members of the university community involved in processing payment card transactions are responsible for protecting such data, and for following the information security practices and policies set forth herein, including those referenced under the Related Information section below.

Treasury Management is responsible for issuing all payment card merchant accounts, for arranging GW-approved payment card acceptance services, and for approving payment card procedures. University offices may not collect, process, store, transmit or display payment card information, or procure merchant services that perform such actions, without advance approval from Treasury Management. This requirement applies to all payment card transactions, whether conducted in person, via telephone, fax, mail, internet, or through a university-approved third-party vendor on behalf of a unit.

University offices with a business need to process payment card transactions must contact Treasury Management in advance of accepting any payment to obtain a merchant identification account, training, and the appropriate GW-approved secure payment processing method(s). University offices approved to accept payment cards are subject to review(s) of compliance and must maintain compliance with PCI DSS, university policy, state and federal laws, contractual obligations, and rules of the university's banks and financial institutions at all times.

Any university office that manages or contracts with external users, including but not limited to tenants, caterers, business establishments, volunteer organizations, or event organizers that intend to use external payment card services, must also contact Treasury Management to request a review and approval.

Any confirmed or suspected compromise of cardholder data and/or the Cardholder Data Environment (CDE) must be immediately reported to the university by completing a Data Incident Form.

Definitions

Cardholder Information: Any information pertaining to a credit or debit card, including but not limited to: card number, cardholder name, card verification (CVC, CVV, or CID) number, expiration date, and personal identification number (PIN). Credit and debit cards include, but are not limited to, those issued by Visa, Mastercard, Discover, Diners Club, and American Express. The GWorld Card is not a Payment Card. 

Procedures

Forms 

Related Information

Contacts

Contact               Phone Number    Email Address
Treasury Management   202-994-1721    treasury@gwu.edu
GW IT                 202-994-4948    ithelp@gwu.edu

Responsible University Official: Assistant Vice President, Treasury and Risk Management
Responsible Office: Treasury Management

Origination Date: June 7, 2011
Last Material Change: December 2, 2019
Next Scheduled Review: 2027-2028 Academic Year

To provide feedback on this policy, please contact the Responsible Office(s) listed above or the Office of Ethics, Compliance, and Risk. More information describing university policies is outlined in the University Policy Principles.
Noncompliance with this policy can be reported through this website.