Payment Card Acceptance and Data Security

 

Policy Summary

Credit and debit cardholder data is regulated information that must be appropriately secured.  The university is required to be compliant with the Payment Card Industry (PCI) Data Security Standards, and is committed to providing a secure environment to protect against both loss and fraud related to cardholder information. This compliance includes securely processing, storing, transmitting and disposing of credit card and debit cardholder information.

Related Regulations

The purpose of this policy is to promote protection of cardholder data in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).  Failure to comply with the PCI-DSS standards may result in fines, loss of ability to process payment cards, and reputational damage to the university. 

Who is Governed by this Policy 

  • Students
  • Staff
  • Faculty
  • External entities that intend to use GW Technology Services

Policy

Cardholder data is designated as regulated data per the Information Security Policy.  University offices and members of the university community involved in processing payment card transactions are responsible for protecting such data, and for following the information security practices and policies set forth herein, including those referenced under the Related Information section below.  Treasury Management is responsible for issuing all credit card merchant identification accounts, for arranging GW-approved payment card acceptance services, and for approving payment card procedures.

University offices may not collect, process, store, transmit or display payment card information without advance approval from Treasury Management.  This requirement applies to all payment card transactions whether conducted in person, via telephone, fax, mail, internet, or through a university-approved third-party vendor on behalf of a unit.  University offices with a business need to process payment card transactions must contact Treasury Management in advance of accepting any payment to obtain a merchant identification account, training, and the appropriate GW-approved secure payment processing method(s).

Any university office that manages or contracts with external users, including but not limited to tenants, caterers, business establishments, volunteer organizations, or event organizers that intend to use external payment card services, must also contact Treasury Management to request a review and approval.  Use of the GW wired or wireless networks for accepting payment cards is strictly prohibited.  Treasury Management and GW IT will work together to ensure the external payment card service is acceptable to the university.

Definitions

Cardholder Information: Any information pertaining to a credit or debit card, including but not limited to: card number, cardholder name, card verification (CVC, CVV, or CID) number, expiration date, personal identification number (PIN), password, etc. Credit or debit cards include but are not limited to those issued by Visa, Mastercard, Discover, Diners Club, and American Express.  The GWorld Card is not a Payment Card.

Procedures

GW Payment Card Acceptance and Data Security Standards

Related Information

Deposit of Checks, Cash and Credit Card Receipts Policy 

Gift Processing Policy 

Information Security Policy 

Opening Bank Accounts Policy 

Records Management Policy 

Signing of Contracts and Agreements Policy 

Payment Card Industry Data Security Standard Council (PCI-DSS) 

Contacts

Contact                   Phone Number    Email Address
Treasury Management       571-553-4216    [email protected]
Information Technology    202-994-4948    [email protected]

Responsible University Official: Vice President, Finance and Treasurer
Responsible Office: Treasury Management

Last Reviewed: December 2, 2019

 

Non-compliance with this policy can be reported through this website.