Policy Number: 12-027
E-Commerce Policy
Category: Information Technology
Responsible Executive: Vice President and Chief Information Officer
Responsible Office: Vice President and Chief Information Officer
Purpose
To define a governance model that will ensure the privacy and security of payment card data stored, processed, or transmitted by the University of Florida, together with the approach to the development, approval and maintenance of resulting payment card policies and standards.
Applicability
This policy covers all payment card usage for the entire UF enterprise, including the University of Florida and Direct Support Organizations (DSOs), as defined in the UF Annual Financial Report.
Definitions
Policy Statement
1) Terms of Use
All credit card usage at the University of Florida must be approved by Treasury Management (TM). New credit card merchant applications must be signed by a Manager, Dean or Department Head and approved by Treasury Management. Departments must have acceptable infrastructure and resources in place, such as:
- Must use banking institutions and accounting processes approved by applicable governing board
- Must agree to meet Payment Card Industry (PCI) defined requirements, as noted in the UF Directives and Procedures (storage, processing and transmission of card holder information)
- Must preserve the confidentiality of cardholder information
- Must have acceptable internal controls (i.e. timely reconciling, dual controls, etc.)
2) Credit Card Information Storage
It is permitted to store in paper format only the following elements of credit card information:
- The last four digits of the Primary Account Number (PAN)
- Cardholder’s name
- Expiration Date
The storage of this information in electronic format is only allowed if approved by Treasury Management, and the Primary Account Number must be rendered unreadable.
3) Processing Methods
Allowable processing methods are:
- Online payments (E-Commerce)
- Swiping machines (face-to-face, mail order/telephone order)
- Mobile devices
- Approved third party vendors – Any contract with a third party vendor must include the vendor’s obligation to provide an Attestation of Compliance on demand at all times.
4) PCI Standards and Audit/Monitoring Requirements
The University will establish a single Qualified Security Assessor (QSA) relationship for the entire UF enterprise. All UF merchants will use this relationship unless an alternative QSA is approved by Treasury Management. At minimum, UF units/departments accepting payment cards must submit an annual PCI Self-Assessment Questionnaire and are subject to audit/review. Applicable IP addresses are subject to vulnerability scanning, to be performed no less than quarterly as per the applicable PCI requirement. However, monthly scans are highly recommended.
5) Training
All UF enterprise employees, and student workers of entities defined in the scope of this policy, as well as personnel of third party vendors operating on university property who process, store or transmit credit card information must complete the appropriate on-line UFPCI training module at hire and annually.
Additional Resources
E-Commerce Policy (December 6, 2013)
History
Effective Date: 1/1/2014