Effective Date: June 2008
Updated: August 2009
This policy defines the requirements for systems and technologies that utilize, capture, and store credit card information in support of e-commerce for the University.
Reason for the Policy
The University uses e-commerce to conduct business which must adhere to the mandatory security standards and control requirements for protecting cardholders’ information.
Primary Guidance to Which This Policy Responds
This policy responds to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requirements for enhancing payment account data security were developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the adoption of consistent, comprehensive, industry-wide compliance requirements.
Responsible University Office & Officer
The office of Columbia University Information Technology Security is responsible for the maintenance of this policy, and for responding to questions regarding this policy. The Chief Information Security Officer (CISO) is the responsible officer.
This policy was established in March 2008. This policy was updated in August 2009 to include provision for web front-ends (i.e., website or webpage) using credit card information in support of e-commerce for the University.
Who is Governed by This Policy
This policy applies to individuals, schools, departments, centers, institutes, and programs (“University Departments”) that sell goods, services, information, or gifts and accept credit cards as a form of payment.
Who Should Know This Policy
Senior business officers; department administrators; all finance and administrative staff who accept credit cards as a form of payment; and all technical staff who support business units that accept credit cards as a form of payment.
Exclusions & Special Situations
For the full policy text, please see the link in the right-hand menu.