E-Commerce and Credit Card Security Standards

The UTS Security Team offers security assessments for any web-based credit card application or service operated at Emory. The assessment reviews the risks and vulnerabilities of the application and provides suggestions for improving the security of credit card processing.

To request a security assessment for e-commerce, contact the Security Team at SecurityTeam-L@listserv.emory.edu.

In light of the recent security breaches at other higher education institutions, the Security Team recommends that:

* Credit card numbers should not be stored locally.
* Credit card numbers that are stored should be kept in encrypted form on a secured server.


E-Commerce Policy

All Emory divisions, departments, and centers that wish to accept electronic payment for financial transactions via the Internet (e-commerce) are required to process all sales transactions through the Web payment gateway (SurePay) implemented by the Finance Department. This gateway ensures that all data and personal information related to credit card sales passes through specific, approved hardware and software that meets all criteria specified by the Visa Cardholder Information Security Program. These requirements apply to all credit card transactions, not only Visa payments.

All departments making credit card sales must develop an interface to the SurePay gateway following the development standards specified by the Office of Finance and Administration.

Types of E-Commerce

Web display only: Under this type, departments selling approved goods and services create an individual Web site to display product and service information. However, ordering, transfer of payment, and shipping information are handled elsewhere, such as by phone or mail. Since the transfer of personal and financial information does not occur online via the Internet, the traditional methods for securing, safeguarding, and retaining personal and financial information on written records apply.

Email Transactions: Web sites developed by departments may display product and service information, and visitors have the option of submitting order information to the seller via email. This method is acceptable for exchanging quantitative information and for communicating an interest to purchase. Email must not be used to transfer confidential data such as credit card numbers, Social Security numbers, purchaser identification, or other sensitive information related to the purchaser.

Secured Restricted Gateway: This type combines a Web site, developed by the selling department to display products and services, with an electronic link to the SurePay Gateway software. This is the required method for all Emory e-commerce involving the acceptance of credit card payments via the Internet.


Business Plan Review and Approval Process for Proposed E-Commerce Applications

All proposed business plans involving credit card sales over the Internet for payment of goods and services must be reviewed by the Credit Card Team, which includes personnel from UTS Security, Finance, and the Controller's Office. This group reviews each proposal for its intended business purpose, consistency with the University's mission, and the selling department's ability to support an e-commerce activity.

Prior to development of an e-commerce application, including applications developed by outside contractors, the selling department must submit a business plan as noted above to initiate the committee review. The plan must include the following information:

* A description of the products or services to be sold
* The intended customer base
* The anticipated transaction volume per month and per year
* Any proposed outside advertising to be included on the departmental sales Web page (which must be consistent with Emory web standards and advertising guidelines)
* Approval by the responsible Center Head or Director, along with the name, phone number, and email address of a departmental representative whom the Credit Card Team can contact with technical, procedural, or financial questions that arise during the review

Following review and approval by the Credit Card Team, the University Cashier's Office will notify the requesting department of the approval, determine the appropriate accounts and revenue object codes to be credited with sale proceeds, and issue a unique merchant ID or E-Commerce profit center identifier for the selling department.

The Finance Department will contact IT representatives in the selling department to review the departmental interface to the SurePay Gateway and to ensure that credit card processors understand and adhere to the Cardholder Information Security Program (CISP) specified by Visa.

As of March 27, 2002 the major points of CISP include:

* Installation of a secure local firewall in the selling department
* A program to apply security patches regularly
* Immediate encryption of all stored data
* Encryption of data sent over the Internet
* Regularly updated anti-virus software
* Restricted access to business data
* Assignment of a unique ID to each user with access to the system
* Modification, where necessary, of vendor-provided system defaults
* Ability to track access to data by user ID
* Regular tests of internal security systems
* Maintenance of an internal technology security policy consistent with the Emory Information Technology Security Policy
* Restricted access to all cardholder data

More information can be found on the Visa USA Web site at: http://www.usa.visa.com/business/merchants/cisp_index.html


Changes to the Departmental E-Commerce Business Plan

Each department conducting e-commerce for credit card sales on the Internet must complete an annual self-review and report proposed changes to its approved Business Plan. Significant changes to the departmental Web site, the products or services to be sold, the intended customer base, the anticipated transaction volume, outside advertising, application software, or the departmental contacts responsible for the e-commerce business plan must be reviewed and approved by the Credit Card Team prior to implementation. Proposed changes should be routed to the Cashier's Office.


Business Processing Assistance

The Cashier's Office will assist departments engaged in credit card sales with the proper procedures for processing credit card transactions. Selling departments will be assessed the bank service fee on all credit card sales transactions. Bank service fees range between 2.0% and 3.0% per transaction, and these costs should be figured into the cost of departmental sales. In addition, departments are responsible for Georgia Sales and Use Tax where applicable. Questions on the applicability of Sales and Use Taxes and the related reporting requirements should be addressed to the University Tax Services group.


Enforcement

E-commerce Web servers not in compliance with this policy will be removed from service. Staff who manage non-compliant e-commerce Web servers, their supervisors, and unit administrators may be subject to penalties and disciplinary action, both within and outside the University. Violations will be handled through the University disciplinary procedures applicable to the relevant unit or employee.