PCI Compliance - The College at Brockport Payment Card Policy

Main Page Content

Purpose

The purpose of this policy is to help assure that The College at Brockport is:

  1. Acting as good stewards of personal information entrusted to it by its constituents
  2. Making ongoing efforts to protect the privacy of its constituents
  3. Complying with Payment Card Industry Data Security Standards
  4. Minimizing the potential for a security breach resulting from unauthorized and inappropriate use of cardholder information.

Policy

The College prohibits employees, including student workers, from processing any credit card transactions on behalf of customers using the Brockport IT network (both wired and wireless connections). This restriction also applies to all 3rd party organizations, vendors, and service providers operating on the College at Brockport campus. Credit card transactions on behalf of customers using any College-issued workstations (desktop, laptop, tablet, mobile device) are prohibited.

The approved mechanisms for college departments that need to process credit card transactions electronically are:

  • Enable patrons to use Self-Service options so department is not processing credit card transactions on their behalf:
    • Utilize the College's payment gateway (NelNet) where appropriate
    • Utilize an alternate PCI-compliant payment gateway that doesn't utilize the campus network and is approved by the Payment Card Oversight Committee
    • Utilize a Payment Card Oversight Committee authorized POS device that connects to the College's traditional phone lines or over an authorized cellular network

Faculty, staff, students, and visitors should use College workstations and the IT network only for purposes approved by The College at Brockport. Unless specifically noted, the transmission of an individual's personal information including credit card information for non-business reasons using College workstations is done at the user's own risk.

  • Compliance with the Payment Card Industry Data Security Standards (PCI DSS) is required of all College at Brockport employees and departments that accept, process, transmit, or store payment cardholder information.
  • Only College at Brockport employees, including student workers, who are properly trained may accept and/or access cardholder information, devices, or systems which store or access cardholder information.
  • Only PCI DSS compliant equipment, systems, and methods may be utilized to process, transmit, and/or store cardholder information. Similarly, all 3rd party vendors utilized by the College must provide evidence of annual PCI compliance both prior to entering into a contract, and on an annual basis thereafter.
  • Each College at Brockport employee, including student workers, with access to cardholder information is responsible for protecting that information in accordance with PCI DSS and College policy and procedures.
  • The events and circumstances of a suspected security breach which could negatively affect cardholder information or the College's compliance with PCI DSS must be immediately reported and investigated in accordance with College policy.
  • Vendors and service providers operating on the College at Brockport campus that accept credit cards must execute a contract addendum affirming evidence of their annual compliance with PCI DSS. Non-College at Brockport employees who are acting on the College at Brockport's behalf must comply with PCI DSS, and provide annual evidence therein.

Because of the substantial penalties and fines that can be levied against the College at Brockport, as well as the ethical obligation of the College to protect customer information, PCI compliance is of the utmost importance. Please refer to the PCI website, http://www.brockport.edu/support/information_security/pci/, for PCI contact and other information.

Last Reviewed: 11/2019

Last Reviewed by: PCI Oversight Committee

Last Updated 7/1/20

Close mobile navigation