Type of Policy: Administrative
Effective Date:
Last Revised:
Review Date:
Policy Owner: Georgia Tech CyberSecurity
Contact Name: John Karrh
Contact Title: Governance Risk & Compliance Manager
Contact Email: johnkarrh@gatech.edu
Reason for Policy

This policy provides requirements and guidance for all credit card processing activities for the Georgia Institute of Technology (Georgia Tech).  This policy preempts all other campus policies and procedures for all elements within the scope of this policy.

Policy Statement

This approval process applies to all merchant credit card processing activities at Georgia Tech:

The Associate Vice President of Financial Services (or delegate) must approve all credit card processing activities at Georgia Tech prior to entering into any such contracts or purchasing equipment. 

This requirement applies regardless of the transaction method used (e.g. online processing at Georgia Tech, outsourced to a third party, swipe terminals).

All technology implementation associated with the credit card processing must be approved by the Vice President of Information Technology (or delegate) prior to entering into any contracts or purchasing equipment. 

Storage of cardholder data on Georgia Tech systems is not allowed.

All environments that process or transmit cardholder data are contractually obligated to and must comply fully with the Payment Card Industry Data Security Standards (PCI DSS).  All units that process or transmit cardholder data must undergo an initial and annual PCI DSS compliance assessment by Georgia Tech Cyber Security.  Any items of non-compliance found during the assessment must be remediated before processing of credit cards is allowed to resume.

The use of non-traditional credit card-type merchant services (such as Square, PayPal, etc.) and supporting technology for Georgia Tech business is not allowed without prior approval by the Associate Vice President of Financial Services and the Vice President of Information Technology (or their delegates).

Violations of this policy should be reported through the Ethics Point process.

Scope

The scope of this policy includes all credit card merchant activity at Georgia Tech.  All environments, units, technologies, and people associated with Georgia Tech merchant IDs and/or that support credit card merchant activity at Georgia Tech must abide by this policy. 

This policy does not apply to non-credit card financial tools (such as Buzzcards). 

This policy does not apply to end-user use of credit cards, including procurement cards (PCards), or any other such instance where Georgia Tech is not acting in a merchant capacity and/or supporting merchant activity.

Procedures

The following are procedures to be followed prior to accepting credit cards in a merchant capacity at Georgia Tech:

  • Document the business need for accepting credit card transactions in that particular unit, method, or location.
  • Meet with Financial Services for justification and approval of the business case.
  • Meet with Cyber Security to evaluate options and costs for implementation (using existing facilities, implementing separate facilities, or outsourcing transaction processing).
  • Meet with the Vice President of Information Technology or designee for technical approval of implementation.
  • Meet with Georgia Tech Legal Affairs to ensure that all contracts meet federal, state, and contractual requirements.
  • Meet with Cyber Security on an annual basis to re-affirm PCI DSS compliance.

Policy History

Revision Date    Author            Description
10-02-2018       Cyber Security    Simplified and aligned policy with current regulatory environment.