e-Commerce

Approved by:                   Northeastern State University Executive Cabinet
Responsible Official:         Business Affairs
     (918) 444-2160
History:                         Adopted – July 25, 2017
Related Policies:                 Departmental Depositing of Cash, Checks and Currency
PCI Compliance
Additional References:    PCI Security Standards Council
Forms:

POLICY

PURPOSE

The policy establishes guidelines for Northeastern State University’s e-Commerce. 

DISCLOSURE STATEMENT

  1. Following NSU Policies and Procedures, Oklahoma laws and applicable federal laws, NSU strives to protect personal privacy and the confidentiality of information. Departments engaging in e-Commerce are responsible for safeguarding confidential information used in the processing of e-Commerce activity. 
  2. Cardholder information can never be transmitted across a network unsecured. Secure Socket Layer [SSL] is the minimum security measure required to transmit cardholder data. Emailing unencrypted credit card numbers is never acceptable. 
  3. Special considerations and additional security requirements from a Payment Card Industry Data Security Standards (PCI DSS) standpoint are necessary when connecting to a wireless network for e-Commerce activities. For these reasons, Northeastern State University has not authorized the use of any wireless network for e-Commerce activities. 
  4. The major regulatory body associated with credit card transactions is the PCI Security Standards Council (www.pcisecuritystandards.org) and promulgates the rules and regulations NSU adheres to in the credit card environment. (move this earlier in the list since it explains PCI).

SPECIAL WORDING

e-Commerce: Business transactions over electronic means including the internet and other means for  electronic interactions such as automated phone banks, touch screen kiosks, or even ATMs. Transactions can include debit/credit cards as well as electronic transfer of funds via ACH. Payment Card Industry Data 

Security Standard [PCI DSS]: A consolidated standard from the major credit card issuers detailing merchant requirements when accepting credit/debit cards; including Visa, MasterCard, American Express, Discover, and JCB. The requirements include network, security (physical/logical), and monitoring components, among others. 

Cardholder Data: Cardholder data  include personally identifiable information associated with a user of a credit/debit. Primary account number [PAN], name, expiration date, and card verification value 2 [CVV2] are included in this definition.

POLICY 

  1. Any e-Commerce associated with Northeastern State University must have a basis in University mission. Unrelated e-Commerce activity cannot utilize the University network or associated systems. 
  2. Any transaction, system, application, or process associated with e-Commerce (including credit/debit card transactions) will be performed in compliance with the PCI DSS, NSU standards and procedures for e-Commerce, and ongoing approval of the Bursar Services. 
  3. E-Commerce activity will be performed within the centralized solution provided by Northeastern State University administration unless a written exception is granted by the Bursar services. 
  4. Bursar Services has oversight responsibility for institutional provisions that define e-Commerce, e-Commerce standards and procedures, and enforcement of Payment Card Industry Data Security Standards at Northeastern State University. 
  5. This policy applies to all University departments, employees, approved vendors, consultants, and other persons associated with the University wishing to conduct e-Commerce via any and all media and delivery mechanisms. 
  6. Individual units within the University may define 'conditions of use' for information resources under their control. These statements must be consistent with this overall policy, but may provide additional detail, guidelines, and/or restrictions. Such policies may not relax or subtract from this policy. Where such 'conditions of use' exist, enforcement mechanisms defined therein shall apply. These additional policies  are subject to review and approval by the Bursar Services.  
  7. Failure to comply with this policy may have the following consequences: 
a. Revocation of credit card acceptance for the affected unit. 
b. Fines assessed to NSU will be the responsibility of the branch or department that incurs the fine.
c. Legal action by injured parties. 

d. Prosecution for criminal violations.

PROCEDURE(S)

INFORMATION COLLECTED

For the purposes of this policy ‘information’ refers to information related to eCommerce.

The University collects user information  through NSU websites and services. Two general types of information are collected, namely personal information and aggregate data. 

Personal Information - As used in this policy, the term “personal information” means information that specifically identifies an individual (such as a name and email address), demographic, and other information directly linked to an individual.

Aggregate data - Aggregate data is information from which individual user identities have been removed and data has been summarized . In other words, no personal information is included in aggregate data. NSU may share aggregate data about users with third parties for various purposes, including to help NSU better understand our customer needs and improve our services and for advertising and marketing purposes.

The following are the specific types of information NSU collects from users:  

Information from Users. The University collects information from users on our website and when users register for and use our services. Examples include the following:

Registration and Profile Information. When users register for eCommerce for NSU services or update their profile, the University may collect various kinds of information about users including name, email address, other profile information provided and demographic information.

Payment Information. If  users choose to make an online payment to their NSU account, NSU’s payment processing vendor collects credit card information or ACH information and a billing address.

Automatically Collected Information. NSU automatically receives certain types of information when a users interact- with University web pages, services and communications. For example, it is standard for a web browser to automatically send information to all websites users visit, including the University’s. Transmitted information includes IP addresses, access times, browser type and language, and referring website addresses. NSU may also collect information about the operating system used, account activity, and files and pages accessed or used. 

Cookies. The University may also use certain kinds of technology such as cookies to collect information. Among other things, the use of cookies enables us to improve our websites and emails by seeing which areas and features are most popular, to count the number of computers accessing the Website, to personalize and improve user experiences, to record user preferences, and to allow users to visit our website without re-entering their member ID and/or password. A cookie is a small amount of data which is sent to the browser from a website’s computers and stored on the computer’s hard drive. Most browsers automatically accept cookies as the default setting. Users can modify browser settings to reject NSU cookies or to prompt you before accepting a cookie by editing browser options. However, if a browser is set to not accept cookies or if a user rejects a cookie, some portions of the website and services may not function properly. For example, a user may not be able to sign in and access certain Web page features or services.

USE OF PERSONAL INFORMATION (ECOMMERCE)

In general, NSU uses personal information to process requests or transactions, to provide information or services requested, to inform about other information, to facilitate the use of, and administration and operation of, the website and services and to otherwise serve NSU users. For example, we may use personal information:

  • to request feedback and to enable us to develop, customize and improve the Website and services
  • to contact users 
  • for other purposes about which we notify users 

SHARING OF PERSONAL INFORMATION (ECOMMERCE)

NSU reserves the right to share aggregated demographic information about our customers, payments, and traffic. NSU will not give, sell, rent, share, or trade any personal information or any data that is stored using our services to any third party except as outlined in this Policy or with consent. We may disclose information to a third party to (a) comply with laws or respond to lawful requests and legal process, (b) protect NSU, agents, customers, and others including to enforce our agreements, policies and terms of use or (c) in the good faith belief that disclosure is needed to respond to an emergency or protect the personal safety of any person.

NETWORK AND INFORMATION SECURITY

NSU uses commercially reasonable efforts to maintain the security of your personal information. All identifier and transactional information collected by our third party servicer are stored on a secure server. Any sensitive information is encrypted. Your private account information is stored on a server that is protected both physically and electronically.

Our third party servicer servers are NOT directly connected to the Internet. They sit behind a firewall, which is designed to make private financial information available only to messages from authorized computers.

When a user communicates with our third party servicer through a computer's Web browser, Secure Sockets Layer (SSL) automatically protects the interactions. Before logging into the third party servicer site, a server checks to make sure an approved browser is being used. NSU’s third party servicer only supports browsers that use SSL 3.0 or higher.

Every payment transaction is assigned a unique receipt number, which is used by NSU, our third party servicer and the user, for reconciliation and tracking purposes. Each transaction is also tracked by NSU’s identifier and the date/time of the transaction.

UPDATING AND ACCESSING PERSONAL INFORMATION (ECOMMERCE)

If personal information changes in any way, NSU invites the user to correct or update that information as soon as possible. Updates to profile information may be made by logging into your account at any time.