E-commerce: Electronic Protection of Cardholder Information Policy
Effective Date: June 2008
Policy Statement
This policy defines the requirements for systems and technology that capture and store credit card information in support of e-commerce for the University.
Reason for the Policy
The University uses e-commerce to conduct business, and that business must adhere to the compulsory security standards and control requirements for protecting cardholders' information.
Primary Guidance to Which This Policy Responds
This policy responds to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requirements for enhancing payment account data security were developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the adoption of consistent, comprehensive, industry-wide compliance requirements.
Responsible University Office & Officer
The office of Columbia University Information Technology Security is responsible for the maintenance of this policy, and for responding to questions regarding this policy. The Chief Information Security Officer (CISO) is the responsible officer.
Revision History
This policy was established in March 2008.
Who is Governed by This Policy
This policy applies to all Columbia University departments using systems and technology that capture and store credit card information in support of e-commerce for the University.
Who Should Know This Policy
Individuals in the business and technology support units who are responsible for the business, systems, and technology that capture and store credit card information in support of e-commerce for the University should be familiar with this policy.
Exclusions & Special Situations
None
Policy Text
For the full policy text, please use the link in the right menu.
Responsible Office
CU Information Technology
Contact
security@columbia.edu
212-854-1919
http://www.columbia.edu/cuit/support