Policy Steward: 
Director of Business Services
Format Updated: 
University Policy & Standards Converted: 
Revision Date: 
Thursday, March 30, 2017

This information replaces FIS 104 e-Commerce




This policy and additional supporting documents provide the requirements for processing, transmission, storage, and disposal of cardholder data for payment card transactions in order to reduce the institutional risk associated with the administration of credit card payments by University departments and to ensure proper internal control and compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The Oregon State University e-Commerce Policy applies to all faculty, staff, students, organizations, third-party vendors, individuals, systems, and networks involved with payment card handling. This includes transmission, storage, and/or processing of credit card numbers, in any form (electronic or paper), on behalf of Oregon State University. For purposes of this policy, electronic commerce includes all business transactions accomplished using an electronic medium.

Failure to comply with this policy and supporting documents will result in the loss of payment card processing privileges.


The OSU Vice President for Finance and Administration or designee has authority for administering this policy.


It is the policy of Oregon State University to allow acceptance of payment cards as a form of payment for goods and services upon written approval from the Assistant Vice President and Controller of Business Affairs or designee. Oregon State University requires all departments that accept payment cards to do so only in compliance with credit card industry standards and in accordance with the procedures outlined in this policy and other supporting documents.

In all endeavors, the University shall protect and preserve the assets of the state, the integrity of the data, financial and confidential information about the customer, and customer trust and confidence in using electronic commerce. It is important that OSU entities processing credit card or electronic check payments take measures to safeguard sensitive customer information including credit card numbers. Failure to comply with Payment Card Industry (PCI) Data Security Standards (DSS) may result in financial loss, fines, suspension of credit card processing privileges, and/or damage to the reputation of the University.

In addition:

  • Departments will utilize e-commerce solutions that are Payment Card Industry (PCI) and National Automated Clearinghouse Association (NACHA) compliant.
  • All service providers and third party vendors that provide payment card servces must be PCI-DSS compliant.
  • In accordance with Oregon State Treasury Third Party Vendor Requirements, all third party payment card vendors must be approved in advance by Oregon State Treasury (OST).
  • A Merchant Manager for each Merchant ID must be designated by the department/unit. See Roles and Responsibilities for description of Merchant Manager duties.
  • All merchants must comply with Payment Card Industry (PCI) Data Security Standards (DSS) requirements at all times. All merchants will continuously monitor and enforce the use of controls specified in the PCI Data Security Standard (PCI DSS).
  • Any fees associated with the acceptance of payment cards will be charged to the merchant.
  • Adhere to appropriate accounting standards as established by the Vice President for Finance and Administration.
  • All employees involved in processing payment card transactions will be trained before processing transactions.

In the event of a breach in Credit Card Security follow the protocol for Credit Card Security Incident Response Procedures.

Procedures and Other Supporting Documents

e-Commerce at OSU

Payment Card Procedures