E-Commerce

Cardholder Data Collection & Processing Procedures

Last modified 4/17/2024

The University collects cardholder data for the exclusive purpose of processing card transactions, and procedures must be followed for the collection, processing, and disposal of cardholder data. For information on cardholder data retention, see the cardholder data retention procedures.

E-Commerce Sites

Cardholder data may be collected on payment processor capture pages, such as TouchNet, as part of an E-Commerce payment flow. University websites may redirect to E-Commerce Committee-sanctioned payment card capture pages and must be PCI-compliant. Vendor websites may redirect to E-Commerce Committee-sanctioned payment card capture pages or to a vendor-managed payment card capture page; vendor websites used for these purposes must be PCI-compliant.

University employees must only enter cardholder data into virtual terminals (PCI-compliant laptops and desktops) that are labeled for payment card use. Payment card virtual terminals shall only be networked to the University Payment Card (PCI) network while being utilized to collect cardholder data. The University does not provide non-employees with virtual terminals for the purpose of cardholder data collection or processing.

Payment card virtual terminals and their Sophos RED network devices must be physically secured when unattended by a University employee. Recommended methods for physically securing terminals include storage inside of a locked container or inside of a locked room.

Visit E-Commerce Contracts for details on procuring new E-Commerce vendors.

Visit the TouchNet Payment Gateway for requesting or utilizing TouchNet.

Payment Card Terminals

Cardholder data may be collected via payment card terminals supplied by Payment Card Support. Terminals may be networked using cellular towers, or Ethernet over the University Payment Card network. Transactions occurring on credit card terminals use an encrypted connection directly to the payment processor.

Payment card terminals shall only be used by University employees. Payment cards must be used by the person to whom the card is issued and must be signed. The allowed collection types in order of preference are NFC (contact-less), EMV chip (dip), magnetic stripe (swipe), and manual entry (card-not-present).

Payment card terminals and their Sophos RED network devices (if present) must be physically secured when unattended by a University employee. Recommended methods for physically securing terminals include storage inside of a locked container or inside of a locked room.

Requesting a Terminal

Other Allowed Collection Methods

University departments and personnel must accept cardholder data using one of the following E-Commerce Committee-approved procedures:

  • Physical media:
    • Mail
  • University-owned analog phones
  • University-owned cellular phones
  • JetPay/NCR Voyix-provided payment card terminals
  • Payment card laptops or desktops when using a payment card capture page:
    • TouchNet

University departments and personnel must use a payment card laptop, desktop, or terminal to process cardholder data collected through physical media or phones.

Disallowed Collection and Processing Channels

University departments and personnel must not collect, transmit, store, or process cardholder data using any of the following methods:

  • Email
  • SMS (texting)
  • Ethernet or Wi-Fi-connected phones:
    • University Cisco phone system
  • Digital storage:
    • Flash drives, hard drives, or cell phones
  • Instant messaging technologies:
    • Teams, Jabber, Slack, or Facebook Messenger
  • Any allowed methods without following proper procedures
  • A non-employee user entering cardholder data on an employee's computer
  • Ethernet-connected fax machines or network-connected virtual fax services:
    • RightFax
  • Any unencrypted service that is not explicitly allowed by the E-Commerce Committee
  • An employee entering cardholder data on a University-managed or -contracted website if the site is intended for University customers
  • Payment gateways, processors, or websites not approved by the E-Commerce Committee, including but not limited to:
    • Square, Venmo, or PayPal

Physical Media Security

If circumstances require ISU departments or personnel to possess cardholder data on physical media, such as paper, the following rules apply to the collection, processing, and storage of physical media containing cardholder data:

  • Cardholder data on physical media must not be left unattended, such as on a desk
  • Unattended physical cardholder data must be secured in a locked room or container
  • Physical media containing cardholder data must be stored separately from other media so that cardholder data can be easily identified, protected, and destroyed
  • Physical cardholder data must not be moved off-campus unless it is supervised and kept in a secure container
  • Cardholder data must not be distributed to personnel without a business need to see or use such data