eCommerce Guidelines
Baylor ITS provides several mechanisms for conducting eCommerce. These systems are critical components of Baylor University's IT infrastructure, handling large numbers of transactions and large amounts of money. Baylor's eCommerce systems are selected, managed, and implemented:
- to solve specific business challenges, and
- to meet particular standards in terms of security and risk management.
Baylor ITS commits to the following standards and procedures and will work to ensure the broadest application of these across the university.
- Unless special provisions are made, Baylor ITS will only support eCommerce conducted on Baylor University's accounts. All merchant accounts will be under the control of Baylor University or University-owned related entities and managed by Baylor University Financial Services. Baylor ITS will not develop or support eCommerce for merchant accounts that belong to or are managed by a third party.
- All transmission of sensitive financial data (e.g. credit card numbers, bank account numbers, etc.) will utilize SSL in order to encrypt the data while in transit across networks.
- Baylor will comply with all PCI DSS standards in the course of conducting eCommerce.
- Baylor requires that third-party software be PA DSS compliant. Where Baylor writes or commissions software development, all software will be PA DSS compliant.
- Beyond PCI DSS and PA DSS, Baylor ITS is committed to an approach where the handling, processing, and storage of the data required to facilitate eCommerce (especially credit card and bank account numbers) will be handled by secured off-site third-party servers. This means that Baylor intends that credit card and bank account numbers never pass through any Baylor written programs or be stored (even temporarily) on Baylor-owned or controlled servers.
- Prior to enabling any eCommerce application (prior to processing any transactions), Baylor ITS will require clear notice from the Baylor Tax & Compliance Accounting office as to any requirement to collect sales tax. Further, Baylor ITS will rely upon the Tax & Compliance Accounting office to make any determination as to other tax implications of putting a transaction online.
- Baylor University is not a retail merchant. Therefore, Baylor ITS does not create or maintain systems that are typically used in support of retail eCommerce. The systems to ensure compliance with laws related to timing for acceptance of payment in relation to shipment of goods, sales tax collection, order fulfillment, shipping cost calculations, and more simply are not within the scope of Baylor ITS to support. Therefore, Baylor ITS will not support the sale of material goods (e.g. a t-shirt, a book or a DVD) via eCommerce when that sale will require shipping the product. Sales of materials that are for pickup on campus may in some cases be supported. The risks and challenges are simply too great.
- ITS will not endorse or support departments in contracting with third-party vendors for eCommerce solutions. Any attempt to use an external system must be cleared by General Counsel and Cashiers regardless of the volume/value of transactions involved.
This guideline should not be construed to mean that every request for eCommerce can be met with Baylor's current systems. Because Baylor's eCommerce systems were selected and implemented to solve specific business challenges, it is possible that some requests or needs for eCommerce cannot be met with the current systems.
These guidelines will in no way diminish or reduce any other University policies or ITS guidelines. These guidelines should be viewed in light of and in addition to other University policies and ITS guidelines.
Rationale for Guideline
The movement of commerce to the Internet brings tremendous opportunities in terms of efficiency, geographic reach, and ease of use for both consumers and merchants. However, this move also brings a number of challenges and risks. The intent of these guidelines is to outline steps that will mitigate Baylor's risks with regard to eCommerce. These risks include the following:
- Identity theft;
- Non-compliance with industry regulations (PCI DSS and PA DSS); and
- Non-compliance with local, state, or federal laws (including tax laws).
(Note: While Baylor University is a non-profit corporation and enjoys certain tax exemptions, when Baylor acts as a merchant for the sale of many goods we are still required to collect and remit sales taxes. This is a complicated area of law and accounting. Moving transactions to the Internet further complicates this situation for the university.)
Scope of Guideline
As the title of this guideline indicates, the scope of this guideline is to address eCommerce (see definitions) where Baylor is the merchant. Although some of the principles from this guideline may apply, Point of Sale (see definitions) transactions are not covered in this guideline. Further, for the purposes of this guideline, authorizations for payroll deduction are not considered to be eCommerce.
Definitions
eCommerce: Abbreviation for electronic commerce. eCommerce is the activity of buying or selling of products on online services or over the Internet. For the purposes of this document eCommerce is specifically the payment component of the interaction. Further, eCommerce for the purpose of this document involves the use and transmission of information permitting the merchant to receive funds directly from a financial institution (bank account number, credit card number, etc.). Authorization for payroll deduction is not eCommerce for the purposes of this guideline.[1]
PCI DSS: Abbreviation for Payment Card Industry Data Security Standard. [PCI DSS is the] framework developed by the PCI Security Standards Council for developing a payment card data security process that includes measures for security incident prevention, detection and reaction. PCI DSS is responsible for establishing a minimum set of requirements for protecting cardholder data.[2]
PA-DSS: PA-DSS is the [PCI Security Standards] Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.[3] Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data, in accordance with the PA DSS requirements document.[4]
SSL: Abbreviation for Secure Sockets Layer. SSL is a secure protocol developed for sending information securely over the Internet. Many websites use SSL for secure areas of their sites, such as user account pages and online checkout.[5]
Point of Sale: The point of sale, or POS, is the location in a merchant's establishment at which the sale is consummated by payment for goods or services received. It is also where many retailers offer their store's credit card applications to consumers.[6]
Adopted July 2009.
Modified May 13, 2019.
[1] eCommerce definition is copied from Wikipedia. ("E-Commerce." Wikipedia, Wikimedia Foundation, 2 May 2019, en.wikipedia.org/wiki/E-commerce.)
[2] PCI DSS definition is copied from the creditcards.com glossary. (https://www.creditcards.com/glossary/term-payment-card-industry-data-security-standard-pci-dss/)
[3] PA DSS definition is copied from the PCI Security Standards Council's web site. (https://docs-prv.pcisecuritystandards.org/PA-DSS/Standard/PA-DSS_v3-2.pdf)
[4] The PA DSS requirements document. (https://www.pcisecuritystandards.org/documents/PA-DSS_v3.pdf)
[5] SSL definition is copied from techterms.com. (https://techterms.com/definition/ssl)
[6] Point of Sale definition is copied from the preamble to the PCMAG.COM online encyclopedia. (https://www.creditcards.com/glossary/term-point-of-sale-pos/)