Baylor ITS provides several mechanisms for conducting eCommerce. Those systems are critical components of Baylor University's IT infrastructure: handling large numbers of transactions and large amounts of money. Baylor's eCommerce systems are selected, managed and implemented:
Baylor ITS commits to the following standards and procedures and will work to ensure the broadest application of these across the university. (Some of these statements may be redundant or overlap. However, they are included here so as to make clear Baylor ITS' intent.)
This guideline should not be construed such that every request for eCommerce can be met with Baylor's current systems. Because Baylor's eCommerce systems were selected and implemented to solve specific business challenges, it is possible that some requests or needs for eCommerce cannot be met with the current systems.
These guidelines will in no way diminish or reduce any other University policies or ITS guidelines. These guidelines should be viewed in light of and in addition to other University policies and ITS guidelines.
The movement of commerce to the Internet brings tremendous opportunities in terms of efficiency, geographic reach, and ease of use for both consumers and merchants. However, this move also brings a number of challenges and risks. The intent of these guidelines is to outline steps that will mitigate Baylor's risks with regard to eCommerce. These risks include the following:
(Note: While Baylor University is a non-profit corporation and enjoys certain exemptions for taxes, when Baylor acts as a merchant for the sale of many goods we are still required to collect and remit sales taxes. This is a complicated area of the law and accounting. Moving transactions to the Internet further complicates this situation for the university.)
As the title of this guideline indicates, the scope of this guideline is to address eCommerce (see definitions) where Baylor is the merchant. Although some of the principles from this guideline may apply, Point of Sale (see definitions) transactions are not covered in this guideline. Further, for the purposes of this guideline, authorizations for payroll deduction are not considered to be eCommerce.
eCommerce: Abbreviation for electronic commerce. A way of doing real-time business transactions via telecommunications networks, when the customer and the merchant are in different geographical places. For the purposes of this document eCommerce is specifically the payment component of the interaction. Further, eCommerce for the purpose of this document involves the use and transmission of information permitting the merchant to receive funds directly from a financial institution (bank account number, credit card number, etc.). Authorization for payroll deduction is not eCommerce for the purposes of this guideline.[1]
PCI DSS: Abbreviation for Payment Card Industry Data Security Standard. [PCI DSS are the] security procedures from the PCI Security Standards Council for merchants that accept credit cards online. It includes guidelines for user authentication, firewalls, antivirus, encryption, truncating account numbers, programming maintenance and vulnerability testing.[2]
PA-DSS: PA-DSS is the [PCI Security Standards] Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.[3]
SSL: Abbreviation for Secure Sockets Layer. [SSL is] the leading security protocol on the Internet. Developed by Netscape, SSL is widely used to do two things: to validate the identity of a Web site and to create an encrypted connection for sending [or transporting] credit card and other personal data.[4]
Point of Sale: Capturing data at the time and place of sale. Point of sale systems use computers or specialized terminals that are combined with cash registers, bar code readers, optical scanners and magnetic stripe readers for accurately and instantly capturing the transaction.[5]
Adopted July 2009.
[1] eCommerce definition is informed by and partially copied from the Telecom Glossary 2000 associated with the revisions to American National Standard T1.523-2001. (http://www.its.bldrdoc.gov/projects/devglossary/_e-commerce.html)
[2] PCI DSS definition is copied from the preamble to the PCI DSS entry in the PCMAG.COM online encyclopedia. (http://www.pcmag.com/encyclopedia_term/0,2542,t=PCI+DSS&i=59104,00.asp)
[3] PA-DSS definition is copied from the PCI Security Standards Council's web site. (https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml)
[4] SSL definition is copied from the preamble to the SSL entry in the PCMAG.COM online encyclopedia. (http://www.pcmag.com/encyclopedia_term/0,2542,t=SSL&i=51944,00.asp)
[5] Point of Sale definition is copied from the preamble to the PCMAG.COM online encyclopedia. (http://www.pcmag.com/encyclopedia_term/0,2542,t=point+of+sale&i=49444,00.asp)