University Policy

Payment Card Security

I. Scope:

This policy applies to all University staff, employees, students, organizations, contractors, affiliates, and individuals involved with the transmission, storage (electronic or physical), or processing of Payment Card data, including any entities or systems that can impact the security of that data. This includes all payment card activities conducted at any George Mason University campus or location.

II. Policy Statement:

This policy provides guidance to ensure the university complies with the Payment Card Industry Data Security Standard (PCI DSS) and to prevent unauthorized disclosure of customer account data. Failure to protect customer account data may result in financial loss, suspension of Payment Card processing privileges, fines, and damage to the university’s reputation. The University is committed to continuously protecting all Payment Card transactions and ensuring ongoing monitoring and risk mitigation across all systems involved in payment processing.

University entities may operate as merchants accepting Payment Card transactions for goods and services only after receiving approval from the Vice President for Finance or their designee.

All entities that accept or expect to accept Payment Card payments must do so strictly in accordance with this policy and in compliance with the PCI DSS.

Entities accepting Payment Cards must sign an agreement acknowledging their responsibilities, as well as their understanding of the security requirements (PCI DSS and institutional data security policies and standards) that must be followed. This agreement may be updated from time to time as requirements change. Failure to comply with the agreement’s requirements may result in the revocation of the entity’s authorization to accept card payments.

Entities must accept only Payment Card brands authorized by the Vice President for Finance or designee, and agree to operate in accordance with the contract(s) the university holds with its Acquiring Bank(s), Service Provider(s), and the Card Brands. This is to ensure that all transactions are in compliance with the PCI DSS, State and Federal Regulations, National Automated Clearing House Association (NACHA) rules, service provider contracts, and relevant policies regarding security and privacy.

Cardholder Data (CHD) must not be stored after authorization in physical or electronic form in any university facility or on any university system without specific approval by the Vice President for Finance or designee.

Cardholder Data received via end-user messaging technologies (e.g., e-mail, instant messaging, chat, etc.) must not be used to process payments. If CHD is received via messaging technology, the recipient of the CHD must follow approved procedures to respond to and securely destroy the Cardholder Data appropriately.

All equipment, software, and services used in any way for payment processing must be approved by the Vice President for Finance or designee.

All payments received must be directed into an approved bank account. The type and nature of the electronic transaction (e.g., ACH, Credit Card, Point of Purchase, wire, etc.) will dictate where the transaction will be deposited.

III. Definitions:

Cardholder Data (CHD): Personally identifiable data about the cardholder gathered as a direct result of a payment card transaction. At a minimum, it consists of the full primary account number (PAN). It may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code.

Payment Card: Refers to credit and/or debit cards.

IV. Compliance:

PCI DSS Compliance is an ongoing process, not a one-time event. The PCI DSS emphasizes “Business as Usual” (BAU) compliant processing, and performing continuous compliance activities in an ongoing manner 24 hours a day, 7 days a week, 365 days a year. Individuals found to have violated this policy, whether intentionally or unintentionally, may be subject to disciplinary action, up to and including termination. Violations of this policy, whether intentional or unintentional, could result in limitations on an entity’s payment card acceptance privileges.

The Vice President for Finance may terminate Payment Card collection privileges for any entity not in compliance with this policy.

V. Timetable for Review:

This policy, and any related procedures, shall be reviewed and revised, if necessary, annually.

VI. Amendments:

Amendments will be approved by the Senior Vice President and Chief Operating Officer and Provost and Executive Vice President.

VII. Dates:

This policy became effective on December 13, 2006.

Revised: January 9, 2013
Revision approved: June 9, 2016
Revision approved: June 24, 2019
Revision approved: March 10, 2026

Page last updated: March 23, 2026