Procedures are in the process of being updated.
E-commerce standards and procedures
The Internet is continuing to change the way business is conducted between the University of Waterloo and its customers. The University's customer services, and the internal Finance and information technology departmental support infrastructure behind them, are adapting to this changing environment. The most common recent request is to accept credit card payments over the Web. The following guidelines highlight the most critical issue in providing this service, i.e. ensuring that the trusted relationship between Waterloo and its customers is conducted in the most secure, confidential and reliable manner possible.
E-commerce site standards
Web sites that offer electronic payment for goods and services must be developed and maintained using procedures identified by Information Systems and Technology and Finance.
- All electronic commerce sites must comply with the Payment Card Industry Data Security Standard (PCI DSS).
- Electronic commerce sites must have mechanisms to ensure that information transmitted and stored electronically is protected from unauthorized access.
- Departments that provide electronic commerce sites may be subject to an external security audit at the expense of the department.
- Departments that provide electronic commerce sites may be subject to an internal audit of business and technical processes.
- All University of Waterloo faculties, departments, and centres that wish to accept electronic payment for financial transactions via the Internet are required to process all sales transactions through the Finance-approved e-commerce credit card processing service. Departments must not enter into separate banking or payment processing arrangements.
- Departments that provide electronic commerce sites or use other services of the Finance-approved e-commerce credit card processing service are responsible for payment of all setup, transaction, and other fees.
- All e-commerce sites must comply with the terms and conditions outlined in the applicable merchant account and credit card processing service provider agreement(s).
- Credit card information must be securely transmitted, stored and managed. Credit card information must travel in an encrypted format rather than in clear text, as it would in e-mail or a plain HTML form.
- Departments are responsible for retaining transaction records for audit purposes for a period of seven years.
- Departments are responsible for safeguarding the confidentiality of sensitive data relating to the sale or purchase of goods and services. Information gathered about purchasers must be maintained in a secure manner and restricted to individuals who have a valid reason to know. Departments must comply with information privacy legislation and with University policies on information privacy.
- Information gathered about customers must only be used for the purpose for which it was given, as per the University of Waterloo's privacy guidelines.
- E-commerce activities must adhere to all existing policies, procedures, and guidelines. The following is a list of relevant documents:
  - University of Waterloo Statement on Electronic Commerce
  - The Personal Information Protection and Electronic Documents Act
  - University of Waterloo Protection of Privacy and Freedom of Information Guidelines
  - Statement on Use of University of Waterloo Computing and Network Resources
  - IST Information Security Policy and Standards
  - University of Waterloo Policy 17 regarding Quotation and Tenders
  - Statement on security of University of Waterloo computing and network resources
  - Policy 73 Intellectual Property Rights
  - Policy 15 -- Bookings - Use and Reservation of University Facilities for Activities Not Regularly Timetabled - Section IX Sale of Merchandise and Services
E-commerce Web servers not in compliance with this policy will be removed from service. Staff who manage non-compliant e-commerce Web servers, their supervisors, and unit administrators may be subject to penalties and disciplinary action, both within and outside the University. Violations will be handled through the University disciplinary procedures applicable to the relevant unit or employee.