Synopsis:
E-Commerce privacy and security: Guidelines for University departments

Solution:
This policy applies to all Princeton University departments authorized to sell goods and services, and collect payments over the internet. Where practices diverge from these guidelines, the relevant department or unit should inform customers of the nature and extent of the differences.

Treatment of Customer Information
Princeton web sites, or web sites of the University's business partners, covered by this policy may request personal information from customers in order to complete a transaction, for example, a customer's name, phone number(s), physical address, shipping address (if different), email address, credit card number and expiration date. Other information may be collected at individual points of sale. This information must only be used to execute the immediate transaction, and will be provided to other parties only as necessary to complete their transaction. Princeton departments or groups must not provide any of customer personal information to third parties without the permission of the customer (except to conduct the transaction itself) and will not sell any personal information to third parties for purposes of marketing, advertising or promotion.

Network Security
Any computer transaction transmitted over the network that contains any piece of confidential information must be encrypted using the Secure Sockets Layer (SSL) network protocol with a key length of 128 bits or more. With 128-bit SSL, information passing between the browser and the Web site is encrypted or scrambled in a way that makes it extremely difficult for anyone who intercepts the information to read it. Examples of confidential information include:

• passwords
• social security numbers
• credit card numbers
• bank account numbers
• financial information
• drivers license numbers
• information protected by various pieces of legislation (e.g., FERPA, HIPAA, Gramm-Leach-Bliley)
• information deemed by its Information Guardian or by University policy to be confidential

Implementing SSL on a system requires that a digital certificate be obtained for each server on which an SSL-protected application resides, The procedure for obtaining digital certificates is described in the next section. Additionally, University departments or groups who accept credit card payments over the Internet should not store credit card information on any University server. Any deviations from this guideline must be approved by the University's information technology security officer and the Treasurer's Office.

For information on procuring a web server certificate, please see Solution 9700.

Current University Standard
Princeton University has selected two business partners to authenticate credit card payments: Verisign, and YourPay.com. Because of the pricing structure, Verisign makes sense if you will be processing a large volume (over 1000 transactions) per month while YourPay.com is more cost efficient if you are processing a smaller volume of transactions. Both partners are approved to work with PNC Bank who handles the Internet merchant processing.

There may be appropriate instances where University departments or groups need to deviate from the PNC/Verisign/YourPay.com standard. Prior to signing any agreement with a business partner both the University's information technology security officer and the Treasurer's Office must approve the agreement.