Reviewed by UEC May 4/2005; Effective May 4/2005
Approval Authority: Vice-President Finance and Administration
Signature: Gary Brewer
Description: Specifies the requirement for authority for engaging in eCommerce and the responsibilities and administrative processes related to eCommerce applications on York University web sites.
The Internet has changed the way business is conducted between the University and its customers. Because of the complications and obligations which arise doing business on the Internet, the University must authorize the use of the Internet for the University’s business. The Finance Department (through Treasury) and Computing and Network Services (CNS) (through Information Security) will approve and co-ordinate all electronic transactions carried out over the Internet in the normal course of University business. Units carrying on eCommerce will follow the guidelines and procedures set out herein.
Electronic Commerce (eCommerce) — the electronic transmission, processing and storage of financial transactions through an appointed financial institution.
Financial transactions — includes but is not limited to sales, refunds, acceptance of payments, settlement of financial transactions and internal distribution connected with those activities.
Financial Costs — include but are not limited to merchant discount rates and eCommerce transaction charges.
Credit cards — include VISA, MASTERCARD, and AMEX unless otherwise agreed or specified.
Scope of the guidelines and procedures
The guidelines and procedures apply to all eCommerce applications carried out by University employees, or agents in the ordinary course of University business.
Authorization and implementation of eCommerce activity
All use of eCommerce transactions for the ordinary course of University business must be pre-authorized by Treasury who will establish the necessary banking relationships for the University.
CNS Information Security shall serve as a central point of contact for overseeing the implementation of all University eCommerce applications.
The Finance Department and CNS shall reserve the right to review Web content at any time.
Eligible E-Commerce Users
Unless specifically given authority to do so, only authorized revenue collection operations of the University shall be authorized to conduct financial transactions through the Internet.
Guiding Principles of E-Commerce by the University
1. All customer information collected or stored by the University’s systems shall comply with applicable Federal and/or Provincial privacy legislation and University policy on Access to Information and Protection of Privacy.
2. The University will not use or retain confidential information and/or personal data for purposes other than is required for the authorized transaction.
3. To protect the confidentiality of credit card information, E-commerce transactions shall be limited to authorized applications configured in secure web sites. The transmission of credit card information data by e-mail is not permitted.
Responsibility of the Faculty, Department or Operating Unit
The Faculty or comparable operating unit (the unit) which conducts eCommerce shall be responsible for providing effective support for all facets of the eCommerce application and for related costs, which costs shall include, but not be limited to: fees for credit card transactions (merchant discount fee and eCommerce transaction fee), hosting services, equipment costs, CNS support, and Treasury reconciliation activities.
Responsibility of Treasury
- review requests for an eCommerce application
- authorize or decline to authorize any such request on the basis of a cost/ benefit analysis,
- make related banking or financial transaction arrangements for authorized applications.
- provide guidelines and instructions to users for recording eCommerce transactions in the University’s Financial System.
Responsibility of CNS Information Security
Information Security shall:
- review all systems proposed to host eCommerce sites
- suitably configure sites and provide security features to ensure authorized access.
- establish acceptable security standards for eCommerce data, including methods of transmission and guidelines for retention.
Procedure for eCommerce Applications
1. The Faculty or comparable operating unit will prepare a request to Treasury supported by a business case for the eCommerce application, including technical requirements, budget, administrative impact, and any other relevant information.
2. Treasury will review the request, make a decision, and convey the decision whether to authorize the application or not authorize it, to the applicant unit. If the decision is to not authorize the request, reasons will be given.
3. Upon authorization, the applicant unit will contact CNS Information Security to discuss implementation of the eCommerce application on the Web.
4. Information Security will work with the unit to ensure that the host systems are configured to ensure only authorized access and that a plan is in place to maintain the system security.
5. The Web/system development, configuration and maintenance will be performed by the unit’s appropriate computing/technical support group.
6. Once designed and configured, and prior to implementation, the eCommerce site, its configuration and operational details will be reviewed by CNS Information Security, Treasury and the Department of Internal Audit.
7. Once in operation, the configuration and maintenance of the eCommerce site and related systems shall be subject to ongoing monitoring by CNS Information Security, and to review for effectiveness by Treasury.
8. The unit shall retain and securely store transaction records for seven years for audit purposes, or for such longer time as is required by Treasury.