1.01
Oklahoma State University views electronic commerce as an additional outlet for contact with future alumni, faculty, staff, and the public. OSU encourages Colleges and auxiliary departments to utilize electronic commerce as a component of current business functions and interactions.

1.02
The use of bankcards, commonly referred to as credit cards or debit cards, is a common and widely accepted practice of conducting payment transactions. Oklahoma State University allows and encourages departments within the university to establish themselves as credit card merchants to more fully participate in e-commerce at OSU.

1.03
For purposes of this policy, electronic commerce includes all business transactions accomplished using an electronic medium, excepting business-to-business e-commerce typically referred to as Electronic Data Interchange (EDI).

2.01
Oklahoma State University embraces the use of technology assisted commerce and believes that innovative processes related to electronic commerce are an important part of customer service.

2.02
It is imperative that the University establish a protocol for the e-commerce process. This will include (but is not limited to) setting up an electronic storefront, developing security processes and checklists, implementing customer privacy policies, establishing merchant agreements, accepting credit card transactions, processing settlements, depositing receipts, conducting reconciliations, and paying of credit card fees.

2.03
The Office of the Vice President of Administration and Finance and the office of the CIO will have oversight responsibility for institutional provisions that define electronic commerce.

2.04
Oklahoma State University will abide by the following standards in developing, establishing, and operating electronic commerce programs:

1. Meet the University's FERPA requirements
2. Meet institutional requirements for processing funds
3. Meet the accounting requirements of the State of Oklahoma and Oklahoma State University inclusive of GAAP requirements, audit trails, and efficient reconciliations
4. Provide secure domains for the processing of electronic commerce.
5. Provide secure domains for sensitive information captured in the daily operation of electronic commerce.
6. Meet the University's requirements for World Wide Web publishing, internet applications, and portal compatibility.
7. Comply with all OSU-system IT security policies.
8. E-Commerce system will be delivered as OSU system resources.

3.01
This policy is applicable to all University departments wishing to conduct e-commerce via any and all media and delivery mechanisms.

3.02
Individual units within the University may define ‘conditions of use' for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines, and/or restrictions. Such policies may nor relax or subtract from this policy. Where such ‘conditions of use' exist, enforcement mechanisms defined therein shall apply. These additional policies will be subject to review and approval by the Office of the Vice President for Administration and Finance and the office of the CIO.

General requirements for electronic commerce

4.01
All e-commerce applications should comply with the following requirements:

1. Secure websites to comply with University requirements.
2. Restrict non-university advertising to applications which are approved by the Office of the Vice President for Administration and Finance and the office of the CIO.
3. Appropriate archiving and record retention.
4. Any third-party to establish financial bond for insurance purposes
5. OSU will not hold the third-party harmless for damages
6. Open books to OSU auditors
7. Adherence to all of OSU's current policies and procedures.
8. Development of an internal control policy regarding the protection of the data associated with the electronic commerce application.

4.02
Developing process and adherence to University policy.

1. Departments that wish to participate in electronic commerce must protect the University, the data of the University, and confidential and financial information of the customer.
2. Adequate internal controls appropriate to electronic commerce must be established and adhered to as with any other process already established at Oklahoma State University .
3. Any electronic commerce activity implying official affiliation with OSU will be under the direct management of the department of Financial Information Management or certified by the department of Financial Information Management. This management structure includes all campuses and ancillary operations including, but not limited to, alumni, foundation, and athletics.

4.03
Internal control and security – Financial Information Management, operating under the Office of the Vice President for Administration and Finance, and the System Security Office, operating under the office of the CIO, will be responsible for security, security planning, and application rules.

1. Assignment of responsibility for application and security
2. Development, implementation, and maintenance of application and security plans.
3. Initial and periodic reviews of application by the System Security Office and Financial Information Management for security concerns, internal control violations, and non-adherence to OSU's policies.

4.04
Accepting Credit Card Payments

1. Each unit must comply with credit card processing procedures and application processes established by the Office of the Bursar.
2. Each unit that receives approval to accept credit card payments through a web site must, at a minimum, capture the following information from each customer transaction:
   a.  Amount of purchase
   b.  Card number and expiration date
   c.   Name as it appears on card
   d.   Mailing address
   e.   Sales Tax, if applicable
   f.   Total amount charged
3. Credit card numbers must not be retained on university web sites.