Procedural Statement
This document provides the framework for developing an e-commerce initiative to sell goods and/or services to Purdue University customers. The objective of the e-commerce framework is to provide enough flexibility in implementation approaches to assure timely responses while at the same time providing the standardization that is needed to assure financial integrity, data confidentiality, and system reliability.
In accordance with the policy and procedure established by the Board of Trustees, it is the responsibility of the dean, director, chancellor, and head of school, division, department and office for each area to assure that all fees and charges of any kind have been previously approved by the Board of Trustees or, if appropriate, the executive vice president and treasurer or his designee. The Board of Trustees delegates to the executive vice president and treasurer, or his designee, responsibility and authority to establish and approve certain fees and charges on the West Lafayette and regional campuses. Rate approval requests are submitted in accordance with the procedures established in the Business Procedure Manual. A similar type of request must be submitted for approval to enter into an e-commerce activity. The requests must be submitted to the comptroller. For the academic areas at the West Lafayette campus, the business manager for each area coordinates and reviews these requests. The financial vice chancellors will coordinate for regional campuses.
A sample format for the request follows. In addition, a transmittal letter describing the activity in appropriate detail is required. The information submitted should include the organization, purpose, clients, controls, and accounting involved. The transmittal letter should be noted and approved by the appropriate departmental individuals.
Format Narrative
- Describe the products or services to be offered and the rationale for offering them via e-commerce.
- Describe the business process that will handle the additional workload from the e-commerce function, including the accounting, maintenance, and reconciliation of general ledger accounts and the credit card operation.
- Indicate whether the operation currently accepts credit cards.
- Provide the last approved rate request for the product or service, or include the new rate request.
- Identify the hardware requirements and the hardware location.
- Identify the source of technical support.
- Identify the areas or departments that need to be involved in developing and implementing the e-commerce initiative; examples may include Management Information, Investments, Accounting, or Purchasing.
- Identify the working group that will develop the initiative.
After the project has been approved, but before the application is placed into the production environment, a "final walk-through" of the e-commerce business processes and the computer application will be conducted. This walk-through serves as the approval for implementation.
The remainder of this document is intended to assist you in developing the request for approval to enter into e-commerce and to follow the above procedures.
A diagram depicting the flow of information and business processes is included as Attachment 1.
Checklist
Functional Operations Questionnaire
The following questions and statements are provided to develop responses to the first two items of the e-commerce request.
- What products or services will be offered over the Web? How complex is the “store”?
- What are the objectives in offering e-commerce (increase revenue, reduce costs, better service, etc.)?
- Will customers be able to choose the amount they pay, or will payment in full be expected?
- Does sales tax need to be collected?
- Will a customer be able to complete an application or order form and then send payment separately in the mail? If so, how will you match the electronic application or order form with the payment?
- What “help” will your Web page provide to assist customers in making their purchase?
- What kind of “receipt” will a customer receive once they have made their purchase?
- The electronic cash register “balances” out based on a 24-hour day, from midnight to midnight. This may require a change in your current reconciliation timing and processes.
- Do you currently accept credit cards “over the counter”? If so, your reporting will need to distinguish each type of credit card accepted through the Web from each type accepted over the counter. A separate accounting document will need to be prepared daily for each card type and for each channel. You must balance at least once per day, which creates the potential for multiple accounting documents. Is the required staffing available to do this?
- Credit card sales over the Web must be reconciled to income and to credit card receipt records. What reports are available within the department’s application to do this? Will the reports need to be modified to ensure the appropriate information is captured? Daily reconciliation of credit card sales and monthly reconciliation of income is standard.
Computing Environment
Servers, Software, Data, and Security
Purdue University’s e-commerce system includes several software components as well as multiple physical servers.
The Matrix of Implementation Options (Attachment 2) for e-commerce illustrates the alternatives for development of the software components, maintenance of the software components, installation of the servers, maintenance of the servers, and operation of the servers and software. Considerations to assist in choosing an implementation option are given below.
The following issues should be considered in determining which server will be used and who will manage it:
- Security requirements must be considered for each server in the system.
- The operating system of any server housing an e-commerce application must comply with the University’s control objectives for that operating system (e.g., NT, UNIX).
- Appropriate back-up and system recovery procedures must be in place for all servers.
- If availability approaching 24 hours a day, seven days a week is required, redundant servers (for all components) may be required.
- Server operating procedures must provide effective system controls.
Application issues that must be considered include the following:
- Responsibility for creation of the application, maintenance of the application, operation of the application, and storage of the data must be defined for all components of the system.
- If the data collected from this Web application are entered into an existing University computer system, modifications may be needed to that system. Responsibility for development and maintenance of the interfaces must also be established. For example, it may be necessary to maintain additional data to facilitate reconciliation of payment information.
- Policies and procedures for e-commerce must be followed regardless of the options chosen for development, maintenance, and operation.
- Web sites must conform to the standards set by the Office of Publications.
- Management Information’s e-commerce Internet Payment Service (IPS) must be used for credit card processing.
- The application must include a customer confirmation feature.
- The application must include instructions for the customer on how to resolve problems in operating the application.
- The application must provide effective application controls.
- Appropriate back-up and recovery procedures must be in place for the application.
- The application should be written against an Oracle database if real-time data integration is needed between the payment function and the application supporting the purchase of goods or services, because IPS uses a feature of the Oracle database to support real-time integration between systems. Integrating a system that uses any other type of database would require additional development in the payment server and will be considered only on an exception basis.
The following data requirements must be considered:
- No data should be stored on a Web server. Data may be stored on either the application server or on a separate data server.
- Credit card numbers may not be stored in any database, regardless of the server on which the data are stored.
- All University business procedures and policies regarding data must be observed (see Executive Memorandum C-34). Specifically note: (1) the security requirements for data follow the data regardless of location, (2) data are made available to other parties on a need-to-know basis, and (3) University data cannot be sold.
- Appropriate back-up and recovery procedures must be in place for the data.
The following security issues must be considered:
- Verification and authentication procedures must allow customers to request the server’s certificate so they can authenticate the identity of the merchant.
- Secure Sockets Layer (SSL) must be used to establish a secure, private channel between the customer’s workstation and the Web server.
External Resource Management and Contract Provisions for Vendors Developing the Web Site
External Resource Management: Establishing the Business Relationship
The business relationship with a vendor that will either (a) develop the application and hand it over to the University for operation or (b) develop, maintain, and operate the application, must be carefully considered and will require the negotiation of a contract that will clearly document the business relationship between the vendor and the University.
In general, the vendor must be able to meet the basic criteria for consideration as a Purdue University vendor. The vendor must be responsible, reliable, and offer the best product at the best price, unless there is justification satisfactory to the director of purchasing services that sole source procurement is appropriate.
When the application is developed by a third-party vendor and delivered to the University for operation, the following issues must be considered and resolved:
- Does the application adhere to the policies established by the University for managing, storing, and securing the data?
- When and how will the application be delivered to Purdue?
- Who will be responsible for modifications and continued maintenance?
- Have procedures been established that are auditable by Internal Audit or Management Information (MI) for continued operations?
When the application is developed and operated by a third-party vendor, the management issues listed below must be considered and resolved. Sole operation of an e-commerce activity by a third-party vendor will be approved on an exception basis only.
- Who will manage the on-going relationship with the vendor and monitor adherence to Purdue policies?
- Who has determined and approved the scope of the application?
- How will modifications to the system be made?
- Is the third-party vendor financially sound and reliable?
- Why is a third-party vendor operating the application rather than the University?
Contract Provisions
Any third-party vendor relationship, whether solely for development or for development and operation, will be the subject of a contract between the University and the vendor. The contract shall include the following elements:
- A statement of our policies/guidelines shall be included as an appendix to the contract. The appendix shall include Executive Memorandum C-34, selected sections from the NT Control Objectives for Servers or the UNIX Control Objectives for Servers, and the E-Commerce Technical Interface Specifications.
- Audit rights with regard to invoices, security, disaster recovery, etc.
- Performance.
- Measurement criteria to be applied to the developer’s product.
- Development and documentation of a business continuation plan.
- The technology required for the application will be stated in the contract.
- Management responsibilities will be defined.
- Purdue’s responsibilities for monitoring the vendor relationship, whether by the department or by MI, will be defined.
- The developer/vendor must adhere to EEOC guidelines, maintain criminal conviction checks for system staff, etc.
- The developer must carry adequate liability insurance.
- The contract will cover the following control issues:
- The developer will maintain the confidentiality and integrity of University data.
- Data and customer records are legally owned by Purdue; the developer/vendor has no rights to or ownership of this information and may not sell or distribute it.
- MI and Internal Audit will audit the network and physical controls established by the developer/vendor.
- The developer/vendor will provide copies of security documentation.
- Purdue ownership of source code and other materials developed for the University.
- Use and protection of University marks and logos.
- Payment and delivery schedules.
- Other appropriate terms and conditions.