As a service provider in connection with its FeePay® application, Sourcewell Technology (SWT) acknowledges that it is subject to compliance with certain PCI DSS (Payment Card Industry Data Security Standard) requirements. SWT is not a payment processor or payment service provider under PCI DSS and is therefore not obligated to comply with PCI requirements applicable solely to payment processors or such providers. SWT does not store, process or transmit sensitive authentication data (SAD) or cardholder data (CHD), nor does Primary Account Number (PAN) data traverse SWT networks and/or servers.
SWT licenses FeePay to school districts (as SWT customers) so that school district parents (as FeePay end users) can pay for student meals and school-related activities and fees online through the FeePay application. SWT receives and stores tokens (which are random numeric identifiers) assigned to parents’ FeePay accounts from within the FeePay Payment application. Tokens do not include the names of parents, students, PAN, or any other personally identifiable data about the credit cards. Each time a parent uses the FeePay Payment application for financial transactions, SWT transmits the token to a third-party payment service provider (PSP) via encrypted communication. The PSP uses the token to process parents’ payments via merchant accounts owned by school districts. To the extent that SWT’s storage and transmission of the tokens could impact the security of parents’ cardholder data, SWT limits FeePay data to tokens; limits access to tokens by firewalls and passwords; limits internal access on a need-to-know basis; transmits the tokens in an encrypted format; and follows similar processes and procedures included in its Security Policies and Master Service Agreement, copies of which are available upon request.