Securing Credit Card Data
- Treat card information as confidential and allow access on a need-to-know basis only. Per University record retention guidelines, charge slips and statements should be retained for four years in a locked, secure location. When the retention period has ended, all documents must be destroyed with a cross-cut or higher-security shredder. If using an outside vendor such as Shred-It, ensure that the contract states that the third party tracks and shreds the material in a PCI DSS-compliant manner.
- Receiving credit and debit card information via fax machine is discouraged. However, if it is required to perform University business, the fax machine must be a plain-paper machine kept in a secured location, and only those employees with a need to know may have access to it. Fax machines that are part of a multi-function printer must not be used to accept payment card data (such devices may retain images of received pages on internal storage). After the transaction is processed, the document must be destroyed in a PCI DSS-compliant manner or, if retention is required, the cardholder data must be redacted before the document is stored. Sending credit and debit card information with visible cardholder identification (e.g. account number, expiration date, name) via fax machine is prohibited. Daily settlement receipts emailed to the Bank Liaison are acceptable only if they contain no visible cardholder identification information. Receiving credit and debit card information via email is prohibited.
- PCI DSS Requirement 12.7 requires merchants to screen potential employees prior to hire to minimize the risk of attacks from internal sources. This screening is required only for employees who will have access to multiple credit or debit card numbers at any one time. For employees functioning as cashiers, who have access to only one card number at a time while facilitating a transaction, screening is a recommendation, not a requirement; departments should nevertheless consider background checks for anyone handling this confidential information. Examples of screening include background, previous employment, criminal record, credit history, and reference checks.
- When displaying a card number (PAN), only the first six and/or last four digits may be shown; the remaining digits must be masked. Sensitive authentication data must never be stored after authorization, in any form, even if encrypted: this includes the card verification code (the three-digit code on the back of the card, or the four-digit code on the front of an American Express card), full track data from the magnetic stripe or chip, and PINs or PIN blocks.
- Credit card information must not be stored without a legitimate business reason. If a business unit believes it has a legitimate business reason, the storage of the credit and debit card information must adhere to the strict requirements of the PCI DSS, and the exception must be approved by Treasury Services. The storage of credit and debit card information on portable devices is strictly prohibited. Portable devices include, but are not limited to: USB flash (thumb) drives, laptops, external hard drives, and compact discs.