University Credit Card Storage Policies

According to policy, the University prohibits storing credit card information in any form, whether physical or electronic. To align with the PCI-DSS (Payment Card Industry Data Security Standard) Policy 1510: Accepting and Processing Credit Cards for University Business: Accepting and Processing Credit Cards for University Business, merchant account owners are required to conduct quarterly reviews to verify that their staff and systems do not retain credit card data. Regular audits will be conducted to verify merchant compliance with this policy.

Policy 1510 states:

University departments are prohibited from storing credit card information (PAN, service code, and expiration date) in any paper or electronic format. Under no circumstances is credit card information stored within any storage medium (ex., paper copy, electronic files, CD-ROM, flash drive, etc.). Neither University employees nor University information systems are authorized to store credit card information. Quarterly, department merchants must investigate and locate all unauthorized storage of credit card information. Departments should conduct staff interviews and review both paper and electronic records for any unreported credit card data storage. Any electronic record of a credit card must be immediately and permanently deleted. A paper copy of credit card information should be securely shredded and rendered unrecoverable.

Review the University’s credit card storage policies:

Policy 1510 Accepting and Processing Credit Cards for University Business

Policy 2708: Managing University Records

Quarterly Investigations for Stored Credit Card Information:

Here are some suggestions on how to create your quarterly investigation procedures:

• Develop and document credit card operating procedures:
  • Create a process document outlining how credit card information is obtained and transmitted by your staff. Provide the document to the relevant team members. If your credit card processing method is completely outsourced and you never get credit card information, state this in your process document so that your staff understands that credit card information is never directly handled.

• Interview your staff:
  • Ask staff to confirm how credit card information is obtained and transmitted for payment processing.
  • Is credit card information immediately processed when received, or is it held for any length of time?
  • Is credit card information ever stored on file (even occasionally or randomly)?
    
    
    • If stored, where is it stored? (On paper? Electronic storage?)
    • If stored, how is this sensitive information protected? What are the procedures?
    • If stored, is a log maintained to track how many credit cards are in your department’s possession?
    • If stored, how long is the information kept? Why?
    • If stored, how is the information destroyed and rendered unrecoverable when no longer needed?

• Do staff responses align with your documented procedures? If not, re-train staff on your operational procedures.

• Maintain a log of your quarterly investigations for credit card information:
  • Document investigation results for future reference. See the attached log template in this knowledge base article.

Destroying Credit Card Information:

Paper copy: Shred the document in a cross-cut shredder. If your department outsources shredding services to a third party, you may place the document into the locked shredding box.

Electronic copy: Open a Service Now ticket with the Central A/R office so that appropriate steps can be taken to delete this information securely.

Credit Card Investigation Audits & Attestation

Periodic audits will be conducted to ensure that merchant account owners conduct investigations quarterly. Merchants will be required to return a signed attestation document (see attached PDF in this knowledge base article) at the time of the audit.

Please open a ticket if you have any questions or concerns related to the information within this knowledge base article.