University Credit Card Storage Policies

By policy, the University prohibits the storage of credit card information in any format (physical or electronic). In an effort to align University policy with the PCI-DSS (Payment Card Industry Data Security Standard) Policy 1510 mandates merchant account owners to perform quarterly investigations to ensure that their staff and systems are not storing credit card information. Periodic audits will occur to ensure that merchants are complying with this policy.

Policy 1510 states:

University departments are prohibited from storing credit card information (PAN, service code, and expiration date) in any paper or electronic format. Under no circumstance is credit card information to be stored within any storage medium (ex. paper copy, electronic files, CD-ROM, flash drive, etc.). Neither University employees nor University information systems are authorized to store credit card information. On a quarterly basis, department merchants must investigate and locate all unauthorized storage of credit card information. Departments should conduct staff interviews and review both paper and electronic records for any unreported credit card data storage. Any electronic record of credit card must be immediately and permanently deleted. Paper copy of credit card information should be securely shredded and rendered unrecoverable.

Review the University's credit card storage policies:

Policy 1510 Accepting and Processing Credit Cards for University Business

Policy 2708: Managing University Records

Quarterly Investigations for Stored Credit Card Information:

Here are some suggestions on how to create your quarterly investigation procedures:

• Develop and document credit card operating procedures:
  
  • Create a process document outlining how credit card information is obtained and transmitted by your staff. Provide the document to relevant team members. If your credit card processing method is completely outsourced and you never obtain credit card information; state this in your process document so that your staff understands that credit card information is never directly handled.

• Interview your staff:
  
  • Ask staff to confirm how credit card information is obtained and transmitted for payment processing.
  • Is credit card information immediately processed when received or is it held for any length of time?
  • Is credit card information ever stored on file (even occasionally or randomly)?
    
    • If stored, where is it stored? (On paper? Electronic storage?)
    • If stored, how is this sensitive information protected? What are the procedures?
    • If stored, is a log maintained to track how many credit cards are in your department's possession?
    • If stored, how long is the information kept? Why?
    • If stored, how is the information destroyed and rendered unrecoverable when no longer needed.

• Do staff responses align with your documented procedures? If not, re-train staff on your operational procedures.

• Maintain a log of your quarterly investigations for credit card information:
• 
  
  • Document investigation results for future reference. See the attached log template in this knowledge base article.

Destroying Credit Card Information:

Paper copy:

• Shred the document in a crosscut shredder. If your department outsources shredding services to a third party, you may place the document into the locked shredding box.

Electronic copy:

• Open a Service Now ticket with the Bursar's office so that appropriate steps can be taken to securely delete this information.

 

Credit Card Investigation Audits & Attestation

Periodic audits will be performed to ensure that merchant account owners are conducting investigations on a quarterly basis. Merchants will be required to return a signed attestation document (see attached PDF in this knowledge base article) at the time of the audit.

Please open a ticket if you have any questions or concerns related to the information within this knowledge base article.