Credit Card Security FAQs

Who does the credit card environment policy cover?

It covers everyone involved with gathering, processing or storing the credit card information we collect within the University.

What does the credit card environment policy cover?

It covers all the credit card and cardholder information that is gathered throughout the University:
  • How we process credit card transactions
  • What we do with all of the credit card receipts and reports
  • What we do with the credit card information we gather
  • How we dispose of the information after it has served its business purpose

Who should have access to our customers' credit card information?

Only individuals with a "need to know" purpose should have access.
  • Never attach receipts with the full credit card number to the web deposit that is sent to the Treasurer's Office.
  • Never e-mail or electronically transmit full credit card numbers unless they are encrypted.

How long do we have to retain credit card data?

  • Visa, MasterCard and Discover allow customers to dispute charges up to 18 months from the date of the original transaction.
  • American Express allows disputes up to 12 months from the date of the original transaction.

How do we protect cardholder data we accumulate and store?

  • Store only the most necessary information
  • Never store the full credit card number unless there is a specific business purpose
  • Store information in a secure area, preferably in a locked container marked "Confidential"
  • Limit access to the secure storage area - only employees or third-parties that require access to the area should be allowed
  • An employee with legitimate access should always accompany other employees or third-parties needing access to the storage area

What are the risks to the University if we fail to follow the PCI Standards?

  • Disciplinary actions
    • Fines
    • Penalties - both for the University and individually
    • Loss of the privilege to accept credit cards

What is your responsibility?

Do your best to protect the cardholder data. Treat it as if it were your own. The ability to accept credit cards is a privilege, not a right.

What is the simplest way for me to comply with the credit card environment policy?

Keep the policy handy, consult and follow it! Here are a few simple rules:
  • Process cardholder data in a timely manner
  • Properly destroy all cardholder data that will not be retained
  • Retain or store only the necessary cardholder information
  • Never retain or store the full credit card number
  • Never collect the three-digit CVV code
  • Do not e-mail unencrypted credit card information
  • Do not collect customer PIN numbers
  • Make sure access to the stored data is limited and the data is secured and protected

What about the credit card information included with the Deposit of Funds Form?

  • Do not send cardholder receipts with the web deposit - the Treasurer's Office does not need or want that detailed information.
  • Attach and send only a transaction summary, settlement, batch or close report with individual card type subtotals to the Treasurer's Office.
  • Include the applicable merchant ID # on the DOF form. The Treasurer's Office has a record of all the merchant ID #'s.
  • The completed DOF form should show the total deposit by credit card type with an attached report that supports the information entered on the form.

Whom do I contact with questions or in the case of an emergency?

  • Bank of America Customer Service 1-800-430-7161
  • ITS Customer Support 977-4000
  • Treasurer's Office: Mindy Brown 977-2466 or Maggie Nikolai 977-7161