Credit Card Security Tip Sheet

Credit Card Data Usage and Retention
  • Storage and retention of credit card data must be the minimum length necessary to meet University and/or regulatory requirements.
  • University policy prohibits retaining or storing the cardholder's full credit card number, the three-digit CVV code or the PIN verification value.
  • At a minimum, the credit card number must be rendered unreadable for all stored or retained data.
  • Media or storage containers with cardholder data must be labeled as "confidential".
  • Cardholder data may not be sent via email, unless it is encrypted.
  • Cardholder data must be secured against unauthorized removal and stored in a secured area.
  • Any movement of cardholder data must be communicated to and pre-approved by the Treasurers Office.

Physical Access
  • All physical areas containing cardholder data must have limited access.
  • The preferred method of storage of cardholder data is a locked container.
  • These areas must not be accessible to the public.
  • All visitors to these areas must be escorted at all times by an employee with legitimate access.
  • It is the department's responsibility to ensure the visitor's access to the area is authorized and logged for audit purposes.
  • Visitors include employees, temporary employees, consultants, or contractors.

Third-Party Access
  • Third parties with access to cardholder data must be contractually obligated to comply with the payment card industry security requirements.
  • The third party must provide the University with documentation of its compliance level.

Credit Card Deposit Processing

  • The completed web deposit should show the total credit card deposit by credit card type, and the supporting documentation should agree to the completed form.
  • Scan web deposit and transaction summary, settlement batch or close report with the individual card type subtotals to
  • Do not send cardholder receipts with the web deposit.