Credit Card Processing Guidelines
The purpose of this document is to describe the responsibilities inherent in the collection, processing, storage, or dissemination of credit card data.
- All credit card processing is subject to review by the Committee on Privacy and Information Management. This includes credit card payments received via web forms; in person, by phone, fax, or mail; and at off-site events.
- Cardholder information must not be accepted through e-mail. Send the sender a reply with instructions on the proper procedure for submitting the information, but do not include the cardholder information in the reply (do not quote or forward the original message). The original e-mail must be promptly and permanently deleted from the university account, including from any "Deleted Items" or trash folder.
- No cardholder information is allowed to be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). This includes reports from hosted credit card processing vendors.
- The PIN and the card verification code (CVV2/CVC2/CID: the three-digit code on the back of the card, or the four-digit code on the front of American Express cards) must NEVER be stored after a transaction is authorized, in any form, even if encrypted.
- POS (point of sale) or card swipe terminals must be approved by the Committee on Privacy and Information Management and used only with dial-out connections or internet terminals with approved secure configurations.
- Access to cardholder information must be limited to those individuals whose job requires it (need-to-know basis).
- Any media, including paper copies, that contains cardholder information must be treated as confidential. Wherever possible, cardholder data should be removed from documents (for example, by redacting the card number) and the original shredded immediately after processing.
- Any paper copies of cardholder information must be securely stored in a locked safe when not in use.
- Do not publicly display cardholder information, leave it unattended, or disclose it to anyone who is not authorized to access it.
- When paper copies of cardholder information are no longer necessary, they must be shredded using a cross-cut shredder.
- Employees and students handling cardholder information must pass a background check and must acknowledge in writing that they understand these Southwestern Credit Card Processing Guidelines. In general, students should not have access to cardholder information. Once PCI compliance training is developed, anyone handling cardholder information will be required to complete that training annually.
- Securely delete all pre-existing cardholder information from electronic storage (databases, computer hard drives, CDs, disks, and other external storage media) using PGP Shredder or another IT-approved secure-deletion mechanism. Ordinary file deletion does not remove the data from the media; CDs and other media that cannot be securely overwritten must be physically destroyed.
- All workstations used for entering cardholder information into online web forms must have prior approval and must run approved, up-to-date firewall and anti-virus/anti-malware software.
For further information or assistance with sensitive personal information (SPI) protection, please contact Brenda Thompson, Associate Vice-President for Finance and Accounting, Controller, at 512-863-1956 or firstname.lastname@example.org.