Finance and Administration

PCI Compliance Q&A

  • Credit/debit card number, cardholder name, expiration date, and security code.

  • In all instances, the cardholder should be strongly encouraged to make any credit card transaction themselves with their own personal equipment for their safety and security. Website addresses can be provided for online payment. In the rare instance where a document is received that contains cardholder data, it should be stored in a locked safe with access limited to only those who need the information. This data should be destroyed by cross-shredding immediately after processing.

  • No. Southwestern computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by the University’s Committee on Privacy and Information Management, may be used for these tasks. To request a review of a specific need of this type or for any question related to this information, contact Brenda Thompson, Associate Vice-President for Finance and Accounting, Controller at 512-863-1956 or thompso2@southwestern.edu.

  • No. Southwestern computers may not be used to enter cardholder data into a Southwestern web/online form for another person, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by the University’s Committee on Privacy and Information Management, may be used for these tasks.

  • Depending on the situation, this may be allowed. If this is part of your job responsibilities, you must complete the University PCI training (including periodic refreshers and updates) and/or consult with the University’s Committee on Privacy and Information Management to understand what is required to maintain PCI compliance. When making payments over the phone, the credit card information should never be written down, but instead typed directly into the online site while the cardholder is on the phone.

  • No. Cardholder data should never be sent, received, or stored via email systems due to security concerns.

  • Accepting credit card information through the mail is strongly discouraged since there is a high risk that someone can steal this personal information during the mail delivery process prior to it arriving at SU. Depending on the situation, this may be allowed. To request a review of a specific need of this type, contact Brenda Thompson, Associate Vice-President for Finance and Accounting, Controller at 512-863-1956 or thompso2@southwestern.edu.

  • Storefronts or check-outs that require credit card payments can be set up for events using CashNet. Please contact Melissa Williamson to get a site set up at 512-863-1617 or williamm@southwestern.edu. You need to allow a minimum of one week, preferably two, to complete this task. The CashNet eMarket set-up request online form can be found at this link.

  • All new software applications being considered by campus departments must go through a technology and business office review.

    IT review:

    • Todd K. Watson, Associate Vice President for Information Technology

    Business office review:

    • Brenda Thompson, Associate Vice President for Finance & Accounting, Controller

    If credit card acceptance is a part of the desired functionality, the security review of the application will trigger an evaluation by the University’s Committee on Privacy and Information Management. The requestor will be notified of the outcome of these reviews.