Business Services Division

BookstoreBuilding, Suite 3700 – Campus Zip 6063

916-278-6672

Payment Card Industry(PCI) Compliance Procedures

for Credit Card Information

In response to the rising tide of identity theft, the PCI Data Security Standard was developed to protect cardholders and the payment card industry from the damaging and costly consequences of data breaches. The following University Enterprises Inc. (UEI) procedures must be followed when handling credit card information from third parties in order to be in compliance with the California State University (CSU)system- and campus-wide PCI compliance protocols.

Definitions

  1. Third Parties – customers, vendors, students, faculty, and any other person/entity that is not UEI.
  1. Credit Card Information – complete or partial credit card numbers[*], security number on the reverse side of the credit card, expiration date of the credit card.

Compliance Procedures

  1. All hard copy documentation of third-party credit card information must be destroyed after 90 days from the date of receipt by use of a cross-cut shredder. During the 90 day retention period, third party credit card information must be secured in a locking file.
  1. If credit card information appears on a document with other information that must be retained, the credit card information must be removed within the 90 day retention period. Acceptable methods of removal are:
  2. “Black out” (with a black marker) the credit card information, photocopy the form and destroy the original by use of a cross-cut shredder. Simply “blacking out” credit card information does not comply with CSU protocol because numbers can sometimes be read through black marker. Photocopying after blacking out the credit card information will ensure that the information is unreadable.
  3. Physically remove the portion of the document that contains credit card information and destroy by use of a cross-cut shredder. The remainder of the document can be retained now that it does not contain third party credit card information.
  4. Where possible, limit the number of employees who accept, handle and have access to third party credit card information.
  1. Terminals used for credit card transactions must be stored in a locked space when not in use.
  1. Desktops used to store credit card information must be secured with a password.
  1. Devices that collect credit information will be visually checked by the supervisor on duty prior to the equipment being used for the day. Any indication of tampering on any equipment should be reported as listed in the incident reporting section.

In the event of a suspected data breach, misuse or the theft of cardholder data, a department supervisor / manager must be contacted. The supervisor is required to send a notification of the breach to the campus Information Security Office and University Enterprises, Inc., Business Services. In the event a supervisor / manager is not accessible, contact the Information Security Office and University Enterprises, Inc. directly. Once a request has been sent all activities that may delete, modify or corrupt logs and audit records should be immediately terminated. The Information Security Office will follow up with the investigation of the incident.

  1. DO NOT transmit third party credit card information via email.
  1. Annual certification from management and staff that they have read and understand these procedures is required no later than April 30 each year. The term “management” can be Directors, Principal Investigators, Project Directors, Department Heads, etc. as determined appropriate to meet compliance standards to fit the makeup of each division, department or program within UEI.

The following is from the PCI Compliance Guide(

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID). The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC ( an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).

Payment Card Industry (PCI) Compliance Procedures

for Credit Card Information

SIGNATURE FORM

______

Project/Department/Account Name Account Number(s)

The undersigned certify that they have read, understand and will use the University Enterprises, Inc. PCI Compliance Procedures. Annual certification from management and staff is required no later than April 30 each year. The PCI Compliance procedures and signature form will be posted on the UEI/SPA website. Each project is responsible for accessing the form on the website each year to ensure access to the most current content. The term “management” can be Directors, Principal Investigators, Project Directors, Department Heads, etc. as determined appropriate to meet compliance standards to fit the makeup of each division, department or program within UEI.

Signature / Title
Type/Print Name / Date
Signature / Title
Type/Print Name / Date
Signature / Title
Type/Print Name / Date
Signature / Title
Type/Print Name / Date

Please use and attach additional sheets as necessary.

Rev 4/15

[*]Hard copy documentation containing only the last four digits of a credit card number must be destroyed after three years.