Credit Card FAQs

General

I am interested in accepting credit card payments. How do I get started?
Review the Payment Card Processing and Compliance Policy, then email the PCI Compliance Team with a statement of interest to accept credit card transactions.

What do I do if sensitive cardholder data is compromised?
Notify the Information Security Office immediately at information.security.office@uwsp.edu - (715) 346-2588.

Who do I contact if I have questions?
PCI Compliance Team - PCIteam@uwsp.edu
Bursar, Jamie Bednarek - jbednare@uwsp.edu - (715) 346-4692

How are credit cards processed?
Cardholder data is transmitted electronically to a payment card processor. The processor receives authorization and payment from the cardholder's bank. Funds are deposited into a University bank account. 

PCI DSS (Payment Card Industry Data Security Standard)

What is the PCI DSS?
PCI DSS is the Payment Card Industry Data Security Standard. PCI DSS offers a single approach to protecting sensitive data for all card brands. Designed to create common industry security requirements, this standard is a result of collaboration between VISA, MasterCard, and other card companies.

Why do I need to be compliant with PCI DSS?
Essentially, the PCI standards say that if there is a breach, and the merchant is NOT PCI DSS compliant at the time of the breach, significant punitive fines - up to $500,000 per incident - can be imposed. In addition, a higher level of industry oversight may be imposed and/or the entire University's ability to accept ANY credit cards may be terminated. If the merchant is PCI DSS compliant at the time of the breach, NO punitive fines will be imposed. In other words, all merchants at the University can be impacted by the NON-compliance of just one merchant.

Why was PCI DSS created?
PCI DSS was created primarily to address e-commerce credit card transactions, but it applies to non-e-commerce transactions, too. As technologies rapidly change, the networks and processes that support credit card transactions must change, too. Compliance is required of all merchants and service providers that store, process, or transmit cardholder data. Compliance applies to all payment channels: card present (card is physically processed at the point-of-sale), card-not-present (cardholder data keyed in from phone, mail, fax, or paper record), and e-commerce (customer-facing website). The ultimate goal is to protect cardholder data and sensitive authentication data from unauthorized use, or a 'breach'.

What is Cardholder Data?
Cardholder Data encompasses all of the information stored/encoded/imprinted on the payment card. There are three main groups of data to keep in mind when processing payment cards: payment card data, sensitive authentication data, and personally identifiable data.
  • Cardholder Data (CHD)
    • Primary Account Number (PAN)
    • Expiration Date
    • Cardholder Name
  • Sensitive Authentication Data (SAD)
    • Magstripe Full Track Data
    • Card Verification Value/Code (CVV/CVC)
    • PIN (Bank Card)
  • Personally Identifiable Information (PII)
    • Name
    • Address
    • Email/Phone Number

Never store Sensitive Authentication Data for ANY reason. 

Storage of Cardholder Data must be documented with a legal business reason and an outlined procedure covering: where the information is stored while not in use, which staff have authorized access, a quarterly plan to review which data should be kept or destroyed, and a secure disposal process using a cross-cut shredder.

Personally Identifiable Information should be kept secure to protect customer privacy. If your receipts or reports contain PII, make sure controls are in place to prevent unneeded exposure (e.g., stored in a cabinet), withhold PII from receipts where possible, and disable "merchant copy" receipts if receipt information is stored electronically. While PII is not technically "Cardholder Data" by itself, controls still need to be in place to protect the customer's privacy. Reports or receipts containing PII that are no longer needed should be securely destroyed with a cross-cut shredder.
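The distinction above matters in practice: a report or receipt export can contain a full PAN (cardholder data that must not be kept once the transaction is processed), a CVV/CVC or magstripe track string (sensitive authentication data that must never be stored), and PII. The following checker is an added example, not part of this FAQ or of any UWSP tool; a merchant representative could run it over exported text before filing or destroying it. The regular expressions, the "CVV"/track-data labels, and the sample export are constructed assumptions for the example; the PAN in the sample is a well-known test number, not a real card.

```python
"""Scan exported receipt/report text for cardholder data and sensitive authentication data.

Added example (not part of the UWSP FAQ). Finds Luhn-valid primary account numbers
(PANs), masks them to the last four digits, and flags CVV/CVC values and magstripe
track data, which the FAQ says must never be stored. Patterns and sample input are
assumptions constructed for this example.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled card-verification value ("CVV: 123", "CVC2=1234", "CID 123"); labels are assumed.
CVV_RE = re.compile(r"\b(?:CVV2?|CVC2?|CID)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)
# Magstripe track 1 ("%B<PAN>^...?") or track 2 (";<PAN>=YYMM...?") framing.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d{4,}[^?]*\?")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digits-only PANs in text that pass the Luhn check (one entry per occurrence)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):      # drops invoice/order numbers that merely look card-like
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as on a properly truncated receipt."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; other numbers are untouched."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


def find_sad(text: str) -> list[str]:
    """Return which kinds of sensitive authentication data appear: 'cvv' and/or 'track'."""
    hits = []
    if CVV_RE.search(text):
        hits.append("cvv")
    if TRACK_RE.search(text):
        hits.append("track")
    return hits


def check_export(text: str) -> dict:
    """Summarize what a file contains and whether it may be retained at all."""
    pans = find_pans(text)
    sad = find_sad(text)
    return {
        "pan_count": len(pans),
        "sad": sad,
        # SAD must never be stored; a full PAN must not be kept after processing.
        "must_destroy": bool(pans) or bool(sad),
        "redacted": redact_pans(text),
    }


# Constructed sample export: test-card PAN, a CVV, a track-2 string, and a harmless invoice number.
SAMPLE_EXPORT = """\
Receipt 1042 - Conference registration
Card: 4111 1111 1111 1111  Exp: 12/29  CVV: 123
Track: ;4111111111111111=2912101?
Order 7 ref: 1234567890123 (invoice number, not a card)
"""

if __name__ == "__main__":
    result = check_export(SAMPLE_EXPORT)
    print(f"PANs found: {result['pan_count']}, SAD found: {result['sad']}, "
          f"must destroy: {result['must_destroy']}")
    print(result["redacted"])
```

The Luhn check is what keeps the scanner from flagging every 13-19 digit invoice or order number; the 13-digit reference in the sample fails it and is left alone, while the test PAN is found twice (once in the card line, once inside the track-2 string). Masking to the last four digits is the form a receipt may keep; the CVV and track data have no permitted stored form, so the file is marked for destruction rather than redaction.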

Is compliance with the PCI DSS mandatory?
Yes, if your department wishes to utilize credit cards in its business practice.

Will funds be made available centrally for creating my merchant account?
No, if a department wishes to process cards, they must absorb the cost.

If I have questions about the PCI DSS, who should I contact?
PCI Compliance Team - PCIteam@uwsp.edu
Bursar, Jamie Bednarek - jbednare@uwsp.edu (715) 346-4692
Information Security Office - information.security.office@uwsp.edu (715) 346-2588

Where do I obtain information on credit card security standards?
You can review the PCI DSS at Payment Card Industry's web site, https://www.pcisecuritystandards.org/index.htm 

Training

Who has to complete credit card training?
Anyone who handles credit card data needs to complete credit card and cash handling training.

Who do I contact to receive training?
For training of a new merchant, contact the PCI Team. For training in an area where a merchant is already active, contact the responsible representative for that merchant. If the merchant representative is not known, contact the PCI Team. 

Storage and Access of Cardholder Data

Can I store cardholder data for later processing?

The storage of cardholder data for later processing is discouraged and limited to those with a documented and legitimate business reason (e.g., a remote location without a network connection, or POS device issues/downtime). Electronic storage of cardholder data of any kind is not permitted unless the card data has been "tokenized" by a third party (in which case it would no longer be considered cardholder data). Paper documents that contain cardholder data are the only permitted method for storing cardholder data, and only if it has been documented and approved by the PCI Team. If the purpose of storage is to process another transaction with a customer's payment card at a later date, we have the ability to set up scheduled recurring billing with one of our payment gateways, which handles and tokenizes the cardholder data on our behalf for safe reprocessing. Contact the PCI Team for more information on recurring billing.

Where should I store my paper documents with credit card information?
Cardholder data must not be left out in the open for others to view. When not in use, cardholder data must be secured in a locked cabinet with limited access to only those that have completed the PCI Training and whose job description includes handling cardholder data. Verify that the keys/combo are not standard to other locking cabinets or safes (i.e., S100 keys).

How should I protect the cardholder credit card data?
Protect printed cardholder data (on paper or received by fax or mail) against unauthorized access. Take note of the location of the printers and fax machines: does their location allow public access to printed documents? Limit those who open mail that could contain credit card payments to individuals whose job requires such access.

Do I need to store the card-validation code (three-digit value printed on the signature panel of a card)?
No, do not store the card validation code. 

How long should I keep paper documents with credit card information?
Keep cardholder information storage time to a minimum. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes. Once the credit card transaction has been processed, you will not need to store the full credit card account data. Returns should be processed using the credit card transaction number provided by your payment processor.

Who should have access to the credit/debit card processing system and its information?
Only people who have it as part of their job responsibility to handle credit card transactions for their department (or unit). In addition, anyone who will be given access to this information must complete the required credit card training. 

Merchant Responsibilities

Do I have to complete the Self-Assessment Questionnaire every year?
Yes, the Self-Assessment Questionnaire must be completed annually for PCI Compliance.

Who reconciles my revenue transactions?
Each merchant reconciles their own revenue to verify that the credit card transactions processed are being posted to their General Ledger account.

I have new employees whom I want to process credit cards; what do I need to do?
The Merchant Representative is required to perform training for the new employee. The new employee will need to be added to the Staff List in the Merchant Teams folder and take the required training in Canvas that fits the employee's new role.

I want to add/change the account information for where my transactions are posted in the General Ledger; whom do I need to contact?
You will need to complete the Merchant Account - Change Form and submit it to PCIteam@uwsp.edu