1,030: Payment Card Industry Compliance Policy

Last Revised: September 2011

The Payment Card Industry Data Security Standard (PCI-DSS) Program is a mandated set of security standards that were created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands.

The PCI-DSS requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The requirements apply to all methods of credit card processing; the most comprehensive and demanding of which apply to e-commerce websites and retail POS systems that process credit cards over the Internet. For more information about this standard visit the official PCI Security website.

View the University's policy. All employees, contractors, vendors and third-parties that use, maintain or handle the University's information assets must follow this policy. The University is committed to these security policies to protect information utilized by the campus in attaining its business goals.

Responsibilities of Campus Departments

Credit card data is confidential information and access to this data should be limited and granted only on a business need to know basis. This access should be terminated whenever an employee changes job duties or terminates employment.

Campus departments are responsible for ensuring that reference checks are done on all classified and professional employees hired. Campus departments are also responsible for requesting that Human Resources conduct background checks including pre‐employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information. Cashiers who process transactions with the cardholder present are not required to have the additional background checks. If a new hire or new transfer will have access to hard copy credit card data or a newly hired IT person has access to systems, networks or data, the additional background checks need to be requested by the department.

The Purchasing Department ensures third parties, with whom cardholder data is shared, are contractually required to adhere to the PCI‐DSS requirements and to acknowledge they are responsible for the security of the cardholder data which they process.

The Controller's Office verifies that all employees responsible for processing credit card payments complete a security awareness training upon hire and at least annually. View the on-line training. If training is not completed, then the department's merchant number will be deactivated.

PCI requirements for credit card receipts

All departments that accept payment via credit card must be aware of and follow the university's information security policy by completing the university's online PCI training annually.

Departments may receive credit card numbers by phone, fax or mail. Credit card data may not be kept in any electronic format unless the format and method of storage has prior approval from the UNR Network Security Department. Credit card numbers may be stored on a hard copy which is kept in a locked, secure location with limited access.

Credit card numbers may not be received via email as this is not a secure transmission method. If an email is received do not process the payment. Respond to the sender that the payment cannot be processed through an email request. Make sure the credit card number does not appear in your response. Immediately delete the original email containing the credit card number.

Departments must obtain written permission from the Controller's Office to use their own credit card imprint machine. For temporary use of a credit card imprint machine, contact the Controller's Office.

Credit card data is sensitive and confidential and should only be retained in a locked, secure location as required for business purposes and must be shredded after 120 days. When credit card data is no longer needed or after 120 days, whichever comes first, the data must be destroyed using an approved method such as sanitizing, incinerating, pulverizing or shredding. The Network Security Department can provide assistance with data destruction if needed.

Web sites or web applications

Before a web site or web application may be established to accept credit card payments, the department must obtain approval in writing from the Network Security Department. Once Network Security agrees with the proposed web application, the department may obtain a new merchant ID number by contacting the Controller. The Controller will obtain a merchant ID number from Wells Fargo and give it to the department to be used for testing the web application. Once the department has the application set up, they must obtain final approval from the Network Security Department before they may put the web application into production. The Network Security Department will notify the Controller in writing that the application is PCI compliant.

Destruction of credit card numbers in copies, scanners and printers

Before a computer or any type of communications equipment (photocopy machines, scanners, and printers with hard drives) can be sent to a vendor for trade-in, servicing, surplus or disposal, all confidential or sensitive information must be destroyed or removed according to approved removal methods such as sanitizing, incinerating, pulverizing or shredding.

Retention of credit card documents for audit, investigation or litigation

If your department is involved in an audit, investigation, or litigation all destruction of records in your custody must cease. When you are notified that the audit, investigation or litigation has ended or been resolved you may destroy documents according to this policy.