University at Buffalo - The State University of New York

How can YOU protect cardholder data?

If you use payment card readers that transmit and receive cardholder data over telephone lines, or if you store cardholder data on paper, comply with the following requirements.

Paper Records

  • During business hours, restrict cardholder data to a controlled-access area. After business hours, keep cardholder data in a locked container (file cabinet, vault). Only those who have a business need to access cardholder data should have keys, combinations, and other access to the data.
  • Dispose of Cardholder Data in a secure manner as your business need for it expires. For example, use a cross-cut shredder or shredding service.
  • Store only essential data:
      • Cardholder credit card numbers must be truncated to the last 4 digits.
      • Never retain the cardholder verification values or codes (CVV codes).
      • Do not store the PIN or the full contents of any track from the magnetic stripe.
  • You must complete the PCI Questionnaire annually and send it to the Financial Services Office.

Payment Card Processing with Computers

  • You must complete the PCI Questionnaire annually and send it to the Financial Services Office.
  • Your computers and network must be scanned quarterly for vulnerabilities by SecurityMetrics, UB's approved PCI scanning vendor.
  • Do not use the UB wireless network to store, access, process, transmit, or receive cardholder data.
  • Cardholder data must be stored only on a server dedicated to processing Payment Card transactions, protected by a dedicated hardware firewall, and subjected to quarterly security scans. Never store Cardholder data on a Web server, workstation, laptop, tablet, PDA, or on portable media such as a USB drive, even if the data are encrypted.
  • Dispose of Cardholder Data securely as soon as your business need for it expires.
  • Avoid sending or receiving Payment Card information via E-mail. If you must send Payment Card information via E-mail, the data must be encrypted.
  • Access to Cardholder Data must be granted on a need-to-know basis.
  • Systems that store Cardholder Data should be set up to deny access to all users except those specifically allowed to access the data for business needs.
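The "store only essential data" rules above (truncate the card number to the last 4 digits, never keep the CVV, PIN or magnetic-stripe track data) can be enforced in code before anything is written to a server, and audited afterwards. The following is an added example, not UB's code or policy tooling; the record, field names and card number are constructed (the number is a standard test PAN, not a real account), and the audit helper uses the Luhn check to tell card numbers from ordinary digit runs.

```python
import re

# Constructed sample as it might arrive from a card reader or order form.
# All values are made up; 4111... is a standard test PAN, not a real account.
SAMPLE_RECORD = {
    "cardholder": "J. Doe",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "pin": "4321",
    "track2": ";4111111111111111=29121011000012345?",
    "amount": "25.00",
}

# Fields the policy says must never be retained (assumed field names).
FORBIDDEN_FIELDS = {"cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2", "magstripe"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes a card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_for_storage(record: dict) -> dict:
    """Copy of the record that keeps only what the policy allows: the last 4
    digits of the PAN and no CVV/PIN/track fields. Rejects implausible PANs."""
    pan = re.sub(r"\D", "", record.get("pan", ""))
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("field 'pan' is not a plausible card number")
    kept = {k: v for k, v in record.items()
            if k.lower() not in FORBIDDEN_FIELDS and k.lower() != "pan"}
    kept["pan_last4"] = pan[-4:]
    return kept


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> list:
    """Audit helper: return every Luhn-valid full card number found in text,
    e.g. when scanning files or exports that should hold only truncated data."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits
```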