How can YOU protect cardholder data?

If you use Payment Card readers that transmit and receive Cardholder Data via telephone lines and/or store Cardholder Data on paper, comply with the following requirements.

Paper Records

  • During business hours, restrict cardholder data to a controlled-access area. After business hours, keep cardholder data in a locked container (file cabinet, vault). Only those who have a business need to access cardholder data should have keys, combinations, and other access to the data.
  • Dispose of Cardholder Data in a secure manner as your business need for it expires. For example, use a cross-cut shredder or shredding service.
  • Store only essential data:
      • Cardholder credit card numbers must be truncated to the last 4 digits.
      • Never retain the cardholder verification values or codes (CVV codes).
      • Do not store the PIN or the full contents of any track from the magnetic stripe.
  • You must complete the PCI Questionnaire annually and send it to the Financial Services Office.
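The "store only essential data" rules above can be checked mechanically before a record is kept on paper or on disk. As an added example (not UB's own tooling), the Python checker below flags untruncated card numbers (validated with the Luhn check so ordinary numbers are not mistaken for PANs), stored CVV fields, and magnetic-stripe track data, and shows the truncated form the policy permits; the sample records and field names are constructed for illustration.

```python
import re

# Constructed sample records (Visa test number, not a real card).
SAMPLE_RECORDS = [
    "order=1001 card=4111111111111111 cvv=123 exp=12/27",   # full PAN + CVV
    "order=1002 card=XXXXXXXXXXXX1111 exp=12/27",           # compliant
    "order=1003 track2=;4111111111111111=27121011000012345678?",  # track 2
]

PAN_RE = re.compile(r"\b\d{13,19}\b")                          # candidate card number
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.I)  # assumed field names
TRACK_RE = re.compile(r";\d{13,19}=\d{4}|%B\d{13,19}\^")       # track 2 / track 1 framing


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check (as real PANs do)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Keep only the last 4 digits, as the policy requires."""
    return "X" * (len(pan) - 4) + pan[-4:]


def check_record(record):
    """List the retention-rule violations found in one stored record."""
    findings = []
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(record)):
        findings.append("untruncated PAN")
    if CVV_RE.search(record):
        findings.append("CVV stored")
    if TRACK_RE.search(record):
        findings.append("magnetic-stripe track data stored")
    return findings


def sanitize_record(record):
    """Drop records holding track data, strip CVV fields, truncate PANs."""
    if TRACK_RE.search(record):
        return None                      # track contents may never be retained
    rec = CVV_RE.sub("", record)
    rec = PAN_RE.sub(lambda m: truncate_pan(m.group()) if luhn_ok(m.group()) else m.group(), rec)
    return " ".join(rec.split())


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(check_record(r), "->", sanitize_record(r))
```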

Payment Card Processing with Computers

  • You must complete the PCI Questionnaire annually and send it to the Financial Services Office.
  • Your computers and network must be scanned quarterly for vulnerabilities by Security Metrics, UB's approved PCI scanning vendor.
  • Do not use the UB wireless network to store, access, process, transmit, or receive cardholder data.
  • Cardholder data must be stored only on a server dedicated to processing Payment Card transactions, protected by a dedicated hardware firewall, and subjected to quarterly security scans. Never store Cardholder data on a Web server, workstation, laptop, tablet, PDA, or on portable media such as a USB drive, even if the data are encrypted.
  • Dispose of Cardholder Data securely as soon as your business need for it expires.
  • Avoid sending or receiving Payment Card information via E-mail. If you must send Payment Card information via E-mail, the data must be encrypted.
  • Access to Cardholder Data must be granted on a need-to-know basis.
  • Systems that store Cardholder Data should be set up to deny access to all users except those specifically allowed to access the data for business needs.