Published September 18, 2019
The University at Buffalo is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect credit card data regardless of where that data is processed or stored. All members of the university community must adhere to these standards to protect our customers and maintain the ability to process payments using payment cards.
The university prohibits the retention of complete payment card primary account numbers (PAN) or sensitive authentication data in any university system, database, network, computer, tablet, cell phone, or paper file. Storing truncated numbers in approved formats (first six digits or last four digits) is permissible.
This policy provides guidance about the importance of protecting credit card data and customer information. Failure to protect customer information may result in financial loss for customers, suspension of credit card processing privileges, fines, and damage to the reputation of the unit and the university.
This policy applies to those involved with payment card handling, including faculty, staff, students, third-party vendors, individuals, systems, networks, and other parties with a relationship to the university, including auxiliary service corporations, alumni associations, student associations and governments, Research Foundation (RF), UB Foundation (UBF), and any unit using third-party software to process credit card transactions. This includes transmission, storage, and processing of payment card data in any form (electronic or paper) on behalf of UB.