The University at Buffalo is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect payment card data regardless of where that data is processed or stored.
Departments that accept payment cards must handle and process all card information in a secure manner in accordance with university policy and the payment card industry standards.
Do - Properly destroy all hardcopy forms containing cardholder data (cross cut shred, incinerate or pulp). Placing in a secured bin provided by a disposal service is acceptable.
|Don’t - Store cardholder data unless truncated (first six digits OR last four digits)|
Do - Physically secure all hardcopy cardholder data pending processing.
|Don’t - leave cardholder information unattended on a desk, screen, or in any public area|
Do – Only retain cardholder data received by phone or mail long enough to complete the transaction, then destroy the hardcopy.
|Don’t - Send cardholder data outside of approved areas|
Do – Have a unique user name and password for your work and only use it for work purposes, not personal
|Don’t – Share your user name, password or credentials|
Do – Restrict access to devices to people duly approved and who need the access for their job.
|Don’t – Install, move, replace or return devices without verification with Financial Management|
|Do – Verify the identity and credentials of all unknown persons prior to granting them access to modify or troubleshoot devices.||Don’t – Use any computer or mobile device to enter cardholder data that is not specifically configured and dedicated to processing payments.|
|Do – Keep an up to date list of all credit card processing devices and inspections.||Don’t – Enter cardholder data online as the customer.|
|Do - Report immediately to your supervisor and the Information Security Officer if you suspect tampering with a device or credit card information has been lost, stolen, exposed, or otherwise misused.||Don’t – Request or send any cardholder data by email, fax, chat, instant message, SMS, or any similar end-user messaging technology.|
|Don’t – Store any contents of the magnetic stripe|
If cardholder data is received via email, fax or voicemail:
If Financial Management has approved the need for cardholder data to be distributed internally, it must be physically secured; this includes using locked transmittal bags.