Payment Card Industry (PCI) Compliance - Credit Card Handling Chart

The University at Buffalo is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect payment card data regardless of where that data is processed or stored.

Departments that accept payment cards must handle and process all card information in a secure manner in accordance with university policy and the payment card industry standards.

Read the Payment Card Industry (PCI) Compliance Policy

Download

Credit Card Handling Chart

Mobile Users: Swipe to scroll table

Credit Card Handling Chart
DO	DON'T
Do - Properly destroy all hardcopy forms containing cardholder data (cross cut shred, incinerate or pulp). Placing in a secured bin provided by a disposal service is acceptable.	Don’t - Store cardholder data unless truncated (first six digits OR last four digits)
Do - Physically secure all hardcopy cardholder data pending processing.	Don’t - leave cardholder information unattended on a desk, screen, or in any public area
Do – Only retain cardholder data received by phone or mail long enough to complete the transaction, then destroy the hardcopy.	Don’t - Send cardholder data outside of approved areas
Do – Have a unique user name and password for your work and only use it for work purposes, not personal	Don’t – Share your user name, password or credentials
Do – Restrict access to devices to people duly approved and who need the access for their job.	Don’t – Install, move, replace or return devices without verification with Financial Management
Do – Verify the identity and credentials of all unknown persons prior to granting them access to modify or troubleshoot devices.	Don’t – Use any computer or mobile device to enter cardholder data that is not specifically configured and dedicated to processing payments.
Do – Keep an up to date list of all credit card processing devices and inspections.	Don’t – Enter cardholder data online as the customer.
Do - Report immediately to your supervisor and the Information Security Officer if you suspect tampering with a device or credit card information has been lost, stolen, exposed, or otherwise misused.	Don’t – Request or send any cardholder data by email, fax, chat, instant message, SMS, or any similar end-user messaging technology.
	Don’t – Store any contents of the magnetic stripe

If cardholder data is received via email, fax or voicemail:

Destroy the sensitive data or message
Contact the sender to inform them that this method is not secure
Ask for the information over the phone or other compliant and secure media
Inform the sender UB will not accept information using this method in the future

If Financial Management has approved the need for cardholder data to be distributed internally, it must be physically secured; this includes using locked transmittal bags.

Contact for Questions

Contact An Expert
Contact	Email
Tricia Canty	tscanty@buffalo.edu
Financial Management	PCI_COMPLIANCE@buffalo.edu
PCI Compliance Committee	PCI@buffalo.edu

Payment Card Industry (PCI) Compliance - Credit Card Handling Chart

Download

Contact for Questions

Emergency

Announcements for All Services

UB Holiday Calendar

About Us

Policy

Records Management

Internal Audit

COELIG Filing and Training

Internal Controls Practices

Catalogs

UB Online Directory

HR For Faculty and Staff

HR For Student Employees

Careers at UB

Employee Assistance

Training and Development

Wellness and Work Life Balance

Managing People

Managing Facilities

Managing Money

Resource Planning

Managing Procurement

Traveling for Business

Parking and Transportation

Print Services

Campus Mail

Related Websites

Information for Suppliers

For Administrative Services Staff

Website Comments