Payment Card Industry (PCI) Compliance - Credit Card Handling Chart

The University at Buffalo is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect payment card data regardless of where that data is processed or stored.

Departments that accept payment cards must handle and process all card information in a secure manner in accordance with university policy and the payment card industry standards.

Credit Card Handling Chart



Do - Properly destroy all hardcopy forms containing cardholder data (cross-cut shred, incinerate or pulp). Placing them in a secured bin provided by a disposal service is acceptable.

Don’t - Store cardholder data unless it is truncated to, at most, the first six digits or the last four digits of the card number.

Do - Physically secure all hardcopy cardholder data pending processing.

Don’t - Leave cardholder information unattended on a desk, on a screen, or in any public area.

Do - Retain cardholder data received by phone or mail only long enough to complete the transaction, then destroy the hardcopy.

Don’t - Send cardholder data outside of approved areas.

Do - Have a unique user name and password for your work, and use them only for work purposes, not personal ones.

Don’t - Share your user name, password or other credentials.

Do - Restrict access to payment devices to people who have been duly approved and who need the access for their job.

Don’t - Install, move, replace or return devices without verification from Financial Management.

Do - Verify the identity and credentials of all unknown persons before granting them access to modify or troubleshoot devices.

Don’t - Use any computer or mobile device to enter cardholder data unless it is specifically configured and dedicated to processing payments.

Do - Keep an up-to-date list of all credit card processing devices and their inspections.

Don’t - Enter cardholder data online on the customer’s behalf.

Do - Report immediately to your supervisor and the Information Security Officer if you suspect a device has been tampered with, or that credit card information has been lost, stolen, exposed or otherwise misused.

Don’t - Request or send any cardholder data by email, fax, chat, instant message, SMS or any similar end-user messaging technology.

Don’t - Store any contents of the magnetic stripe.
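The chart's truncation rule (keep no more than the first six or the last four digits) is easy to get wrong in a departmental spreadsheet or database, so here is an added example, written for this page and not code from the University at Buffalo or the PCI Security Standards Council, of applying it before anything is stored. The function names, the "X" fill character and the sample inputs are assumptions; the card number 4111 1111 1111 1111 is a widely used test number, not a real account, and the email line is constructed for the example.

```python
"""Truncate a card number (PAN) before storage, and spot untruncated PANs in text.

Added illustration of the handling chart's rule; not the university's own tooling.
"""
import re

# Card numbers are 13-19 digits; separators are stripped before checking.
PAN_RE = re.compile(r"^\d{13,19}$")
# Loose pattern for digit runs with optional space/dash separators, as typed in emails.
DIGIT_RUN_RE = re.compile(r"(?:\d[ -]?){13,19}")
FILL = "X"  # assumed fill character for removed digits


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: str = "last4") -> str:
    """Return the PAN with all but the first six OR the last four digits removed.

    The chart allows one of the two, not both, so `keep` is a choice.
    Raises ValueError if the input is not a plausible card number.
    """
    cleaned = re.sub(r"[\s-]", "", pan)
    if not PAN_RE.match(cleaned) or not luhn_valid(cleaned):
        raise ValueError("not a plausible card number")
    if keep == "first6":
        return cleaned[:6] + FILL * (len(cleaned) - 6)
    if keep == "last4":
        return FILL * (len(cleaned) - 4) + cleaned[-4:]
    raise ValueError("keep must be 'first6' or 'last4'")


def contains_full_pan(text: str) -> bool:
    """Flag text (an email body, a form field) that still carries a full card number.

    A digit run of 13-19 digits that passes the Luhn check is treated as a PAN;
    already-truncated values such as XXXXXXXXXXXX1111 do not match.
    """
    for match in DIGIT_RUN_RE.finditer(text):
        cleaned = re.sub(r"[\s-]", "", match.group())
        if 13 <= len(cleaned) <= 19 and luhn_valid(cleaned):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the PAN as a customer might type it into an email.
    received = "Card: 4111-1111-1111-1111 exp 12/26"
    if contains_full_pan(received):
        # The chart says to destroy the message; what may be kept is the truncated form.
        stored = truncate_pan("4111-1111-1111-1111")
        print("full PAN received; storable form:", stored)
```

The storable form is what a department may keep if Financial Management has approved retention at all; the original message is still destroyed and the sender contacted, as the page describes below. Note that this helper makes no attempt to handle track data, since nothing from the magnetic stripe may be stored in any form.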

If cardholder data is received via email, fax or voicemail:

  • Destroy the sensitive data or message
  • Contact the sender to inform them that this method is not secure
  • Ask for the information over the phone or other compliant and secure media
  • Inform the sender UB will not accept information using this method in the future

If Financial Management has approved the need for cardholder data to be distributed internally, it must be physically secured; this includes using locked transmittal bags. 

Contact for Questions

Tricia Canty
Financial Management
PCI Compliance Committee