Best Practices for Handling Cardholder Information

Accountability/Applicability:

This document applies to all individuals who have access to credit card information, in any form, at any merchant location of the University of New Brunswick.

Responsibility Statement:

University employees who have access to cardholder data are responsible for holding the data in confidence at all times. Cardholder information should be disclosed only for a required business purpose.

The University of New Brunswick conforms to PCI standards to protect credit card information held and/or used at the university. Responsibilities and requirements for the following persons and units are listed below:

1. Merchant locations must:

a. Protect cardholder information so that no more than the first six and the last four digits of the credit card number are displayed or printed; the digits in between must be masked.
b. Ensure that all of their employees and business processes comply with this document and related procedures.
c. Identify positions that require access to cardholder data, specifying positions with access to multiple instances of cardholder data.
d. Make their employees aware of the importance of cardholder information security.

Manual Credit Card Processing Procedures

2. Credit card not present transactions:

a. Credit card information obtained by phone.

i. Credit card information can be recorded on paper.
ii. The information is entered into an order entry program.
iii. Once the transaction has been approved, the paper notes/forms, or at least the portion containing the credit card information, must be cross-shredded.

b. Credit card information obtained through forms (web, mail-in order forms or fax).

i. The information is entered into an order entry program.
ii. The credit card is processed through the POS or order entry program.
iii. The portion of the form containing credit card information is to be cross-shredded.

3. Credit card present transactions:

a. Credit card information obtained through a manual swipe/Chargex machine.
b. Phone the credit card provider for confirmation.
c. If the customer signed, the carbon credit slip is filed separately from daily transactions.

Cardholder Information Access:

To be allowed to accept manual card payments, the University department must adhere to the following:

1. Credit card sales receipts with full credit card numbers must be physically stored in a locked environment for an 18-month retention period that corresponds with the allowed chargeback period. These receipts are to be kept separate from deposit documentation.

2. Records that contain full credit card information and that cannot be destroyed should be archived in UNB Archives when regular access is no longer necessary. Local long-term storage of credit card information should be avoided.

Transmission of Cardholder Information:

1. Cardholder information must never be emailed.

2. Remind customers not to send credit card information via email.

3. If an email containing credit card information is received unrequested, it must be deleted from both the inbox and the deleted items folder, and the trash must be purged/expunged. Remove all cardholder information before replying to such an email.

Transporting of Cardholder Information:

1. Manual credit card receipts must be transported from one location to another in a secure manner.

a. A record of the number of transactions and the total value of the receipts, signed by the employee.
b. Receipts stored in a sealed envelope/deposit bag for transport.
c. Verified by the department receiving the receipts, signed by the employee.

2. Credit card receipts must never be left unattended, e.g. overnight in a car, packed in baggage, or left in a hotel room.

Incident Response:

Only individuals who need to access or use cardholder information should do so, and they should access only the information needed to perform their job functions. Access to more than the minimum information needed by any University employee is prohibited.