In order to comply with standards set forth by the Payment Card Industry Data Security
Standard (PCI DSS), Oakland Community College is adopting a best practice for safekeeping
of cardholder data (CHD). As an employee of the College, your obligation is to follow
the College’s best practice for safekeeping of CHD.
CHD includes, but is not limited to, cardholder primary account number (PAN), card
expiration date, and card verification value (CVV). Please review and initial next
to each bullet point below to indicate that you have read and understand the following:
- Documents or papers that have full cardholder data should be shredded or placed in
a secured bin where all contents are shredded on a regular schedule. CHD must never
be disposed of in a trash container.
- CHD should only be kept long enough to enter the information into the P2PE device,
and then shredded.
- Printed transaction receipts, with masked CHD, must be kept in a secured and locked
location, retained in accordance with the College’s retention policy, and destroyed
immediately following the required retention period. A regular schedule of deleting
or destroying data should be established to ensure no CHD is kept beyond the required
retention period. The secured and locked location should only be accessible to those
employees who may need access to the printed document(s) for chargebacks or questions
regarding a transaction.
- CHD or cardholder personally identifiable information (PII) should never be emailed
or sent via inter-office mail.
- The three (3) or four (4) digit card CVV should never be saved or written on any document
that is kept for retention purposes.
- CHD or cardholder personally identifiable information (PII) must never be downloaded,
uploaded, or copied to any electronic device or cloud-based service.
- All devices used for transmission of CHD to an approved third party must be securely
attached to a physical object, such that the devices cannot easily be removed from
their location. When the device is not in use, the device status should be kept in
a locked state to prevent unauthorized use of the device. The secured location should
only be accessible to those employees who may need to access the printed document(s)
for chargebacks or questions regarding the transaction.
- On a regular basis, card devices should be checked for signs of tampering, which may
include:
  - The device has been moved from its original location
  - Damage to the device
  - Additional items plugged into the device
  - Objects attached to card swipe or dip slots
- Contact the Manager of Banking Services immediately regarding any devices that show
signs of tampering.
- Technical and repair services for devices should be conducted through the Manager
of Banking Services. The Manager will work with the locations to get the required
service and will notify the locations by whom and how the devices are to be serviced.
- In the event of a breach or a suspected breach of security, the department or affected
unit must immediately contact the IT Support Center. The incident response must include
notifications, staff requirements, and proper handling procedures.
By signing below, you agree that you have read the College’s best practice for the
safekeeping and storage of cardholder data. You agree to adhere to the practices set
forth in this document to the best of your ability. Any abuse or misuse of card information
is subject to disciplinary action, dismissal and/or legal prosecution.
Email a signed and dated copy of this document to the Manager of Banking Services.
You will receive an e-mail acknowledgement that your form has been received.
Signature: _________________________________________________________
Printed Name: _____________________________________________________
Date: _______________________________________________________________
Change Log
- 02-07-2011 Effective date
- 02-08-2021 Approved by Vice Chancellor for Administrative Services