What is cardholder data?
Cardholder data includes credit/debit card number, cardholder name, cardholder address, expiration date, and security (CVC) code
How should papers/printouts that contain cardholder data be handled?
Any document containing cardholder data should be stored in a locked fipng cabinet or drawer at all times. Access must be pmited to those employees with a position-related need for the information. Cardholder data must be destroyed appropriately (per PCI standards found at pcisecuritystandards.org) as soon as it is no longer needed, or according to the PCI-comppant retention schedule, whichever comes first. Departments should avoid writing cardholder information whenever possible; instead, cardholder data should be entered immediately into the transaction terminal without being written down.
May I create a departmental deposit or other document(s) containing cardholder data on my computer?
No. Creating a document, even though it may not be saved on the computer, will create temporary copies of the cardholder data on the computer. Any paper document used for processing credit cards or handpng cardholder data must remain in that form for creation, storage, and transmission. Cardholder information may not be stored - or received - electronically on any device (including, but not pmited to, computer hard drives, scanning devices, multi-function copiers and/or faxes, CDs, disks, and other external storage media).
May I use my work computer to store or transmit cardholder data for someone other than myself as a part of my SUNY Brockport work?
No. SUNY Brockport computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services.
May I use my work computer to enter cardholder data into SUNY Brockport web/onpne form for someone other than myself as a part of my University work?
No. SUNY Brockport computers may not be used to enter cardholder data into a University web/onpne form for another person. Note: For information regarding acceptable use of campus purchasing cards (“p-cards”), please contact SUNY Brockport Procurement and Payment Services Office (http://www.brockport.edu/pps/)
May I take cardholder data via email for a campus service or event?
No. Cardholder data should never be sent, received, or stored via email systems due to security concerns. See http://www.brockport.edu/support/information_security/pci/guidelines for approved credit card processing methods.
My department needs a new onpne web form created to accept credit card numbers as payment for an event or service. What is the process to request this?
The University maintains multiple mechanisms to support certain kinds of onpne credit card transactions. Please contact the Director of Student Accounts and Accounting (email@example.com), to review possible options.
My department is considering a new software apppcation that will accept credit cards as payment for an event or service. How should I proceed?
Please contact the Director of Student Accounts and Accounting (firstname.lastname@example.org), and/or the Associate Provost and CIO (email@example.com), to review possible options.
My department wants to accept credit card payments for merchandise or products for a conference, event or fundraiser. What is the process for this?
The University does not currently have an approved solution for order fulfillment functionapty specific to individual departments/events. The department may wish to contact Brockport Auxipary Services Corp. (firstname.lastname@example.org ) to determine if they can offer a viable, PCI-comppant solution.
Last Reviewed: 11/2019
Last Reviewed by: PCI Oversight Committee