Data Handling Procedures

Payment Card Data Handling Procedures

In keeping with the Notre Dame Payment Card Policy, storage and disposal must comply with PCI-DSS requirements.  In order to meet this policy requirement, departments must limit storage of cardholder data to the amount and time required for business, legal, and /or regulatory purposes.

General Requirements

  • The card number must be redacted to not more than the first 6 and/or last 4 digits.
  • Do not store the personal identification number (PIN) or the encrypted PIN block.
  • Do not store sensitive authentication data subsequent to authorization (even if encrypted.)
  • NEVER store the card verification code or value or PIN verification value data elements used to verify card-not-present transactions.
  • Electronic storage is prohibited without prior approval obtained through the CCSP. 
  • Hardcopy records and electronic media containing cardholder data must be inventoried at least quarterly in order to lessen the chance that the loss or theft of this data goes unnoticed.
  • Electronic media containing cardholder data must be disposed of in accordance with PCI (e.g., using "military wipe programs," degaussing, or physical destruction).  Contact the University's Information Security department for assistance.
  • Retention schedules for documents containing cardholder information are established in partnership with the University Archives' Archivist for Records Management, in accordance with the University’s Records Management and Archives Policy.
  • Retention schedules require storage for the minimum length of time required for business, legal, and regulatory purposes.
  • Any forms containing cardholder data must be purged of full credit card numbers before they can be sent to the University Archives. The University Archives will not accept any documents containing cardholder data.
  • Paper containing payment card data must be disposed of using a cross-cut shredder. 

Mail Handling

For cardholder data received via U.S. Mail, always utilize a Business Reply (BR) account.

  • For intermittent, low volume activity use the University general account.
  • For continuous, high volume activity acquire a departmental BR account.

Note: BR envelopes must meet United States Postal Service (USPS) design specifications and be submitted to the local Post Master for approval.

Have mail containing sensitive cardholder data delivered by Mail Services to a person in the department or to a secure area in the department. Departments picking up their own Post Office Box mail should maintain physical control of mail until delivered to a person or secure area in the department.

BR mail is counted and bundled by the USPS.  Confirm the number of items received in each day's bundle to the USPS count and compare the monthly volume to the volume in that month's bill.

Any department wishing to receive cardholder data via physical mail without a BR account must request an exception to policy using the Payment Acceptance Activity Clarification Form.The request must include a description of the alternate process whereby receipt of cardholder data will be tracked.  Contact the CCSP office to do so (contact information below). 

Receipt of cardholder data via end-user messaging technologies (e.g. email, voicemail, instant messaging, and text messaging) is disallowed.

Chargeback Handling

The Merchant Card Coordinator (MCC) will receive all Chargeback Summary, Chargeback Notification, or Request for Transaction Documentation forms from the University's merchant bank.

The MCC will make all cardholder numbers unreadable on the Chargeback Summary, Chargeback Notification or Request for Transaction Documentation.

Two (2) copies of the form(s) will be made. 

  • One copy is retained in the MCC's file.
  • One copy is sent to the Merchant Account Owner for handling.
  • The original document(s) will be cross cut shredded by the MCC.

Note:  The Merchant Card Coordinator can utilize My Merchant View should the Merchant Account Owner need a card number for research.

Applicability

This procedures policy applies to all University of Notre Dame employees and students.