Any type of cardholder data storage requires the prior approval of Merchant Services. The data needs to be protected against unauthorized access. Cardholder data should not be retained any longer than a documented business need requires; after that, it must be deleted or destroyed.
Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ payment card data and attest to compliance with the Payment Card Industry Data Security Standard (PCI DSS). Failure to protect such information may result in financial loss for customers and the University, suspension of credit card processing privileges, fines imposed on credit card merchants and damage to the institution’s reputation.
All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third-party vendors.
Cardholder data must be encrypted or truncated. Only the following data elements may be retained:
Storing the three-digit verification code on the back of the card (or the four-digit code on the front) or the PIN after authorization of a transaction is not allowed.
In addition, the following are required:
A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no cardholder data is kept beyond the record retention requirements.
The only acceptable destruction methods ensure that cardholder data cannot be reconstructed, and are:
Deposits – Credit Card Settlements
PCI Security Standards Council
UF Credit Card Merchant Policy
TRM125 – Payment Card Security Awareness Training
Banking & Merchant Services: (352) 392-9057
Treasury-creditcards@ad.ufl.edu