Keeping Data Safe – Storage and Destruction Procedure

Data Storage

Cardholder data that is retained must be encrypted or truncated, and only the following data elements may be retained at all:

  • Cardholder name
  • Primary Account Number (PAN): must be rendered unreadable (encrypted or truncated) everywhere it is stored, and no more than the last four digits may ever be displayed
  • Expiration date
  • Service code

Storing the three-digit verification code printed on the back of the card (or the four-digit code printed on the front of some cards) or the PIN after a transaction has been authorized is never allowed, even in encrypted form.

In addition, the following are required:

  1. Physical security controls to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents or any files containing cardholder data
  2. Cardholder data cannot be stored in a database, electronic file, or other electronic repository and cannot be stored on portable electronic media devices
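The practical way to verify the two rules above (PAN unreadable wherever it is stored, nothing stored electronically) is to scan the files and exports a department actually has for anything that looks like a full card number. The following Python scan is an added example written for this page; it is not part of the UF policy or of any UF tool. It finds 13- to 19-digit runs (optionally separated by spaces or dashes), keeps only those that pass the Luhn check that real card numbers satisfy, and reports each hit in the display form the policy allows (last four digits only). The sample lines are constructed and use published test card numbers, not real cardholder data; the function names and the regular expression are the author's choices, not anything from the policy.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample input (test card numbers only). Lines 1 and 2 hold full PANs,
# line 3 is already masked, line 4 has a 16-digit invoice number that fails Luhn
# and a phone number that is too short to be a PAN.
SAMPLE_LINES = [
    "order=1001 name=Jane Doe pan=4111111111111111 exp=12/27",
    "order=1002 name=John Roe pan=5555 5555 5555 4444 exp=03/26",
    "order=1003 name=Ann Poe pan=************1881 exp=09/28",
    "order=1004 note=invoice 1234567812345678 phone=352-392-9057",
]

# Candidate PAN: 13 to 19 digits, each optionally followed by one space or dash,
# not adjacent to other digits (so a longer numeric ID is not split into a false hit).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN the only way the policy allows it to be displayed: last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN in text, with separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> Tuple[str, int]:
    """Replace each Luhn-valid PAN in line with its masked form; return (new_line, count)."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        digits = _strip_separators(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # not a card number: leave it untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan text lines; report (1-based line number, masked PAN) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: full PAN present, displays as {masked}")
```

To run it against a real export, feed `scan_lines` the lines of the file (for example `scan_lines(open(path, errors="replace"))`); a hit means the file holds cardholder data in a form the policy forbids and must be remediated or destroyed, and `redact_line` shows what a compliant copy would look like. The Luhn filter removes most numeric-ID false positives but is not proof that a run is a card number, so treat the output as a list to review, never as a final finding.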

Destruction of Data

Each merchant department must establish a regular schedule for deleting or destroying data so that no cardholder data is kept longer than the applicable record retention requirement.

Records containing cardholder data must be destroyed so that the data cannot be reconstructed. The only acceptable destruction methods are:

  1. Cross-cut shredding
  2. Incineration
  3. Pulping

Resources

Credit Card Equipment

Deposits – Credit Card Settlements

Internal Controls Checklist

PCI Security Standards Council

UF Credit Card Merchant Policy

Training

TRM125 – Payment Card Security Awareness Training

Contacts

Banking & Merchant Services: (352) 392-9057

Treasury-creditcards@ad.ufl.edu