Credit Card Processing Guidelines
Willamette University has an obligation to protect cardholder data and must comply with the Payment Card Industry Data Security Standard (PCI-DSS).
Any department or organization on campus that accepts credit cards for payment must properly secure protected credit card information. That information includes the full credit card number, card type, expiration date, PIN, and card validation codes and/or any magnetic stripe data.
Credit card information should never be transmitted or received by email, fax or campus mail. If you have to take credit card information remotely, it should be done by telephone.
Credit card information should never be stored electronically (email, scanned copies, spreadsheets, etc.). Many malicious programs have been expressly written to search for and copy any credit card information stored on a computer.
Paper records containing protected credit card information should not be retained. If a copy must be made, then the protected credit card information should be blacked out using a marker, the document recopied, and then the original securely destroyed (shredded). It is preferred that the paper form containing credit card information be designed in such a way that the credit card information can be separated and submitted to the Cashier for processing.
Any Department using third-party services and/or cash register systems should not be storing credit card information on University computers. If a Department is using a third-party service for credit card processing, it must request written certification of compliance with PCI-DSS (processors) and/or PA-DSS (applications) from the vendor and submit a copy to the Accounting Office.
Grant & Restricted Fund Administrator