Willamette University has an obligation to protect cardholder data and must comply with the standards set forth by the Payment Card Industry Data Security Standards (PCI-DSS).
Any department or organization on campus that accepts credit cards for payment must properly secure protected credit card information. That information includes: full credit card number, card type, expiration date, PIN, and card validation codes and/or any magnetic stripe data.
Credit card information may not be transmitted or received by end-user messaging technologies (such as email, text, or chat), fax or campus mail. If you have to take credit card information remotely, it should be done by telephone.
Credit card information may not be stored electronically (email, scanned copies, spreadsheets, etc.). Many malicious programs have been expressly written to search for and copy any credit card information stored on a computer.
Paper records containing protected credit card information may not be retained. The paper form containing credit card information should be designed in such a way that the credit card information can be easily separated and cross-shredded. If a copy must be made, then the protected credit card information must be redacted using a black marker, the document recopied, and then the original cross-shredded.
Any Department using third-party services and/or cash register systems may not store credit card information on University computers. If a Department is using a third-party service for credit card processing, it must request written certification of compliance with PCI-DSS (processors) and/or PA-DSS (applications) from the vendor and submit a copy to the Accounting Office.
Departments must inspect credit card machines on a regular basis (at least quarterly) to look for tampering. This inspection should include comparing the device serial number to the serial number on record. Personnel must be aware of suspicious behavior and report any tampering or substitution of devices to the Accounting Office.
All new devices must be approved and tracked by the Accounting Office. This tracking must include the device make, model, location, and serial number. Wireless devices must be set up by WITS before use.