Policies and Procedures
Procedure 308.8 – Truncation and Retention of Cardholder Account Numbers
July 1, 2006
July 8, 2015
July 8, 2015
Executive Director and Information Security Officer
Information Technology Services
There are specific standards that must be adhered to with regard to the processing or retention of a cardholder's account number.
Forms and Instructions
The customer’s copy of a credit card transaction may not contain the full card number and expiration date. Only the last four digits of the card number may be printed. The merchant’s copy of the receipt may or may not contain the full card number and expiration date, and should only contain the full number and expiration date if there is a business reason for doing so. This business reason must be submitted to the Cash Manager in the Controller’s Office and approved by the CERTIFI committee. The merchant copy of the receipts must be kept in a secure place (i.e., a locked cabinet with minimal access) for eighteen months. At the end of the eighteen months, the receipts should be destroyed in a secure manner, preferably by shredding.
Information that cannot be stored or retained in any form includes the 3-digit Card Validation Value or Code (CID/CAV2/CVC2/CVV2) located on the back of the card within the signature panel, magnetic stripe data (CAV/CVC/CVV/CSC) and Personal Identification Number (PIN) data (number entered by a cardholder during a card-present transaction and/or encrypted PIN block present within the transaction message). In the case of internet transactions, cardholder account numbers must not be transmitted to cardholders.
- Point of Sale Computer Terminal:
The merchant is responsible for all software used in a point-of-sale computer terminal application. The software and configuration must be compliant with the Payment Card Industry Data Security Standard and, if applicable, the Payment Application Data Security Standard, and its use must be approved by the University Controller’s Office and Information Security Office. See Procedure 308.1 – Establishing a New Credit Card Merchant Account, or Procedure 308.2 – Changing an Existing Credit Card Merchant Account for information related to establishing a new account or changing an existing account.
July 8, 2015: Updated information on PIN data.
July 18, 2011