NOTICE: The Finance Policies and Procedures Manual, along with the previous manual, is undergoing changes. These sites are continually updated to reflect changes in business processes. If you cannot find the information you are seeking in these policies, email financecomm@unc.edu for more information.
Policies and Procedures

Procedure 308.8 – Truncation and Retention of Cardholder Account Numbers

Effective
July 1, 2006
Last Updated
July 8, 2015
Last Reviewed
July 8, 2015
Responsible University Officer
Executive Director and Information Security Officer
Information Technology Services
University Controller
Responsible Unit
Accounting Services

Procedure Statement

Specific standards, derived from the Payment Card Industry Data Security Standard (PCI DSS), govern how a cardholder's account number may be processed, printed, and retained. The requirements below apply to every University merchant that accepts payment cards.

Forms and Instructions

The customer’s copy of a credit card transaction receipt may not contain either the full card number or the expiration date; only the last four digits of the card number may be printed. The merchant’s copy of the receipt may contain the full card number and expiration date only when there is a business reason for doing so. That business reason must be submitted to the Cash Manager in the Controller’s Office and approved by the CERTIFI committee. Merchant copies of receipts must be kept in a secure place (e.g. a locked cabinet with minimal access) for eighteen months. At the end of the eighteen months, the receipts should be destroyed in a secure manner, preferably by shredding.

Information that may not be stored or retained in any form includes the card validation value or code (CID/CAV2/CVC2/CVV2), the three-digit number printed on the back of the card within the signature panel (or the four-digit number printed on the front of American Express cards); full magnetic stripe (track) data, including the card verification value encoded in the stripe (CAV/CVC/CVV/CSC); and Personal Identification Number (PIN) data, meaning the number entered by a cardholder during a card-present transaction and/or the encrypted PIN block present within the transaction message. For internet transactions, full cardholder account numbers must not be transmitted to cardholders, for example in an order confirmation or e-mail receipt.
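The two rules above (last four digits only on anything a customer receives; no magnetic stripe data anywhere) can be checked mechanically before a receipt template or a terminal log is accepted. The following Python script is an added example written for this page, not code from the University or from Procedure 308.8. It assumes candidate account numbers are 13 to 19 digits that pass the Luhn check, and it recognises raw swipe data by the track 1 (`%B…^…^`) and track 2 (`;…=`) sentinels used on the magnetic stripe; the receipt lines it scans are constructed test data using a well-known test card number.

```python
"""Added example (not part of Procedure 308.8): audit receipt or log text
for cardholder data that may not be printed or retained."""
import re

# Candidate account numbers: 13 to 19 digits, optionally grouped with spaces
# or hyphens, and not embedded in a longer run of digits. Assumed pattern.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Magnetic stripe data as delivered by a swipe reader. Track 1 starts with
# the sentinel '%' and format code 'B', then PAN ^ name ^ YYMM...;
# track 2 starts with ';', then PAN = YYMM... .
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to the last four digits, the only part a customer copy may show."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid account number in the text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def audit_receipt(text: str) -> list[tuple[str, str]]:
    """List (finding, masked evidence) pairs for data the procedure forbids.

    Only the truncated form of a PAN is ever returned, so the audit output
    does not itself become a store of full account numbers.
    """
    findings = [("full account number", mask_pan(p)) for p in find_pans(text)]
    if TRACK1_RE.search(text) or TRACK2_RE.search(text):
        findings.append(("magnetic stripe track data", "<not reproduced>"))
    return findings


if __name__ == "__main__":
    # Constructed receipt text; 4111 1111 1111 1111 is a well-known test number.
    samples = {
        "customer copy, compliant": "VISA ************1111  EXP **/**  TOTAL 42.00",
        "customer copy, violation": "VISA 4111 1111 1111 1111  EXP 12/25  TOTAL 42.00",
        "swipe log, violation": "raw=;4111111111111111=2512101?",
    }
    for label, text in samples.items():
        print(f"{label}: {audit_receipt(text) or 'no findings'}")
```

The Luhn filter removes most order and invoice numbers, but a 16-digit reference that happens to pass the check will still be flagged, so treat a finding as something to review rather than proof of a violation. Note that the check for the card validation code is deliberately absent: a bare three- or four-digit number cannot be distinguished from any other short number in text, which is one reason that value must never be written down in the first place.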

  • Point of Sale Computer Terminal:

The merchant is responsible for all software used in a point-of-sale computer terminal application. The software and its configuration must comply with the Payment Card Industry Data Security Standard (PCI DSS) and, if applicable, the Payment Application Data Security Standard (PA-DSS), and its use must be approved by the University Controller’s Office and the Information Security Office. See Procedure 308.1 – Establishing a New Credit Card Merchant Account, or Procedure 308.2 – Changing an Existing Credit Card Merchant Account, for information related to establishing a new account or changing an existing account.

Related Data

None

History

Revised:
July 8, 2015: Updated information on PIN data.
July 18, 2011