308.6 – University of North Carolina at Chapel Hill Procedure on Truncation and Retention of Cardholder Account

Introduction

Purpose

There are specific standards that must be adhered to with regard to the processing or retention of card holder data. Card holder data is defined as, a full personal identification number, card holder name, expiration date and/or service code, additional sensitive information.

Scope of Applicability

This procedure applies to any official or administrator with responsibilities for managing university payment card transactions and those employees entrusted with handling payment card information.

Procedure

The customer's copy of a payment card transaction may not contain the primary account number (pan) and expiration date. Only the first six and last four digits of the card number may be printed. In accordance with Payment Card Data Security Standard requirement 3, Information that cannot be stored or retained in any form includes the 3-digit Card Validation Value or Code (CID/CAV2/CVC2/CVV2) located on the back of the card within the signature panel, magnetic stripe data (CAV/CVC/CVV/CSC) and personal identification number (PIN) data (number entered by a card holder during a card-present transaction and/or encrypted PIN block present within the transaction message). In the case of online payment transactions must be outsourced to a PCI compliant third-party.

Use of University Owned Computers as Payment Terminals

The use of university owned computer terminals as payment devices is strictly prohibited. Online payments must be outsourced to a PCI compliant third-party and initiated by the consumer. Online merchant department staff should never see credit card numbers, take them over the phone, by fax or email.

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Primary Contacts
Subject Contact Telephone E-Mail
General Questions and PCI Compliance Merchant Services 919-843-0420 certifi@unc.edu
Deposits and Reconciliation Cashier's Office 919-962-5846 deposits@unc.edu
Data Security ITS – Information Security 919-962-4357 security@unc.edu or certifi@unc.edu
TouchNet Connection TouchNet Administrator 919-445-9319 certifi@unc.edu

Important Dates

  • Effective Date and title of Approver: July 1, 2006
  • Revision and Review Dates, Change notes, title of Reviewer or Approver: July 18, 2011
  • July 8, 2015: Updated information on PIN data.
100% helpful - 1 review

Details

Article ID: 131504
Created
Thu 4/8/21 9:10 PM
Modified
Tue 8/9/22 2:42 PM
Effective Date
If the date on which this document became/becomes enforceable differs from the Origination or Last Revision, this attribute reflects the date on which it is/was enforcable.
09/02/2020 10:12 AM
Issuing Officer
Name of the document Issuing Officer. This is the individual whose organizational authority covers the policy scope and who is primarily responsible for the policy.
Issuing Officer Title
Title of the person who is primarily responsible for issuing this policy.
Cash Manager
Last Review
Date on which the most recent document review was completed.
09/02/2020 10:12 AM
Last Revised
Date on which the most recent changes to this document were approved.
09/02/2020 10:12 AM
Origination
Date on which the original version of this document was first made official.
07/01/2006 12:00 AM
Responsible Unit
School, Department, or other organizational unit issuing this document.
F&O-Finance