308.6 – University of North Carolina at Chapel Hill Procedure on Truncation and Retention of Cardholder Account

Introduction

Purpose

Specific standards must be adhered to when processing or retaining card holder data. Card holder data is defined as a full personal identification number, card holder name, expiration date and/or service code, additional sensitive information.

Scope of Applicability

This procedure applies to any official or administrator with responsibilities for managing university payment card transactions and those employees entrusted with handling payment card information.

Procedure

The customer's copy of a payment card transaction may not contain the primary account number (PAN) and expiration date. Only the first six and last four digits of the card number may be printed. In accordance with Payment Card Data Security Standard requirement 3, information that cannot be stored or retained in any form includes the 3-digit Card Validation Value or Code (CID/CAV2/CVC2/CVV2) located on the back of the card within the signature panel, magnetic stripe data (CAV/CVC/CVV/CSC) and personal identification number (PIN) data (the number entered by a card holder during a card-present transaction and/or the encrypted PIN block present within the transaction message). In the case of online payment, transactions must be outsourced to a PCI compliant third-party.

Use of University Owned Computers as Payment Terminals

The use of university-owned computer terminals as payment devices is strictly prohibited. Online payments must be outsourced to a PCI compliant third-party and initiated by the consumer. Online merchant department staff should never see credit card numbers or take them over the phone, by fax or by email.

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Primary Contacts
| Subject | Contact | Telephone | E-Mail |
|---|---|---|---|
| General Questions and PCI Compliance | Merchant Services | 919-843-0420 | certifi@unc.edu |
| Deposits and Reconciliation | Cashier's Office | 919-962-5846 | deposits@unc.edu |
| Data Security | ITS – Information Security | 919-962-4357 | security@unc.edu or certifi@unc.edu |
| TouchNet Connection | TouchNet Administrator | 919-445-9319 | certifi@unc.edu |

Important Dates

  • Effective Date and title of Approver: July 1, 2006
  • Revision and Review Dates, Change notes, title of Reviewer or Approver: July 18, 2011
  • July 8, 2015: Updated information on PIN data.