PCI Compliance and Credit Card Data Handling
Payment Card Industry (PCI) compliance requirements are designed to ensure that ALL departments that process, store or transmit credit card information maintain a secure environment.
Never ask anyone to e-mail credit card data to anyone at Kettering. This could put the cardholder’s information at risk and violates PCI regulations. Though PCI compliance is not yet law, we must remain compliant to protect our customers and their data. All currently identified third-party vendors who handle credit card data on our behalf have confirmed that they comply with the requirements. Additional information regarding PCI compliance is available at http://www.pcicomplianceguide.org/.
Anyone at Kettering receiving credit card data must securely handle and store that data. If gathered by phone, you should assemble and secure the credit card data until it is transferred to the Business Office (Diane Conley in Accounting for gifts, or staff in Student Accounts for non-gifts), and then destroy any record of it. If anyone in the originating department enters credit card data into a file to be given to the Business Office, that file should be kept only on a flash or external drive, and that drive should be stored in a locked file cabinet, not on a PC connected to the Kettering network. The originating department should never e-mail a file containing credit card data to anyone in the Business Office. If your area maintains paper files containing credit card data, those files need to be secured and destroyed when no longer needed. If you receive credit card data in the mail, place it in a confidential envelope for delivery to the Business Office, whether delivered via Inter-org mail or a mail box.

Never store credit card data on your hard drive. We do not store credit card data on our administrative systems, nor do we accept credit card payments on-line from students or others without using a PCI-compliant third party to collect the data, so keeping the data off individual Kettering PCs is important to maintaining compliance.
Business Office staff who maintain credit card data for processing recurring payments store that data on flash drives or paper copies that are secured in locked file cabinets in order to comply with PCI regulations. We never leave that information in view, accessible to others, or on a PC’s hard drive.
Please remind your staff of the specific ways we need to handle our customers’ sensitive data.