
The security of card and customer data is mandatory to ensure the University is PCI DSS compliant. 

Store securely:

Any information used to authenticate a card payment, including but not limited to:
•    the card number
•    expiry date
•    issue number
•    any other unique data supplied as part of the card payment

Any information that could identify individual card holders and their purchases, including:
•    name
•    address
•    purchase description
•    amount
•    other details of the card payment

Do NOT store ever:
•    The data stored on the magnetic stripe or chip
•    The Card Security Code, also known as CVV2, printed on the back of the card in or next to the signature panel
•    Passwords or passphrases
 

 

Physical storage

Where paper copies containing card transaction details need to be retained for chargebacks or refunds, they must be retained in a secure, locked cabinet or room at all times.

Store documents in original transaction date or card number order. If there is a query relating to a transaction, the customer's name will not be provided. Copy credit card receipts must not be sent back to the customer unless part of the credit card number is obscured.
 

Electronic storage

Any electronic storage is forbidden. Card and/or cardholder details must not be stored or transmitted electronically (other than through the University’s online store). This includes emailing and scanning of paper copies.

If there is a valid business requirement to scan paper copies of documents which also contain card transaction details, the card details must be redacted before scanning. Where possible, any paper copies containing card transaction details must be destroyed (cross shredded) immediately after use.
 

Transactions processed by a third party

Transactions processed by a Third Party must be handled, processed and stored in accordance with standard PCI DSS compliance regulations.

Period of retention

Merchant copies of transactions must be retained in a secure and accessible place for a minimum period of 18 months.

Customers can action a chargeback against a transaction during the first six months. For internal audit purposes, transaction details should be retained for a further minimum period of 12 months.
 

NB: Any notes made of card details prior to entering them into a PDQ machine should be securely destroyed immediately once the transaction has been processed.
