skip to content

The security of card and customer data is mandatory to ensure the University is PCI DSS compliant.

What information must NOT be store at any time?

  • The contents of the magnetic stripe also known as Track 2 Data
  • The Card Verification Value or CVV contained in the magnetic stripe
  • The Card Verification Value contained in the magnetic stripe image in a chip known as the iCVV
  • The Card Security Code also known as CVV2 printed on the back of the card in or next to the signature pane
  • The PIN Verification Value or PVV which is contained in the magnetic stripe
  • Passwords or pass phrases

What information must be stored securely?

Any information that is used to authenticate a card payment including but not limited to:

  • the card number
  • expiry date
  • issue number
  • any other unique data supplied as part of the card payment

Any information that could identify individual card holders and their purchases including:

  • name
  • address
  • purchase description
  • amount
  • other details of the card payment

Physical storage

Where paper copies containing card transaction details need to be retained for a valid reason i.e. chargebacks, they must be retained in a secure, locked cabinet or room at all times.

Store documents in original transaction date or card number order. If there is a query relating to a transaction, Barclaycard will not provide the customer's name. Copy credit card receipts must not be sent back to the customer unless part of the credit card number is obscured.

Electronic storage - No!

Card and/or cardholder details should not be stored or transmitted electronically (other than through the University's online store). This includes emailing and scanning of paper copies.

If there is a valid business requirement to scan paper copies of documents which also contain card transaction details, the card details must be obliterated using an indelible marker pen before scanning. Where possible, any paper copies containing card transaction details must be destroyed (cross shredded) immediately after use.

The University will carry out penetration testing at least annually on the University network and the results will be notified to the PCI Compliance Officer.

Transactions processed by a third party

Transactions processed by a Third Party must be handled, processed and stored in accordance with standard PCI DSS compliance regulations.

Period of retention

Merchant copies of transactions must be retained in a secure and accessible place for a minimum period of 6 months. Customers can action a chargeback against a transaction during this time. For internal audit purposes, transaction details should be retained for a further minimum period of 12 months.

i.e. TOTAL storage time equals 18 months from date of transaction

Note, if you have made a rough paper note of any card details prior to entering them into eSales, WPM, a PDQ machine or on a template form these should be securely destroyed immediately once the details have been transferred



Please see our CORONAVIRUS/COVID-19 Assistance pages for help with areas of Finance during the current situation.

UFS issued communications and the University website also contain information on this topic

Raven Login

Some items on this website are restricted. University members are encouraged to log in using Raven to make the best use of the site:
Login with Raven