PCI Compliance Questions

  1. What is cardholder data?
    Credit/debit card number, cardholder name, expiration date, security code
  2. How should papers/printouts that contain cardholder data be handled?
    They should be stored in a locked filing cabinet or drawer with access limited to only those who need the information.
  3. May I create a Departmental Deposit Receipt or other documents containing cardholder data on my computer?
    No. Creating a document, even though it may not be saved on the computer, will create temporary copies of the cardholder data on the computer. Any paper document used for processing credit cards or handling cardholder data must remain in that form for creation, storage, and transmission.
  4. May I use my work computer to store or transmit cardholder data for someone other than myself as a part of my PVAMU work?
    No. PVAMU computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by the University’s Payment Card Oversight Committee, may be used for these tasks. To request a review of a specific need of this type or for any question related to this information, please contact the PVAMU Information Security Officer.
  5. May I use my work computer to enter cardholder data into a PVAMU web/online form for someone other than myself as a part of my PVAMU work?
    No. PVAMU computers may not be used to enter cardholder data into a PVAMU web/online form for another person, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by the University’s Payment Card Oversight Committee, may be used for these tasks. To request a review of a specific need of this type or for any question related to this information, contact the PVAMU Information Security Officer.
  6. May I take cardholder data over the telephone for a campus service or event?
    Depending on the situation, this may be allowed. If this is part of your job responsibilities, you must complete the Cash Handling training (including periodic refreshers and updates) and/or consult with the University’s Payment Card Oversight Committee to understand what is required to maintain PCI compliance.
  7. May I take cardholder data via email for a campus service or event?
    No. Cardholder data should never be sent, received, or stored via email systems due to security concerns.
  8. May I take cardholder data via postal mail for a campus service or event?
    Depending on the situation, this may be allowed. To request a review of a specific need of this type, contact the PVAMU Information Security Officer.
  9. My department is considering a new software application that will accept credit cards as payment for an event or service. How should I proceed?
    All new software applications being considered by campus departments must go through a technology evaluation and security review. This requires completion of the following forms:

After completion, the forms should be submitted to the PVAMU Information Security Officer. If credit card acceptance is a part of the desired functionality, the security review of the application will trigger an evaluation by the University’s Payment Card Oversight Committee. The requestor will be notified of the outcome of these reviews.