
Keeping Data Safe – Storage and Destruction

Directive Statement

Any type of cardholder data storage requires the prior approval of Payment Card Operations. The data must be protected against unauthorized access. Cardholder data should not be retained longer than a documented business need requires; after that, it must be deleted or destroyed.

Reason for Directive

Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ payment card data and to attest compliance with the Payment Card Industry Data Security Standard (PCI DSS). Failure to protect such information may result in financial loss for customers and the University, suspension of credit card processing privileges, fines imposed on credit card merchants, and damage to the institution’s reputation.

Who Must Comply?

All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.

Data Storage

Cardholder data must be encrypted or truncated. Only the following data elements may be retained:

  • Cardholder name
  • Primary Account Number (PAN) (must always be unreadable anywhere it is stored and no more than the last four digits can be displayed)
  • Expiration date
  • Service code

Storing the three-digit verification code on the back of the card (or the four digits on the front) or the PIN after authorization of a transaction is not allowed.

In addition, the following are required:

  1. Physical security controls to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that hold the equipment, documents, or files containing cardholder data
  2. Cardholder data must not be stored in a database, electronic file, or other electronic repository, and must not be stored on portable electronic media devices
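As an added illustration (not part of the directive or of any University system), the Python filter below applies the storage rules above to a captured transaction record: it keeps only the four retainable elements, truncates the PAN to its last four digits, drops the verification code and PIN rather than writing them, and audits a record already at rest. The field names and the sample record are assumptions.

```python
import re

# Elements this directive allows to be retained; field names are assumptions.
RETAINABLE_FIELDS = {"cardholder_name", "pan", "expiration_date", "service_code"}
# Sensitive authentication data that must never be kept after authorization.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cid", "pin", "pin_block", "track_data"}

# Constructed sample record as captured at authorization time (test data).
CAPTURED = {
    "cardholder_name": "Pat Example",
    "pan": "4111 1111 1111 1111",
    "expiration_date": "12/27",
    "service_code": "201",
    "cvv": "123",                 # must not be stored after authorization
    "pin": "4321",                # must not be stored after authorization
    "ip_address": "192.0.2.10",   # not a retainable element
}

def truncate_pan(pan: str) -> str:
    """Remove all but the last four digits (the directive's 'truncated')."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Reduce a captured record to what may be written to storage:
    keep only allow-listed elements and truncate the PAN; CVV, PIN and
    anything unlisted are dropped rather than written."""
    stored = {}
    for key, value in record.items():
        name = key.lower()
        if name in RETAINABLE_FIELDS and name not in FORBIDDEN_FIELDS:
            stored[name] = truncate_pan(value) if name == "pan" else value
    return stored

def audit_stored_record(stored: dict) -> list:
    """Flag violations in a record already at rest. A readable PAN is one
    that still looks like a full card number; an encrypted PAN would not
    match, so this check complements, not replaces, encryption review."""
    problems = [f"sensitive authentication data present: {k}"
                for k in stored if k.lower() in FORBIDDEN_FIELDS]
    pan = str(stored.get("pan", ""))
    if re.fullmatch(r"[\d\s-]+", pan) and len(re.sub(r"\D", "", pan)) > 4:
        problems.append("PAN not truncated to last four digits")
    return problems
```

Run `sanitize_for_storage(CAPTURED)` on the way into any repository and `audit_stored_record` over records found at rest during the scheduled retention review.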

Destruction of Data

A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no cardholder data is kept beyond the record retention requirements.

The only acceptable destruction methods are those that ensure cardholder data cannot be reconstructed:

  1. Cross-cut shredding
  2. Incineration
  3. Pulping

Definitions

Encrypted

To convert information or data into a cipher or code, especially to prevent unauthorized access.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data.

Portable Electronic Media Devices

Includes, but is not limited to, laptops, compact discs, USB flash drives, personal digital assistants, and portable external hard drives.

Truncated

To remove all but the last four digits of a credit card number from documentation.

Last Reviewed

05/01/2020: reviewed content

Resources

Credit Card Equipment

Deposits – Credit Card Settlements

PCI Security Standards Council

Training

TRM125 – Payment Card Security Awareness Training

Contacts

Treasury Management/Payment Card Operations: (352) 392-9057

Treasury-creditcards@ad.ufl.edu
