Guidelines for Cardholder Security for Card-Not-Present Credit Card Transactions
Information security is necessary due to the growth of card-not-present transactions which includes Internet, email, telephone, mail and fax. Consumers desire assurance that their account information is safe. Guidelines have been established by the Payment Card Industry Council to assist merchants, like the University of Rochester, in implementing cardholder secured information. Throughout the University, there are a small number of transactions that are incurred whereby the cardholder’s card is not present. PCI DSS and NYS General Business Law require security compliance for credit card transactions.
Statement for Guidelines
The University of Rochester Administration has identified specific security guidelines that will assist you in implementing security for cardholder information in card-not-present transactions. These guidelines will assure the University of compliance with the required standards for secured cardholder information.
Background for Guidelines
What needs to be protected?
- Any information used to authenticate a credit card payment transaction. Examples of this information include credit card number, credit card expiration date, and personal identification number.
- Any information received during the processing of a credit card payment that identifies the individual cardholder and the cardholder's purchase. Examples of this information include cardholder’s name, purchase description, purchase amount, and other information relating to the transaction.
How to protect the information?
- Limit the physical access to cardholder data on a need to know basis.
- Shred cardholder data once it is no longer needed.
- Identify, in a unique manner, the employees who have access to cardholder information and system resources. This could be a system identifier via a password or a unique combination to a locked area.
- Authenticate and control passwords through the addition, deletion and modification of users. Please refer to the University’s Information Technology Policy for additional details.
- Change passwords at least on a monthly basis.
- Maintain a secure area and restrict outsiders’ presence to areas where cardholder information is stored.
The following identifies guidelines or procedures that will assist your area in complying with secured information.
Maintain an audit trail that will permit reconstruction of events, if necessary. The audit trail should identify the user, the type of event (Internet, telephone, fax or mail), the date and time of receipt and the credit card transaction description.
- Submission of credit card numbers (full or partial) or any related cardholder information (e.g. CVV, CVV2 validation code) via e-mail is strictly prohibited.
- Utilize a secure processor like Verisign (Paypal) for completion of credit card transaction processing. Any credit card information will be maintained and stored by the secure processor. If hard copy forms of each transaction are required, the copies should be handled, maintained and stored in a secured location with limited access. If an electronic acknowledgment is necessary, do not include the cardholder’s credit card information. Retention of information should be limited to one year or 12 months.
- A telephone script should be available for all telephone representatives. The script should ask cardholder for the following information: credit card number, date of credit card expiration, name, address, and amount of transaction. It is recommended that periodically an area supervisor should monitor the telephone representatives to assure that no additional information is requested from the cardholders. An audit trail log should be retained which will identify each transaction, the total quantity of transactions and other card holder information. Retention of documents should be limited to one year or 12 months. Hard copy forms of each transaction should be stored in a secured location with limited access.
- Mail and Fax
- Maintain a limited number of employees to collect (3 or less) and account for the mail and fax receipt requests that include cardholder information. These receipts should be processed in a limited access area. The fax machine should also be in a secured limited access area. Maintain an audit trail log which will identify each transaction, the total quantity of transactions and other cardholder appropriate information. Appropriate information includes cardholder name, address, telephone number, transaction amount, transaction date, transaction purpose, and the last four digits of the credit card number (blacken the first 12 digits) Retention of documents should be limited to one year or 12 months. Hard copy forms of each transaction should be stored in a secured location with limited access.