University of Rochester

Treasury Management

Guidelines for Cardholder Security for Card-Not-Present Credit Card Transactions

General Information

Information security is necessary due to the growth of card-not-present transactions, which include Internet, e-mail, telephone, mail, and fax orders. Consumers want assurance that their account information is safe.

Visa USA has established guidelines that assist merchants, like the University, in securing cardholder information. Throughout the University, a fair number of transactions are processed in which the cardholder's card is not present. Visa requires security compliance as of 4/30/01.

Statement for Guidelines

The University has identified specific security guidelines that will assist you in implementing security for cardholder information in card-not-present transactions. Following these guidelines will assure the University of compliance with the required standard for securing cardholder information.

Background for Guidelines

What needs to be protected?

  1. Any information used to authenticate a credit card payment transaction. Examples include the credit card number, the credit card expiration date, and the personal identification number.
  2. Any information received during the processing of a credit card payment that identifies the individual cardholder and the cardholder's purchase. Examples include the cardholder's name, purchase description, purchase amount, and other information relating to the transaction.

How to protect the information?

  1. Limit the physical access to cardholder data on a need to know basis.
  2. Dispose of cardholder data once it is no longer needed.
  3. Identify, in a unique manner, the employees who have access to cardholder information and system resources. This could be a system identifier with a password, or a unique combination for a locked area.
  4. Authenticate and control passwords through the addition, deletion and modification of users. Please refer to the University's ITS security policy for more details.
  5. Change passwords at least on a bi-monthly basis. Please refer to the University's ITS security policy for more details.
  6. Restrict outsiders' presence to areas where cardholder information is stored.

Guidelines/Procedures

The following guidelines and procedures will assist your area in complying with the cardholder information security requirements.

Maintain an audit trail that will permit reconstruction of events if necessary. The audit trail should identify the user, the type of event (Internet, telephone, fax, or mail), the date and time of receipt, and the credit card transaction.

Internet (e-mail):

Upon completion of the credit card transaction processing, move the cardholder information to a limited-access electronic file or database. The information should be secured on a computer separate from the web site. An audit trail log should be retained which identifies each transaction, the total quantity of transactions, and the retention dates. If hard copy forms of each transaction are required, the copies should be stored in a secured location with limited access. If an electronic acknowledgment is necessary, do not include the cardholder's credit card information. Retention of information should be limited to two years or 24 months.

Telephone

A telephone script should be available for all telephone representatives. The script should ask the cardholder for the following information: credit card number, credit card expiration date, name, address, and amount of transaction. It is recommended that an area supervisor periodically monitor the telephone representatives to assure that no additional information is requested from the cardholders. An audit trail log should be retained which identifies each transaction, the total quantity of transactions, and other cardholder information. Retention of documents should be limited to two years or 24 months. Hard copy forms of each transaction should be stored in a secured location with limited access.

Mail and Fax

Maintain a limited number of employees to collect and account for the mail and fax receipt requests that include cardholder information. These receipts should be processed in a limited-access area. The fax machine should also be in a limited-access area. Maintain an audit trail log which identifies each transaction, the total quantity of transactions, and other appropriate cardholder information. Retention of documents should be limited to two years or 24 months. Hard copy forms of each transaction should be stored in a secured location with limited access.

Last modified: Wednesday, 01-Nov-2006 10:27:08 EST