VII. Universal Compliance Requirements

  1. NEVER store sensitive cardholder data electronically on any University computer or server, including in spreadsheets or local databases. (PCI 3.2)
  2. Customer receipts, merchant receipts, and other printed materials must NEVER display the full credit card number (the Primary Account Number, or PAN). Only the last four digits of the account number may be visible, and only after the transaction has been successfully processed. (PCI 3.3)
  3. NEVER e-mail or otherwise transmit sensitive cardholder data via unsecured end-user messaging or file-transfer technologies (e-mail, instant messaging, text messaging, unencrypted file transfer). (PCI 4.2)
  4. Restrict access to cardholder data to individuals with a business need-to-know.  (PCI 7.1)
  5. ALL credit card documentation must be treated as a cash equivalent and should be kept physically secured, such as in a locked safe or filing cabinet. (PCI 9.6)
  6. ALL credit card documentation no longer needed for business or legal reasons must be destroyed in such a manner that the sensitive cardholder data cannot be reconstructed. Acceptable destruction methods include cross-cut shredding, incineration, or placement in a locked “to-be-shredded” container, such as those serviced by outside third-party document destruction companies. (PCI 9.8)
  7. ALL employees with access to sensitive cardholder data must review this security policy prior to processing or accessing any credit card data. (PCI 12.1)
  8. ALL employees with access to cardholder data MUST complete the following ICON courses prior to processing or accessing any sensitive cardholder data; and complete these courses on an annual basis thereafter. (PCI 12.1.1)
  • Credit Card Policy Training
  • Security Awareness Training
  9. Immediately report suspected or confirmed security breaches to it-security@uiowa.edu or call 335-6332, as outlined by the following University policies: (PCI 12.10)
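Two of the requirements above can be checked mechanically: item 1 (no PANs stored in spreadsheets or local databases) and item 2 (only the last four digits ever displayed). The script below is an added example, not part of the University's policy or any tool it provides. It scans text such as a spreadsheet export for 13 to 19 digit runs, keeps only those that pass the Luhn check that every real PAN satisfies, and reports or rewrites them masked to the last four digits. The CSV sample is constructed for this example; the card numbers in it are the widely published Visa and Mastercard test numbers, not real accounts, and the function names (`find_pans`, `redact`, `mask_pan`) are this example's own.

```python
import re
from typing import List, NamedTuple, Optional

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not immediately preceded or followed by another digit. The Luhn
# filter below removes most order numbers, timestamps and other digit runs.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every issued PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the last four digits, as the receipt rule (item 2) requires."""
    return "X" * (len(digits) - 4) + digits[-4:]


class Finding(NamedTuple):
    line_no: int
    masked: str


def _pan_in(match: "re.Match") -> Optional[str]:
    """Return the bare digits of a candidate if it is Luhn-valid, else None."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if luhn_valid(digits) else None


def find_pans(text: str) -> List[Finding]:
    """List (line number, masked PAN) for each Luhn-valid PAN stored in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = _pan_in(m)
            if digits:
                findings.append(Finding(n, mask_pan(digits)))
    return findings


def redact(text: str) -> str:
    """Rewrite text with every Luhn-valid PAN masked; other digit runs are left alone."""
    def _sub(m: "re.Match") -> str:
        digits = _pan_in(m)
        return mask_pan(digits) if digits else m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed sample: a spreadsheet export of the kind item 1 forbids.
# 4111... and 5555... are published test card numbers; 1234567890123456 is a
# 16-digit decoy that fails the Luhn check and must not be reported.
SAMPLE = """order_id,customer,card,amount
1001,A. Smith,4111 1111 1111 1111,42.00
1002,B. Jones,1234567890123456,17.50
1003,C. Lee,5555-5555-5555-4444,9.99
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE):
        print(f"line {f.line_no}: {f.masked}")
    print(redact(SAMPLE))
```

Run against a directory of exported spreadsheets or database dumps, `find_pans` gives the line-level evidence needed to act on item 1, while `redact` produces the receipt-style rendering item 2 allows. The Luhn filter is a false-positive reducer, not proof: a finding still needs a person to confirm it is cardholder data before the file is destroyed under item 6.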