Credit Card Information Security

Credit Card Information Security Guidelines

Departments should use the following guidelines when collecting credit card information from individuals in order to process payments for services, purchases, registrations, etc.

The university, through the Bursar’s Office, now provides alternative means to manage credit card activity through the Transact system. Transact provides several methods for departments to process credit card transactions one of them being the “StoreFront” where it is possible to accept credit card payments via the web. This preferred method serves to reduce the risks associated with retaining credit card information, including the risk of inadvertent exposure of credit card numbers. In addition to using the “StoreFront” technology, please adhere to these guidelines to safeguard credit card information:

  • Departments which have identified a need to accept credit card payments must contact the Bursar’s Office prior to accepting payments in this manner.  The Bursar’s Office will provide information on the acceptable methods for accepting credit card payments and will determine the appropriate method for each department. For departments not currently using Transact, credit card transactions should be processed in the department using a Tranz machine. 
  • When accepting credit card information for payments, use the university “Credit Card Information Security Form” available at to document the transaction information if another form has not been developed in the department. 
  • Under no circumstances should credit card information be entered and stored on any computer database in the department unless it is part of a secure system that has been approved by the Office of Security and Compliance, x20383. Stand-alone POS systems that process credit card transactions must have the Visa Payment Application Best Practice Certification unless explicitly exempted by the Office of Internal Audit and the Office of Security and Compliance.
  • Accept credit card information by telephone, mail, or in person only, not through electronic mail. If the department has a need to accept payments electronically contact the Bursar’s Office for assistance.  Under no circumstances should departments purchase new or make upgrades to their old credit card processing systems without coordinating this effort with the Bursar’s Office!
  • Under no circumstances should credit card information be emailed out of the department.
  • Printed receipts should show only the last 4 digits of the credit card number. If your receipt reveals the full credit card numbers contact the Bursar’s Office immediately.
  • When it is necessary to record an entire credit card number on a document in order to process the transaction, all but the last 4 digits of the credit card number should be “blacked out” on the document as soon as refunds and disputes are no longer likely, preferably within 60 days. In no case should the entire number be retained for more than 180 days.
  • Retain the original receipts from all transactions and any original, signed documentation in a secure location for a minimum of 4 years per university record retention guidelines. Find guidelines at Records Retention.
  • Store paper records in a locked room or cabinet when unattended.
  • Allow only authorized employees to have access to the secure record storage area(s).
  • Wherever possible, storage areas should be protected against destruction or potential damage from physical hazards, like fire or floods.
  • For questions, please call the Bursar’s Office, x 22626.

This page is maintained by the Office of Security and Access Management
Phone: 330-672-5566