Credit Card Processing Guidelines
Baylor University Credit Card Processing Guidelines
The purpose of this document is to describe the responsibilities inherent with the collection, processing, storage, or dissemination of credit card data.
- All credit card processing is subject to review by the Payment Card Oversight Committee. This includes credit card payments received via web forms; in person, by phone, fax, or mail; and at off-site events.
- Cardholder information must not be accepted through an e-mail. A reply should be sent to the sender with instructions on the proper procedures for submitting the information; however, the reply e-mail should not include the cardholder information. The Information Technology Services (ITS) Help Line should be contacted for assistance in deleting the original e-mail.
- No cardholder information is allowed to be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). This includes reports from hosted credit card processing vendors.
- The PIN and the CVV2 or card verification code (on the back of the card) are NEVER allowed to be stored.
- POS (point of sale) or card swipe terminals must be approved by the Payment Card Oversight Committee and used only with dial-out connections or locked-down internet terminals.
- Access to cardholder information must be limited to those individuals whose job requires access.
- Any media, including paper copies, that contain cardholder information must be treated as confidential.
- Hand deliver manual credit card payment slips or Miscellaneous A/R reports that include credit card processing data to the Cashier's Office on a daily basis using a secure envelope and a procedure for verifying delivery.
- Any paper copies of cardholder information must be securely stored in a locked location when not in use.
- Do not publicly display cardholder information or leave it unattended and do not disclose cardholder information to others.
- When paper copies of cardholder information are no longer necessary, they must be shredded using a crosscut shredder.
- Employees and students handling cardholder information must go through a background check and must acknowledge understanding of these Baylor Credit Card Processing Guidelines. Generally, students should not have access to cardholder information. As PCI compliance training is developed, anyone handling cardholder information will be required to attend such training on an annual basis.
- Delete all pre-existing cardholder information from electronic databases, including computer hard drives, CDs, disks, and other external storage media, using PGP shredder or other ITS approved mechanism.
- All workstations used for entering cardholder information into online web forms must be locked down according to Baylor policy.
For further information or assistance with sensitive personal information (SPI) protection, please email PCI-Information@baylor.edu.