PCI Compliance Questions
1. What is cardholder data?
Credit/debit card number, cardholder name, expiration date, security code
2. How should papers/printouts that contain cardholder data be handled?
They should be stored in a locked filing cabinet or drawer with access limited to only those who need the information.
3. May I create a Miscellaneous A/R or other documents containing cardholder data on my computer?
No. Creating such a document, even one that is never saved, leaves temporary copies of the cardholder data on the computer. Any paper document used for processing credit cards or handling cardholder data must remain in paper form for creation, storage, and transmission.
4. May I use my work computer to store or transmit cardholder data for someone other than myself as a part of my Baylor work?
No. Baylor computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by the University's Payment Card Oversight Committee, may be used for these tasks. To request a review of a specific need of this type or for any question related to this information, email PCI-Information@baylor.edu.
5. May I use my work computer to enter cardholder data into a Baylor web/online form for someone other than myself as a part of my Baylor work?
No. Baylor computers may not be used to enter cardholder data into a Baylor web/online form for another person, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by the University's Payment Card Oversight Committee, may be used for these tasks. To request a review of a specific need of this type or for any question related to this information, email PCI-Information@baylor.edu.
6. May I take cardholder data over the telephone for a campus service or event?
Depending on the situation, this may be allowed. If this is part of your job responsibilities, you must complete the University PCI training (including periodic refreshers and updates) and/or consult with the University's Payment Card Oversight Committee to understand what is required to maintain PCI compliance.
7. May I take cardholder data via email for a campus service or event?
No. Cardholder data should never be sent, received, or stored via email systems due to security concerns.
8. May I take cardholder data via postal mail for a campus service or event?
Depending on the situation, this may be allowed. To request a review of a specific need of this type, email PCI-Information@baylor.edu.
9. My department needs a new online web form created to accept credit card numbers as payment for an event or service. What is the process to request this?
Baylor maintains multiple mechanisms to support certain kinds of online credit card transactions. If your department currently utilizes the Content Management System (CMS), you should contact your regularly assigned support person. If you are uncertain whom to contact, please contact Andrew Maddox at Andrew_Maddox@baylor.edu.
10. My department is considering a new software application that will accept credit cards as payment for an event or service. How should I proceed?
All new software applications being considered by campus departments must go through a technology evaluation and security review. Please review the steps involved at: https://its.web.baylor.edu/solutions.
If credit card acceptance is a part of the desired functionality, the security review of the application will trigger an evaluation by the University's Payment Card Oversight Committee. The requestor will be notified of the outcome of these reviews.
11. My department wants to accept credit card payments for merchandise or products. What is the process for this?
Currently, Baylor does not have an approved solution for order fulfillment functionality. We are working with the Baylor Bookstore on this issue and hope to be able to utilize their fulfillment services in the future.