Standard for Handling Cardholder Data
Purpose
The purpose of this document is to establish requirements for UNC Charlotte employees and other authorized users regarding the interaction with Cardholder Data (CHD). Handling includes processing, capturing, storing or transmitting this type of information. Adherence to this standard will help ensure that the University remains compliant with all University, State and Payment Card Industry (PCI) requirements.
Scope
This standard applies to all university employees, affiliates or authorized users who will be accepting electronic payments or interacting with payment card data, functions, or systems (e.g., credit and debit cards) as part of their job duties.
Contacts
Direct any general questions about this standard to the Office of the Bursar – Merchant Services at ecommerce@charlotte.edu.
Standard
Merchant System Access
- Access to Merchant reporting systems (e.g., TouchNet, ClientLine, Online Merchant Services, CEO Portal) must be requested by the merchant via the EC-Access Request to Reporting Systems form for the purpose of providing appropriate personnel with required reports for reconciliation, research, and deposit.
- Accesses will be restricted to the least privilege needed to perform job responsibilities and audited by the Office of the Bursar – Merchant Services on an annual basis.
- Access from on or off campus must be conducted on University owned equipment that is updated with current antivirus and required patches, not personally owned computers and devices.
- Personnel granted access to card reporting and/or administrative portals are prohibited from copying, moving and storing CHD onto local hard drives and removable electronic media unless explicitly authorized to do so by the Office of the Bursar – Merchant Services for a defined business need.
- If a business need is authorized, the data must be protected in accordance with all applicable Payment Card Industry Data Security Standards (PCI DSS) Requirements.
Cardholder Data (CHD) Storage
Customer CHD must never be entered or captured on University devices or network resources.
- University staff and entities are prohibited from storing the Primary Account Number (PAN) or Sensitive Authentication Data (SAD), physically or electronically (e.g., computer hard drives, CDs, disks, other external storage media), after authorization of the transaction.
- The PAN must be masked when displayed (the first six and last four digits are the maximum number of digits to be displayed). In most cases where truncation is needed, only the last four digits of the PAN should be displayed.
- Only personnel with a legitimate business need should be able to see the full PAN.
- CHD, the PAN, and/or SAD are not to be left unattended or disclosed to others.
- CHD must never be accepted or sent by email, unsecured fax, over main network connected fax machines, or by any electronic means including end-user messaging technology.
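The PAN display rule above (at most the first six and last four digits visible; only the last four in the usual truncation case) can be applied and checked programmatically. The following is an added example, not code from the standard or from the University; the function names, the asterisk fill character and the sample PAN are assumptions.

```python
import re

# Constructed sample input: a well-known test card number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"

BIN_VISIBLE = 6   # maximum leading digits the standard allows to be shown
TAIL_VISIBLE = 4  # trailing digits shown in every case


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Return a display-safe form of a PAN.

    Default (show_bin=False) keeps only the last four digits, the form the
    standard says to use in most cases. show_bin=True keeps the first six as
    well, which is the maximum the standard permits.
    """
    digits = re.sub(r"\D", "", pan)
    # Payment card PANs are 13 to 19 digits; reject anything else early.
    if not 13 <= len(digits) <= 19:
        raise ValueError("input does not look like a PAN")
    head = digits[:BIN_VISIBLE] if show_bin else ""
    tail = digits[-TAIL_VISIBLE:]
    hidden = len(digits) - len(head) - len(tail)
    return head + "*" * hidden + tail


def compliant_display(masked: str) -> bool:
    """Check that a displayed value exposes no digit outside the allowed
    first-six / last-four positions. Separators (spaces, dashes) are ignored."""
    core = re.sub(r"[ -]", "", masked)
    n = len(core)
    for i, ch in enumerate(core):
        if ch.isdigit() and not (i < BIN_VISIBLE or i >= n - TAIL_VISIBLE):
            return False
    return True


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))                # ************1111
    print(mask_pan(SAMPLE_PAN, show_bin=True))  # 411111******1111
    print(compliant_display(SAMPLE_PAN))       # False: full PAN shown
```

A report or screen that fails `compliant_display` is exposing more of the PAN than the standard permits and should be corrected before it is handed to personnel without a legitimate need to see the full number.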
Cardholder Data (CHD) Security Incident Response
All information security incidents or concerns must be reported immediately to your supervisor and/or the merchant account owner, who must immediately take action to determine the extent and category of the breach and report it to OneIT, if applicable, to minimize loss of sensitive data. University Policy 311.5, Personal Information Security Breach Notification Procedures, the Standard for Managing Information Security Incidents, and the Guideline for Reporting Information Security Incidents provide guidance regarding action to be taken if a security incident is suspected or confirmed. The chart below indicates other parties that must be notified when a breach occurs.
Sensitive Information Breach
- Any sensitive information, including eCommerce-related data or equipment
- Contact: Immediately notify the Chief Information Security Officer and your designated Data Security Officer (DSO) or Information Security Liaison (ISL)
- Contact Information: Report IT Security Incident
Equipment/Criminal Activity Breach
- University-owned equipment and/or criminal activity
- Contact: UNC Charlotte Police
- Contact Information: Located at Police & Public Safety site
All Breaches
- All breaches
- Contact: Office of Legal Affairs
- Contact Information: Located at Office of Legal Affairs site
OneIT and the Office of the Bursar – Merchant Services will coordinate reviews for any incident which involves CHD and escalate if the incident is deemed valid and meets the threshold for escalation.
All merchant/departmental entities involved are expected to cooperate fully and in a timely manner with any investigation.
Related Resources
- FAQ: How do I report an IT security incident?
- Guideline for Mail Order Payment Forms
- Guideline for Reporting Information Security Incidents
- Guideline for Telephone Order Payments
- Standard for Managing Security Incidents
- University Policy 311.5, Personal Information Security Breach Notification Procedures
Revision History
- Initially approved by the AVC for Finance on November 25, 2024