Cash and Treasury Services
Payment Cardholder Data Processing and Handling Policy
See related policy.
- All merchants must be authorized by Cash and Treasury Services.
- University employees must be trained in the proper handling of credit card information. Individuals who are new to the role must be trained in PCI-DSS Compliance prior to processing cardholder data.
- Access to cardholder data must be restricted appropriately based on job function.
- A copy of this policy must be read and signed by authorized individuals annually.
- Signed policies will be maintained by the department business manager and Cash and Treasury Services.
Transmission of Cardholder Data
- Cardholder data must not be transmitted in an unsecure manner, for example by unencrypted email, electronic messaging, public fax machines, or inter-office mail.
Storage of Cardholder Data
- Do not store cardholder data in electronic format. Electronic formats include files on computers, smart phones, flash drives, and other similar devices.
- Do not store cardholder data in paper format. Once the cardholder information has been processed, destroy it with a crosscut shredder.
Telephone Payments-Cardholder not Present Transactions
The use of a point of sale device will not be permitted to process card not present transactions. Please contact the office of Cash and Treasury Services to transition to a TouchNet MarketPlace Online Store.
Card Present Transactions (Point of Sale Device)
Credit card processing devices must be configured to display only the last four digits of the credit card number on printed receipts.
- Picture ID required if the card is not signed
- Provide receipt to cardholder
- Store settlement and merchant copies in a secure area.
Receipt of Cardholder Information in Email
- Any unencrypted credit card information received by email will not be processed.
- The recipient of cardholder data will notify the sender that the transaction cannot be processed. Other acceptable methods for processing the credit card transaction will be offered. An email response template is provided below.
Retention and Destruction of Cardholder Data
- Cardholder data will be destroyed once the transaction has been processed. Paper will be crosscut shredded.
Cash and Treasury Services
Office of Information Security and Privacy
Email response for credit card number received by email:
Thank you for your recent email regarding payment for _______________. To protect your credit card information, we cannot accept your payment via email. Email is an insecure means of transmitting cardholder information and/or other sensitive information. Effective October 1st, 2015, to protect your credit card information, Clemson University will not accept credit card payments by telephone or fax machine. To complete your credit card transactions, please visit _________________________ to make an online payment.
Before sending the response, delete the cardholder data. Delete the original message after replying.