Bursar FAQ's for PCI Compliance

Credit/debit card number, cardholder name, expiration date, security/CVV code.

How should papers/printouts that contain cardholder data be handled?

Whenever possible, do NOT maintain paper/printouts. If needed, they should be stored in a locked filing cabinet or drawer with access limited to only those who need the information and destroyed per the records retention requirements in the PCI policy. http://www.usg.edu/records_management/schedules/.

May I create Departmental or other documents containing cardholder data on my computer?

No. Creating a document, even though it may not be saved on the computer, will create temporary copies of the cardholder data on the computer.

May I use my work computer to store or transmit cardholder data for someone other than myself as a part of my work?

No. CSU computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware may be used for these tasks. To request a review of a specific need of this type or for any question related to this information, contact the Bursar’s Office or the Controller.

May I take cardholder data over the telephone for a campus service or event?

Depending on the situation, this may be allowed. If this is part of your job responsibilities, you must complete the University Cash Handling and PCI training (including periodic refreshers and updates) and/or consult with the University's Bursar’s Office to understand what is required to maintain PCI compliance.

May I take cardholder data via email for a campus service or event?

No. Cardholder data should never be sent, received, or stored via email systems due to security concerns.

May I take cardholder data via postal mail for a campus service or event?

Depending on the situation, this may be allowed. To request a review of a specific need of this type, contact the Bursar’s Office.

My department needs a new online web form created to accept credit card numbers as payment for an event or service. What is the process to request this?

CSU maintains mechanisms to support certain kinds of online credit card transactions. You must contact the Bursar’s Office and use one of the current approved PCI compliant methods.

My department is considering a new software application that will accept credit cards as payment for an event or service. How should I proceed?

All new software applications being considered by campus departments must go through a technology evaluation and security review as well as Bursar/Controller assessment. Contact ITS prior to discussions with a vendor so they can be involved in the process to determine if a similar solution already exists, ensure network compliance of proposed solution, and the ability to interface with other CSU systems. The requestor will be notified of the outcome of these reviews.

My department wants to accept credit card payments for merchandise or products. What is the process for this?

CSU maintains mechanisms to support certain kinds of online credit card transactions. You must contact the Bursar’s Office and use one of the current approved PCI methods.