5.21 Credit Card Processing

Policy TrackingDate
RevisedFebruary 15, 2016

Credit card processing at the College complies with the Payment Card Industry Data Security Standards (PCIDSS). The following security requirements have been established by the payment card industry and adopted by the College to ensure compliance with the payment card industry. These requirements apply to all employees, systems, and networks involved with credit card processing, including transmission, storage, or electronic and paper processing of credit card numbers.

Authorized Employees
Credit card processing for official college business is restricted to Business Office personnel and other personnel authorized by the Chief Financial Officer. No other College employees are authorized to process such information for any reason.

College employees who process credit card information or who have access to this information will complete annual data security training.

Each College employee who processes credit card information must strictly adhere to the

  1. Access to credit card information is restricted to authorized personnel.
  2. System and desktop passwords must be changed regularly in accordance with Policy
  3. Accounts should be immediately terminated or disabled for employees who leave
  4. employment with the College.
  5. Credit card information should not be stored in any format.

Data Retention
Credit card information, including the card number, cardholder name, CVV code, and expiration date should not be retained for any reason.

Employees may not send or process credit card data in any insecure manner including:
transmitting such data via mail, courier, email, or instant messaging. Credit card information may not be left exposed to anyone.

Network and Infrastructure
The Information Technology Department maintains additional procedures to ensure compliance with PCIDSS. These include:

  1. Configuration of card processing environments procedures, including segmentation of local area networks and protection through deployment of firewalls;
  2. Logging control procedures;
  3. Wireless use procedures; and
  4. Encryption procedures

The College shall annually submit a PCIDSS security questionnaire to the North Carolina Community College System to ensure compliance with the PCI Data Security standards.

Blue Ridge Community College Policies and Procedures Manual