Payment Card Industry- Data Security Standard Policy

Payment Card Industry- Data Security Standard Policy


Office of Administration, Internal Controls


Director of Compliance


Information Security and Technology



Effective Date:


Implementation History:


PCI-DSS, personal privacy protection, information security, credit card

Background Information:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for credit card account data security, developed by the credit card industry in response to an increase in identity theft and credit card fraud.


Empire State University is committed to safeguarding cardholder data and adhering to the standards established by the Payment Card Industry Council including setting up and maintaining controls for handling credit card data, computer and internet security and completing an annual self-assessment questionnaire.


Cardholder data – All personally identifiable data associated with the cardholder (cardholder name, account number, expiration date, etc.).

Card Verification Code (CVC) –Also known as the Card Validation Value (CVV) or the Card Security Code (CSC) – this is the three or four digit code on the back of the card, which is used as an additional security feature.  This code must never be stored electronically.

PCI-DSS – The Payment Card Industry Data Security Standard was adopted to assure the protection of customer data and credit card numbers.

Sensitive Authentication Data – Security-related information (card validation codes/values, full magnetic-stripe date, or personal identification number) used to authenticate cardholders, appearing in plain-text or otherwise unprotected form.

Point-of-Sale device - Any device in which cardholder data is input to facilitate credit card transactions


The University requires all departments of the university or a university affiliated organization, contractors, or consultants that handle cardholder data on behalf of the University to do so only in compliance with PCI DSS Standard and in accordance with procedures listed.

Access to Customer Credit Card Data is only allowed for authorized personnel who are responsible for processing or facilitating credit card transactions.

Unsecured (unencrypted) transmission of cardholder data is prohibited. 

The electronic storage of personally identifiable credit card or payment information on University computers and severs is expressly prohibited under any circumstances.

All third party vendors that have access to credit card information on behalf of SUNY Empire State University must be PCI compliant.

Employees who work directly with credit card processing and documentation are required to sign this policy and complete annual data security awareness training.

Applicable Legislation and Regulations


Credit card numbers and cardholder data may not be emailed, faxed, or sent via any electronic messaging technologies (i.e.: instant messaging).

No credit card numbers received via email will be processed. The recipient will notify the sender that the transaction cannot be processed and will offer acceptable methods for transmitting cardholder information.  The credit card number will be redacted from the response and the email will be deleted from the inbox and trash bin.

The Internal Controls Officer will review business process maps with department heads annually to maintain a list of current credit card processors at the university.

Physical cardholder data must be locked in a secure and access will be limited to employees approved to handle credit card information. Cardholder data must be destroyed when no longer needed via a cross-cut paper shredder or by being placed in a shred box approved by Internal Controls. Sensitive authentication data must be immediately destroyed after the transaction is processed.

Only secured communication protocols and/or encrypted connections to authorized vendors are used during the processing of ecommerce transactions. As such, only Empire State University devices should be used for processing ecommerce transactions. 

All credit card equipment (i.e.: Point-of-Sale, etc.) must be kept in a secure location when not in use.

A written agreement must be maintained that the service provider is responsible for the security of the cardholder data. The service provider’s PCI DSS compliance must be verified each year by obtaining the provider’s Attestation of Compliance or checking the status on the VISA Global Registry of PCI DSS Validated Service of Providers.

Related References, Policies, Procedures, Forms and Appendices

Related References

PCI-DSS – The Payment Card Industry Data Security Standard

SUNY Empire credit card processes by department can be found on the SUNY Empire Business Architecture library  search “credit card” (password required).