Note: Issuing Office is responsible for documentation of LU compliance with the following statements:
Electronic cardholder data should not be stored on any Information System.
Although Liberty University does not electronically store cardholder data, we do have temporary storage of physical paper media before processing and disposal. See Physical Security – Media Policy for more details.
If any cardholder data is discovered in any Liberty University Information System, it should be removed immediately by authorized IT personnel. Please report discovery to supervisor/manager to start removal process.
If an email is received that contains cardholder data, the cardholder data should be deleted and a response sent back to the sender, detailing how to proceed. Employees should contact any other personnel that were copied on the same email to ensure that involved personnel also double delete the cardholder information.
Render Personal Account Number (PAN) unreadable anywhere it is stored (including on any portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
Mask PAN when displayed or stored (last 4 digits are the maximum number of digits to be displayed or stored).
Failure to adhere to this policy could result in disciplinary action up to and including termination.
Date for Review