PCI Data Retention and Disposal Policy

Introduction

Issuing Office

Cashiering and Treasury Services

Affected Parties

University personnel who handle credit card transactions, any other University personnel who discover stored CHD, and the personnel responsible for removing CHD should it be found.

Policy Rationale

Liberty University will protect cardholder data by using third-party credit card processing vendors in order to remove the necessity of storing any cardholder data (CHD). Customer credit card details entrusted to the University must be afforded a combination of security measures (technological and procedural) which, in combination, prevent all recognized possibilities of the card details being accessed, stolen, modified, or in any other way divulged to unauthorized persons. In an effort to protect cardholder data, Liberty University does not store any electronic credit card data on any system.

Definition of Glossary Terms

CDE: Cardholder Data Environment. “The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.” (PCI Glossary, April 2018)

PAN: Primary Account Number. “Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.” (PCI Glossary, April 2018)

Policy Information

Policy Statements

Note: The Issuing Office is responsible for documenting LU compliance with the following statements:

Electronic cardholder data should not be stored on any Information System.

Although Liberty University does not electronically store cardholder data, we do have temporary storage of physical paper media before processing and disposal. See Physical Security – Media Policy for more details.

If any cardholder data is discovered in any Liberty University Information System, it should be removed immediately by authorized IT personnel. Report the discovery to a supervisor or manager to start the removal process.

If an email is received that contains cardholder data, the cardholder data should be deleted and a response sent back to the sender explaining how to proceed. Employees should contact any other personnel who were copied on the same email to ensure that they also double delete the cardholder information.

Render the Primary Account Number (PAN) unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

  • One-way hashes based on strong cryptography (hash must be the entire PAN)
  • Truncation (hashing cannot be used to replace the truncated segment of PAN)
  • Index tokens and pads (pads must be securely stored)

Mask PAN when displayed or stored (the last 4 digits are the maximum that may be displayed or stored).
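The following Python is an added illustration of the four approaches listed above (one-way hash of the entire PAN, truncation, index tokens with a separately stored mapping, and last-4 masking); it is example code written for this page, not code from Liberty University or its processing vendors. The sample PANs are the standard test card numbers, the HMAC key is a constructed placeholder, and the in-memory TokenVault stands in for whatever separately secured store would hold the token-to-PAN mapping. The leakage check at the end is a heuristic for reviewing rendered output, not a policy requirement.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample values for the demonstration only (not real cardholder data).
SAMPLE_PAN = "4111 1111 1111 1111"   # common test card number
OTHER_PAN = "5555 5555 5555 4444"    # second test card number
DEMO_HASH_KEY = b"constructed-demo-key-keep-apart-from-the-hashes"  # placeholder key


def normalize_pan(pan: str) -> str:
    """Strip separators and check the digit count before any transformation."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Masking for display or storage: everything but the last 4 digits is replaced."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last 4 digits; the removed segment is discarded, never hashed."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256) over the ENTIRE PAN.

    A keyed hash is used because the set of valid PANs is small enough that an
    unkeyed digest could be matched by hashing candidate numbers; the key must be
    stored apart from the resulting hashes.
    """
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random token stands in for the PAN in ordinary systems.

    The token-to-PAN mapping (the 'pad') exists only inside this store, which in
    practice would be a separately secured system; here it is in memory.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        if digits in self._token_by_pan:          # same PAN always maps to the same token
            return self._token_by_pan[digits]
        token = secrets.token_urlsafe(16)         # random; not derived from the PAN
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def exposes_more_than_last4(rendered: str, pan: str) -> bool:
    """Heuristic review check: does a rendered string reveal 5+ consecutive PAN digits?

    Any 5-digit window of the PAN found in the digits of the rendered text counts
    as exposure beyond the permitted last 4.
    """
    digits = normalize_pan(pan)
    rendered_digits = re.sub(r"\D", "", rendered)
    return any(digits[i:i + 5] in rendered_digits for i in range(len(digits) - 4))


if __name__ == "__main__":
    vault = TokenVault()
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("hashed:   ", hash_pan(SAMPLE_PAN, DEMO_HASH_KEY))
    print("token:    ", vault.tokenize(SAMPLE_PAN))
```

Run it directly to see each rendering of the sample PAN; the masked and truncated forms retain only the final four digits, the hash is a fixed-length digest that changes completely with a different key, and the token is unrelated to the PAN unless the vault is consulted.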

Sanctions

Failure to adhere to this policy could result in disciplinary action up to and including termination.

Exceptions

None specified

Date Approved

6/30/2022

Date for Review

6/30/2023