Merchant Credit Card Processing Guidelines
- On hire, and annually thereafter, supervisors should discuss with staff members who process transactions the importance of protecting credit card information. A background check is required for all employees who process credit card transactions or handle credit card data. (Currently at Caltech, students do not receive background checks upon employment and therefore should not handle credit card data.)
- Credit card information is considered personal financial information and must be treated in a secure and confidential manner.
- Records containing credit card information, including (i) order forms with credit card information, (ii) notes from phone calls or faxes with credit card information, and (iii) register receipts, transaction records or sales reports on which the credit card number appears, even masked or truncated, must be secured and filed in chronological order for twelve months whenever they are not in use for business purposes. "Secured" means the information is stored in a locked drawer, cash register drawer, safe, office with restricted access, or other secure location.
- All notes, receipts, reports, storage media, or records containing credit card information must be stored in chronological order and destroyed twelve months after the date of the transaction. "Destroyed" means shredding or another form of secure destruction.
- Access to credit card information must be restricted to those with a business need to know it. Examples include those processing the transaction, those accounting for the transaction, and those processing a refund for a credit card transaction.
- The card verification code (the 3 or 4 digit security code printed on the card) must never be stored or retained once the transaction has been entered and authorization received.
- Credit card information should never be downloaded onto a personal computer or storage device unless the device is secured and the stored data is encrypted. If such storage is required, consult Campus IMSS professionals for the requirements that apply to storing Personal Restricted Data.
- Credit card information (whole credit card numbers) must never be sent by e-mail over open, public networks.
- If a department acquires or designs a credit card application, or contracts with a third party for credit card processing, it should notify the Treasury Services Department and ensure that the third-party software complies with the Payment Application Data Security Standard (PA-DSS) and/or is validated against the Payment Card Industry Data Security Standard (PCI DSS) (more information is available at https://www.pcisecuritystandards.org).
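Several of the points above (masked or truncated numbers on receipts, no retention of the card verification code, no whole card numbers in e-mail) come down to one practical check: being able to tell whether a block of text such as an order note, an e-mail body or a log line contains an unmasked card number. The following is an added example written for this page, not a tool from Caltech or from the PCI Security Standards Council. It finds 13 to 19 digit sequences, keeps only those that pass the Luhn check that every major card brand uses (so order numbers and phone numbers are not flagged), masks them down to the last four digits, and strips a "CVV nnn" note. The sample note and the "CVV" wording it looks for are constructed assumptions; the card numbers in it are publicly known test numbers, not real accounts.

```python
"""Scan free text (order notes, e-mail bodies, log lines) for unmasked card
numbers and redact them. Added example; not part of the Caltech guidelines."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed note style such as "CVV 123" or "CVC: 1234"; adjust to local habits.
_CVV_RE = re.compile(r"\bCV[VC]2?\s*:?\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample standing in for a phone-order note. The card numbers are
# the well-known Visa and Mastercard test numbers, not real accounts.
SAMPLE_NOTE = (
    "Phone order 2024-03-14: customer gave card 4111 1111 1111 1111, "
    "exp 12/26, CVV 123.\n"
    "Fax follow-up: MC 5500-0000-0000-0004 for the balance.\n"
    "Order ref 1234567890123456 (not a card). "
    "Receipt shows **** **** **** 1111 only."
)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as on a masked receipt."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the digit string of every Luhn-valid card number in text."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask card numbers and remove card verification codes from text."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        # Leave non-Luhn digit runs (order refs, phone numbers) untouched.
        return mask_pan(digits) if luhn_valid(digits) else m.group()

    text = _PAN_RE.sub(_mask, text)
    return _CVV_RE.sub("CVV [removed]", text)


if __name__ == "__main__":
    print("Unmasked card numbers found:", len(find_pans(SAMPLE_NOTE)))
    print(redact(SAMPLE_NOTE))
```

Run it over exported ticket or mailbox text before the records are filed or archived; a non-empty result from find_pans means a note, receipt or message holds a whole card number and needs the handling described above. The Luhn filter removes most false positives but is not proof of a real card, and this kind of after-the-fact scan supplements, rather than replaces, the storage and access controls required by PCI DSS.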
If you have any questions, you may contact:
David Vera, Treasury Manager