Clark University's PCI Compliance Policy
As of March, 2008
The Payment Card Industry Data Security Standard (PCI DSS) mandates that we protect cardholders from fraud and identity theft. The mandated security requirements apply to all system components, whether a network component, server or application, that are included in or connected to the cardholder data environment.
Clark University has adopted the following policies regarding the storage, security and disposal of credit card data. It is expected that all employees adhere to these policies:
- NEVER e-mail credit card information.
- Only employees who have a legitimate business "need-to-know" should have access to cardholder information.
- Sanitize credit card numbers on any document where the complete number is visible.
- Black out the credit card number (first 12 digits) and then photocopy.
- Shred the original, retain the copy.
- Cut out/off and shred card information.
- Do not store credit card information online.
- Shred documentation containing credit card information when it is no longer needed for business or legal reasons.
- Lock computer terminals and paper storage areas when unattended.
- Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
- Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.
It is imperative that each University employee involved in receiving and/or processing credit card information be aware of this policy and adhere to it. If you have any questions or need further information, please contact Jessica Sabourin, Assistant Director of Student Account Operations, at 508-793-7721.
