Dickinson State University Credit Card Policy
Credit card information must be received, processed, and stored in compliance with Purchasing Card Industry (PCI) standards. Credit card information may be accepted online through the use of Touchnet Payment Gateway, MarketPlace Suite, and MBS Insight, by telephone, or in person. If accepted by telephone, any credit card information written on office stationary must be destroyed by cross-cut shredding as soon as possible after the transaction has been processed. Credit card numbers may be accepted through the mail; however credit card information obtained by unauthorized persons because of lost or stolen mail will not be the responsibility of the university, and therefore discouraged as a method of transfer. Credit card information shall not be obtained through email nor stored on any DSU computer as the DSU network is open without a firewall and not in compliance with PCI standards. Cardholder data held overnight shall be stored in a locked secure area. Access should be limited to individuals that require use of the area and on a â€œneed to know basisâ€?. Once the cardholder data is processed, it should be destroyed using cross-cut shredding. Credit card information should only be retained for the time needed to process the transaction. Credit card receipts may only show the last four digits of the credit card number. If receipts show more than the last four digits, the receipts must be shredded or retained in a locked secure area. Credit card voids and/or credits processed in the Business Office must be approved by the Controller or Vice President for Business Affairs; voids and/or credits processed in the University Store will be approved by the University Store Manager.
Approved - 12/3/2009