Credit card information will not be stored electronically (CEO, email, etc.). Hard copy information will be kept only until transactions are complete and will then be cross-shredded.

Full PANs (Primary Account Numbers) shall not be sent in unencrypted e-mails, instant messaging, chat or any other end-user messaging technologies.

Card-validation codes (the 3- or 4-digit number printed on the front or back of a payment card used to verify card-not-present transactions) and PIN numbers will not be stored or maintained in any format.

Full PANs (Primary Account Numbers) will not be shown on computer screens, receipts, faxes, or paper reports. This data can be printed on the “merchant copy” of receipts only but should not be kept in hard copy or electronic form. When displayed or stored, the maximum number of digits allowed is the first six or the last four.

All hard copies of cardholder data received will be cross-shredded so that such data cannot be reconstructed.

A risk assessment will be completed annually to identify risks and vulnerabilities and shall be updated when the environment changes.

A list of all credit card service providers will be maintained by the Business Office.

A written agreement that acknowledges a service provider’s responsibility for the security of cardholder data will be received from all credit card service providers used by the District.

All credit card service providers will be evaluated by the Business Office to determine PCI DSS compliance.

Adopted: 9/16/10