SDSU Campus Credit Card Policy

Collection 

  1. Collection of CHD (Card Holder Data) over the phone or through mail is discouraged, but permitted, if all other procedures are followed as set forth in this document.
  2. Collection of CHD using an electronic fax machines is discouraged, but permitted.
    1. The fax machine should be accessible to departmental staff only.
    2. Departments accepting CHD via fax cannot use the option that converts faxes to electronic documents.
  3. Collection of CHD through Email is NOT permitted 
    1. In the even that CHD is delivered via email.
      1. Notify ross.pirlet@sdstate.edu or john.martinez@sdstate.edu with the circumstances of the email: date, time, from address, to address and subject line - In the body, include the last four digits of the CC number involved; ie. XXXXXXXXXXXX1234.
      2. Permanently delete the email by highlighting the email and then doing a 'Shift + Delete' with confirmation (or delete the email and then empty your 'deleted items' folder).
      3. DO NOT process the credit card payment from the email.
      4. Contact the donor/customer directly via phone or email (do not reply to original email). Create a new email message, indicate that we CANNOT accept CHD via email and request the provide the number over the phone.

Access

  1. Access to credit card information should be limited to department employees on a 'need to know' basis.
  2. Custodian staff (or other unauthorized personnel) should have no access to CHD.
  3. All employees involved in collection, processing, storage or transmission of CHD are required to participate in PCI Awareness Training.
  4. Student Employees who handle the processing of more than one credit card transaction at a time (bulk) should have a background check conducted and participate in PCI Awareness Training.
  5. Transportation of CHD from one place to another for any reason:
    1. Should be limited to employees who have regular access to the CHD.
    2. Should be in a secure, locked bag.

Storage

  1. Electronic storage of credit card information is NOT PERMITTED under any circumstances