Credit Card Processing and Security Policy
The purpose of this policy is to define the guidelines for accepting and processing credit cards
and storing personal cardholder information. The policy will help to ensure that cardholder
information supplied to The College of Saint Benedict is secure and protected. The College is
complying with credit card company requirements and the Payment Card Industry Data Security
This policy applies to all College of Saint Benedict employees. The policy pertains to all
departments that process, transmit, or handle cardholder information. The cardholder
information may be in a physical or an electronic format.
All transactions that the College processes must meet the standards outlined in the policy.
A. Electronic credit card numbers should not be transmitted or stored on a personal
computer or e-mail account. Electronic lists of customers’ credit card numbers should not
be retained. Credit card information should only be accepted online, by telephone, mail,
or in person. This information should not be accepted via e-mail and departments should
not e-mail credit card information.
B. Physical cardholder data must be locked in a secure area. Access should be limited to
individuals that require the use of the data. Access should also be restricted on a ‘need to
C. Only essential information should be stored. Do not store the Card Validation Code (also
known as the Security Digits, V Code, or CID). Do not store users’ PINs or the full data
from a card’s magnetic stripe.
D. Credit card information should only be retained for the time needed to process it or, if
retained for reconciliation, for a maximum of one year if necessary.
E. Credit card information, if it does not need to be retained, should be destroyed.
Information should be destroyed by shredding (cross-cut) immediately after processing,
or immediately after it no longer needs to be retained.
F. Credit card receipts may only show the