You should carefully consider your business needs and develop policies on the following issues:
- Chargebacks: How will you handle complaints that a charge was not legitimate? What investigation, if any, will you do? Who needs to be notified?
  If you are experiencing frequent chargeback complaints or suspect fraud, contact Cash Management at 5-4397.
- Data Access: Very few people should have access to credit card data after the transaction has been authorized. Other authorized users should either see no card data at all or see a masked number with only the last 4 digits visible.
- Passwords: Ensure that any passwords protecting credit card data are different from your other passwords, are hard to guess, and are never written down and left unsecured. PCI also requires that passwords be changed periodically.
- Retention: Have a local data retention policy that determines how long you retain credit card information. Keep cardholder data storage to a minimum: limit the amount stored and the retention time to what is required for business, legal, and/or regulatory purposes, as documented in your data retention policy.
  - Electronic: Ideally, credit card numbers will not be stored locally in electronic form. If your business requires that you temporarily store credit card account numbers, they must be securely disposed of when they are no longer needed. It is permissible to retain the last four digits of the card number.
  - Paper: Federal and credit card association regulations require merchants to retain the original signed credit card merchant slip for 2 years. Slips should be kept locked on site for 2-3 months and then placed in archives for the remainder of the 2 years, after which they should be securely destroyed directly from the archives.
- Changes: Before making any changes to your technical architecture or business practices regarding credit cards, ensure that you will still comply with PCI data security requirements. Your change control process should include having TrustWave scan the new environment before it is placed into production.