Payment Card Industry Information

Definition: Information related to credit, debit, or other payment cards.

Governing Authority: Payment Card Industry Data Security Standards (PCI-DSS).

Responsible Operating Unit: Bursar's Office.

Examples: Cardholder name, card account number, card expiration date, card verification number, and card security code.

Special Considerations: Credit or debit card numbers cannot be stored in any electronic format without the expressed written consent of the Bursar's Office. If your operating unit desires to begin accepting credit card payments, you must contact the Bursar's Office to arrange for a PCI Compliant environment, as you may not handle the transaction processing using individual operating unit computers.

List of IT Services & Tools

For the definition of terms related to the categories below, please reference the Glossary of Permission Levels.

Acceptable IT Services & Tools:

• None without consultation.

Consultation Required:

• All solutions intending to store payment card information require consultation from the Information Security Office and the Bursar's Office.

Not Permitted IT Services & Tools:

• Network accessed storage (shared.ohio, home.ohio)

• OneDrive/O365 Groups

• OnBase

• Blackboard

• OneDrive/O365 individual accounts

• PeopleSoft

• Personal cloud accounts

• Personal/Non-University owned devices

• Qualtrics

If you don't see the IT service or tool listed that you wish to use to store data classified as medium or high sensitivity, contact Information Security to determine if it's appropriate for your data type.