Cardholder Data Collection and Processing
The University collects cardholder data for the exclusive purpose of processing card transactions, and procedures must be followed for the collection, processing, and disposal of cardholder data. For information on cardholder data retention, please see the Cardholder Data Retention Procedures.
Cardholder data may be collected on payment processor capture pages, such as Touchnet, as part of an E-Commerce payment flow. University websites may redirect to E-Commerce Committee sanctioned payment card capture pages and must be PCI-compliant. Vendor websites may redirect to E-Commerce Committee-sanctioned payment card capture pages or a vendor-managed payment card capture page; vendor websites for these purposes must be PCI-compliant.
University employees must only enter cardholder data into virtual terminals (PCI-compliant laptops and desktops) that are labeled for payment card use. Payment card virtual terminals shall only be networked to the University Payment Card (PCI) network while being utilized to collect cardholder data. The University does not provide non-employees with virtual terminals for the purpose of cardholder data collection or processing.
Payment card virtual terminals and their Sophos RED network devices must be physically secured when unattended by a University employee. Recommended methods for physically securing terminals include storage inside of a locked container or inside of a locked room.
Please visit the Requesting a Virtual Terminal page for more details on procuring new E-Commerce vendors.
Please visit the E-Commerce Contracts page for more details on procuring new E-Commerce vendors.
Please visit the Touchnet Payment Gateway page for more details on requesting or utilizing Touchnet.
Payment Card Terminals
Cardholder data may be collected via payment card terminals supplied by Payment Card Support. Terminals may be networked using analog phone lines, cellular towers, or Ethernet over the University Payment Card network. Transactions occurring on credit card terminals use an encrypted connection directly to the payment processor.
Payment card terminals shall only be used by University employees. Payment cards must be used by the person to whom the card is issued and must be signed. The allowed collection types in order of preference are NFC (contact-less), EMV chip (dip), magnetic stripe (swipe), and manual entry (card-not-present).
Payment card terminals and their Sophos RED network devices (if present) must be physically secured when unattended by a University employee. Recommended methods for physically securing terminals include storage inside of a locked container or inside of a locked room.
Other Allowed Collection Methods
The University may accept cardholder data via other collection methods including:
- Physical media, such as in the mail
- Verbally over an analog phone line where the analog line is the sole connectivity for the phone
- Verbally over a cellular phone line where the cellular phone line is the sole connectivity for the phone
Cardholder data obtained using a phone or physical media should be processed using a payment card terminal or virtual terminal.
Disallowed Collection and Processing Channels
Cardholder data may not be collected, transmitted, stored, or processed via:
- SMS (texting)
- Instant messaging technologies such as Teams, Jabber, Slack, or Facebook Messenger
- Ethernet or Wi-Fi connected phones, such as the University Cisco phone system
- Digital storage such as flash drives, hard drives, or cell phones
- An employee on a University-managed or -contracted website if the site is targeted towards University customers
- A non-employee user entering cardholder data on an employee computer
- Payment gateways, processors, or web sites not approved by the E-Commerce Committee including but not limited to Square, Venmo, or Paypal
- Ethernet-connected fax machines or network-connected virtual fax services such as Rightfax
- Any unencrypted service not explicity allowed
- Any allowed methods without following proper procedures
Physical Media Security
If circumstances dictate that ISU departments/personnel possess cardholder data on physical media, such as paper, the following rules apply to the collection, processing, and storage of physical media containing cardholder data:
- Cardholder data on physical media must not be left unattended, such as on a desk
- Unattended physical cardholder data must be secured in a locked room or container
- Physical media with cardholder data must be stored separate from other non-cardholder data media such that cardholder data can be easily identified, protected, and destroyed
- Physical cardholder data must not be moved off-campus without being supervised and in a secure container
- Cardholder data is not distributed to personnel without a business need to see or use such data