Purpose:  To ensure credit card information is collected and processed in a secure and timely manner.

Drake will honor the sensitivity of cardholder data and expectations that this information will be protected from misuse and loss and from unauthorized access, modifications and disclosure.

• Cardholder data is defined as any personally identifiable data associated with the cardholder in a credit card payment transaction. this could include an account number, expiration date, name, address, social security number, or card validation code.

Credit card information is to be received by appropriate staff only.

Hardcopy containing credit card information will be processed timely and destroyed in a secure manner immediately after processing. Credit card information received by mail should be locked in a secure location until the number can be processed and destroyed.

• Examples of destruction  in a secure manner include shredding, permanently blacking out, pulping, or disintegration of paper. 

Credit card information obtained via an onsite event must be processed at the event location via a method that does not require documenting the credit card number, eliminating the need to transport credit card information.

No electronic credit card numbers should be transmitted or stored in any personal computer, e-mail account, or server maintained outside of Drake OIT.

See Drake OIT administrative systems security policy for guidelines on systems processing.

Colleges and/or Schools or departments that wish to accept credit cards for events must have approval from Business and Finance before proceeding with event and/or communication regarding event Colleges/Schools and/or departments wishing to accept credit cards for events using web based credit card processing or other programs must have the approval of Business and Finance before proceeding with the involvement of OIT personnel to begin working on this process.