FAQs
What if cardholder data is sent to you unsolicited via email?
Immediately notify the customer that the University does not accept cardholder data via email and provide alternative methods of completing the transaction. If the email is sent back to the customer, any cardholder data must be deleted from the return message. Delete the email (permanent delete from the email store, deleted items, and recover deleted items) after the customer has been notified.
What cardholder data needs to be protected?
Account data or cardholder data that you need to protect includes—but is not limited to—the following:
card number, known as the Primary Account Number (PAN)
cardholder name
expiration date
customer’s payment address.
If your payment system involves swiping cards, you must also protect the data in the magnetic stripe and chip of credit and debit cards. Depending on your system, you may also receive card verification security codes (including CVV2, CID, CAV2, and CVC2). Those are the three- or four-digit codes that appear on the front or back of a card. These also must be treated as sensitive data. Cardholder data also includes the PINs or PIN blocks for debit card transactions.