Data Retention and Disposal
Payment Card Equipment Disposal
Departments are required to contact Merchant Card Services for disposal of all equipment that processes, transmits, or stores payment card transactions.
Financial Record Card Sales and Card Data Retention
At this time, OBFS is performing a comprehensive analysis and revision of its policies regarding retention and disposal of financial transaction records for archiving state requirements. When this project is completed, the financial records retention policy will be updated to reflect the recommended requirements. In the meantime, the recommended approach is to keep all transaction records until the new guidelines have been released. If you have an immediate business need to review your existing department or college Records Disposal Authorization (RDA) form on file, please contact the University Archivist.
Merchant Card Services requires departments/units to follow best practices for PCI DSS card data security by keeping only the last four digits of the card number viewable on paper or in an electronic system. All but the last four digits of the card number should be removed from paper or electronic systems. The payment card’s full readable card number, expiration date, card security code, or personal identification number (PIN) should never be recorded or stored on any documentation or in an electronic system.
Reminders
Paper Order/Registration Forms containing the payment card information must be rendered unreadable once the transaction is complete. Marking out the card information with a china marker (grease pencil) is the preferred method. Alternatively, the form can be created to capture card information at the bottom of the form so that it can be removed and shredded for disposal.
The payment card transaction sales drafts, itemized receipts or invoices and forms should never retain the full card number, expiration date, or card security code. Card information written down after the transaction has been authorized must be shredded or made unreadable for disposal. Also, the cardholder's identifying information must be recorded elsewhere, other than on the sales draft where card information is printed.
Keeping cardholder information confidential is a service University customers will appreciate.
Additional Resource
If you have questions, please contact us and visit our Training Resources.
Last Updated: May 3, 2010