Credit Cards and Financial Account Information


Compliance is a must.

Credit card numbers and financial account numbers are protected by state law. In addition, as a condition of accepting credit card payments the University must meet the Payment Card Industry’s strict Data Security Standards (PCI DSS). The University’s Data Protection Standards explain what departments that collect, access, share, send, use or store this Restricted Use data like credit card and financial account numbers must do to ensure that it is safe and secure. The University’s PCI Policy explains what departments that accept credit card payments are required to do.

Failing to comply with these laws and policies has serious consequences.


PAGE CONTENTS:

The Basics
Consequences
Beyond the Basics
Still Have Questions?



The Basics

EVERYONE
  • DON’T accept credit card payments unless your department has been approved by the Cashier’s Office and you follow the Payment Card Industry (PCI) Policy.
  • DON’T request, access, use or store credit card or financial account numbers unless there is a legitimate business need to do so and your department has confirmed that it complies with the policies described above.
  • DO read the Data Protection Standards and be sure you understand how to secure sensitive information.
  • DO help minimize risk. Be on the lookout for University forms (paper or electronic), emails, or old files (electronic or paper) that contain financial account numbers. If it doesn’t seem necessary, say something. Ask your supervisor, Information Security or Compliance Services for help determining whether it is appropriate for financial account numbers to be in those places and, if not, how to safely and securely destroy the information.
  • DO report any suspected data breach to Information Security immediately.

DEPARTMENTS THAT ACCESS, USE OR STORE FINANCIAL ACCOUNT NUMBERS
  • DON’T store financial account numbers on unencrypted laptops, USB drives or other portable devices, or in cloud storage services like Dropbox or Google Drive that have not been approved by Information Security.
  • DON’T email or otherwise transmit financial account numbers electronically. If it’s absolutely necessary, contact Information Security to identify a secure way to do so. The University’s encrypted email system may be used to send sensitive information to individuals and organizations outside of the University.


Consequences

  • A data breach involving financial account numbers may lead to identity theft or stolen funds. You don’t want either of those to happen to you; you should do what you can to minimize the risk that it happens to others.
  • If there is a data breach that involves financial account numbers the University may be required to notify every individual whose information has been breached and may provide credit monitoring. In addition, the University may be required to notify state attorneys general and credit card companies about the breach. The department in which the breach occurs will participate in these efforts.
  • Regulators may impose fines or penalties and individuals who are harmed may file lawsuits.


Beyond the Basics

Want to know more? There are additional resources on the following important, related topics.


Still have questions?

Below you can find contact information and links to team sites.

Compliance Services

Email Compliance Services or call 617-358-8090 if you aren’t sure where to start, or for questions concerning compliance with laws or policies about credit cards and financial account numbers.


Cashier’s Office

Email the Cashier’s Office if you have questions about accepting credit cards and financial account numbers properly and securely.


Information Security

Information Security can help you keep data secure, reliable, and accessible. Report a data breach to the Information Security Breach Response Team.


Sourcing & Procurement

Sourcing can help you find the right vendor and make sure the vendor is as careful with sensitive data as we are.
