University of Illinois System
Policies & Procedures

21.2.3 Store Cardholder Data on Paper Securely

Policy Statement

Because storing cardholder data on paper increases the risk of a security breach, avoid doing so unless you have a strong business need.

Procedure

To store cardholder data on paper securely:

  1. If you believe you have a business need to store cardholder data, consult with Merchant Card Services to confirm your business need and determine the best method for storage.
  2. Follow these minimum PCI Standard requirements for any paper that contains card information:
  • Store all materials containing cardholder information in a locked file cabinet, safe, or other secure storage mechanism in a restricted/secure area.
  • Never store sensitive authentication data such as CVC2/CVV2/CID or PIN after the sale has been processed.
  • Limit access to sales drafts, reports, or other sources of cardholder data to employees on a need-to-know basis.
  • Make sure all identifying information is removed or redacted according to the guidelines in Keeping Merchant Card Records.
  • Show only the last four digits of the credit/debit card account number on printed receipts.
  • Conduct a periodic inventory of stored paper forms to account for all credit/debit transaction documents. When destroying paper forms that contain cardholder information, render them unreadable by incinerating or pulping them or by using a cross-cut shredder.
  • Do not store card information in any electronic system, including customer databases or spreadsheets.
  • Do not send card information on paper to a different physical location without using a secure courier service that will confirm safe delivery.

Related Policies and Procedures

10 Implement Internal Controls for Handling Cash and/or Checks
Keeping Merchant Card Records

Additional Resources

Redact in Definitions

Last Updated: April 13, 2012 | Approved: Senior Associate Vice President for Business and Finance | Effective: November 2008