Data Retention and Disposal

Payment Card Equipment Disposal

Departments are required to contact Merchant Card Services for disposal of all equipment that processes, transmits, or stores payment card transactions.

Financial Record Card Sales and Card Data Retention

Our policy for retention and disposal of financial transaction records is posted in OBFS Policies and Procedures Section 21 - Keeping Merchant Card Records. This policy complies with the Records and Information Management Services (RIMS) policies and recommendations for retention and disposal of records. Contact RIMS for further clarification and answers.

We require units to follow best practices for PCI DSS card data security by keeping only the last four digits of any card number, whether on paper or in an electronic system. All but the last four digits of the card number should be removed from paper and electronic systems. A payment card’s full readable card number, expiration date, card security code, and personal identification number (PIN) should never be recorded or stored on any document or in an electronic system.

Reminders

Paper order/registration forms containing payment card information must be rendered unreadable once a transaction is complete. Marking out card information with a china marker (grease pencil) is the preferred method. Alternatively, use a form that captures card information at the bottom so that it can be removed and shredded for disposal.

Payment card transaction sales drafts, itemized receipts, or invoices and forms should never retain the full card number, expiration date, or card security code. Card information written down after a transaction has been authorized must be shredded or made unreadable for disposal. Also, a cardholder's identifying information must be recorded elsewhere, other than on the sales draft where card information is printed.

Keeping cardholder information confidential is a service that all customers appreciate.