E-Commerce
PCI DSS Account Data Standard
Last modified 1/8/2025
Purpose
The purpose of this standard is to establish secure and compliant guidelines for managing Payment Card Industry (PCI) account data ("account data")[3]. Account data is extremely sensitive and a prime target for attackers: processing it creates a significant, business-critical exposure, and compromised account data is easily monetized.
By implementing this standard, the University seeks to ensure compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and mitigate risks posed by utilizing Electronic Commerce (E-Commerce) transaction systems. This approach balances providing effective guidance for managing account data while allowing University units freedom to maintain individual processes and procedures.
Scope
This standard applies to all University departments that process or transmit account data, as well as the support teams that serve those departments. It applies exclusively to departments and support teams governed by the Payment Card Industry Data Security Standard.
Standard
Departments and support teams must maintain and follow documented processes and/or procedures to meet the following criteria:
- Departments and support teams must be compliant with the latest version of the PCI DSS SAQ P2PE and SAQ A Standards[6].
- Account data shall only be collected for the express purpose of processing card transactions.
- Account data may be collected and/or processed from customers via:
  - An E-Commerce Committee approved service provider card capture page, such as TouchNet.
  - An E-Commerce Committee approved payment processor, such as NCR (JetPay).
  - An E-Commerce Committee approved P2PE-compliant[1] device.
  - An E-Commerce Committee approved and PCI-compliant Interactive Voice Response (IVR) system.
  - An independent postal service, such as USPS (inbound collection only, not for transmitting outbound).
- Account data shall not be collected and/or processed via:
  - The campus physical mail system.
  - Any electronic mail (email) system.
  - Instant messaging technologies, such as Microsoft Teams or SMS (texting).
  - Network connected phones (VoIP), such as the campus phone system.
  - Personal or University cellular phones.
  - Physical or virtual fax services, such as RightFax or a fax machine.
  - Data transfer solutions (OneDrive, iCloud, Dropbox) or devices (removable storage drives).
  - Any payment gateways, processors, websites, or other service providers not approved by the E-Commerce Committee (e.g. Square, Venmo, Zelle).
  - An employee entering customer account data into a customer-facing web service on behalf of the customer.
  - Any allowed or approved method used without compliance with the relevant processes and procedures.
- Digital account data must not be stored on University systems post-transaction, including in media backups.
- Departments collecting physical account data (i.e. on paper) must meet the following criteria:
  - Departments must maintain an up-to-date list of pre-transaction account data storage locations ("inventory").
  - Physical media with account data must be stored separately from media without account data, such that account data can be easily identified, protected, and destroyed.
  - Physical media with account data must not be left unattended and unsecured, such as on a desk.
  - Physical media with account data must not be moved off-campus unless supervised and in a secure container.
  - Physical media with account data must not be sent via courier or other delivery services.
  - Account data must not be distributed to personnel without a business need.
  - Physical media with account data must be disposed of immediately post-transaction via cross-cut shredding.
- Departments must verify quarterly that all post-transaction account data has been securely rendered unrecoverable.
Exceptions
While this standard is intended to apply comprehensively, there may be instances where certain devices or support teams are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.
Requests for exceptions must be submitted to Payment Card Support[2] through the university’s ticketing system or by emailing paymentcardsupport@ilstu.edu. Each request must include:
- The information technology team and functional business units associated with the exception request
- Device or process/procedure identifiers affected by the exception
- A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented
Payment Card Support, Information Security Office, and the E-Commerce Committee will mutually review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.
Additional Information
Footnotes
The following footnotes are referenced in the other sections of this document:
1. Payment card industry (PCI) definitions are maintained by the PCI Security Standards Council (SSC) in the PCI SSC website Glossary, including Web Redirection Server, Payment Cards, Payment Card Industry Data Security Standard (PCI DSS), Point of Interaction (POI), Point-to-Point Encryption (P2PE), Self-Assessment Questionnaire (SAQ), and more.
2. Payment Card Support: The cross-functional support team for PCI DSS and payment card devices. You may contact a team member directly, submit a ticket to Payment Card Support, or email paymentcardsupport@ilstu.edu.
3. Account Data: Consists of cardholder data, sensitive authentication data, or both.
4. Cardholder Data (CHD): At a minimum consists of the full primary account number, but also includes the primary account number together with the cardholder name, service code, or expiration date.
5. Sensitive Authentication Data (SAD): Security-related information used to authenticate cardholders and/or authorize payment card transactions, such as magnetic stripe data, card security code, or PIN data.
6. SAQ: The PCI SSC reporting tool used to document self-assessment results from an entity’s PCI DSS assessment. The self-assessment documents are maintained by the PCI SSC.
Account Data Element Reference Chart
| Classification | Data Element | Digital Storage Pre-Transaction | Physical Storage Pre-Transaction | Storage Post-Transaction |
|---|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | No | Yes, if necessary | No |
| Cardholder Data | Cardholder Name | Yes, if necessary | Yes, if necessary | Yes, if necessary |
| Cardholder Data | Service Code (3-4 digit code in magnetic stripe) | No | Yes, if necessary | No |
| Cardholder Data | Expiration Date | Yes, if necessary | Yes, if necessary | Yes, if necessary |
| Sensitive Authentication Data | Full Track Data (Magnetic Stripe) | No | No | No |
| Sensitive Authentication Data | Card Security Code (CAV2/CVC2/CVV2/CID) | No | Yes, if necessary | No |
| Sensitive Authentication Data | PIN/PIN Block | No | No | No |
Supporting References
The following information provides supporting references that informed the development of this standard:
https://policy.illinoisstate.edu/technology/9-8/
https://policy.illinoisstate.edu/fiscal/cashier/7-5-2/
https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4-0-SAQ-A.pdf
https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4-0-SAQ-P2PE.pdf
https://www.pcisecuritystandards.org/glossary/
PCI DSS Guidance
Illinois State University complies with the PCI DSS framework to ensure our cybersecurity measures effectively meet compliance and mitigate risks associated with payment card processing. PCI DSS requirements relevant to this standard are documented here.
3.1.1 All security policies and operational procedures that are identified in Requirement 3 are documented, kept up to date, in use, and known to all affected parties.
3.2.1 Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:
- Coverage for all locations of stored account data.
- Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization.
- Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.
- Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification.
- Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.
- A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.
3.3.1.2 The card verification code is not retained upon completion of the authorization process.
9.4.1 All media with cardholder data is physically secured.
9.4.1.1 Offline media backups with cardholder data are stored in a secure location.
9.4.2 All media with cardholder data is classified in accordance with the sensitivity of the data.
9.4.3 Media with cardholder data sent outside the facility is secured as follows: Media is sent by secured courier or other delivery method that can be accurately tracked.
9.4.4 Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).
9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows: Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed. Materials are stored in secure storage containers prior to destruction.