May credit card information be submitted by email or fax?

Email

  1. No; University policy and credit card guidelines prohibit sending credit card information by email or accepting that information from someone outside the University.

    The Standard for Handling Cardholder Data states:

     "CHD must never be accepted or sent by email, unsecured fax, over main network connected fax machines, or by any electronic means including end-user messaging technology."

    The Payment Card Industry Data Security Standards (PCIDSS) (for more information, see the PCI SSC website), states in section 4.2:

    “Never send unprotected PANs (Primary Account Numbers) by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).”

Fax

  1. Faxing of cardholder information is not allowed unless preapproved by Merchant Services

  2. If you have a business need to fax cardholder information, email the Merchant Services Manager. 

NOTE:  For a fax request to be approved:

  1. The fax machine must be secure and operate via an analog line (not connected to the University network).
  2. The fax machine must be located in a locked room and accessible only by employees designated as those allowed to interface with cardholder data.

  3. Those employees must have completed the Merchant Training Requirements.

Reference:  Payment card processing requirements are further explained within the University Receipts and Deposits Standards.

Print Article