Merchant services and supplies

Frequently asked questions

What is the Payment Card Industry Data Security Standard (PCI DSS)?

PCI DSS is the result of a collaboration of the major credit card associations to establish a single data security standard designed to protect sensitive cardholder information.

Who has to comply with PCI DSS?

Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.

What can happen if I am not in compliance with PCI DSS?

Non-compliance can result in fines and remedial efforts that could easily exceed $1 million. It can also risk exposing customers (students, faculty, staff and the general public) to fraud and identity theft. Breach of cardholder information can result in negative publicity and cause damage to ASU’s reputation. Non-compliance can also result in the loss of credit card and debit card acceptance privileges.

What is cardholder data?

Cardholder data is the full magnetic stripe or the primary account number (PAN) of a payment card belonging to a cardholder, along with any of the following data types: cardholder name, expiration date or service code (a three- or four-digit number coded onto the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe-read transaction).

Do I have to batch out my merchant terminal every day?

Yes, you must complete batch processing of all sales receipts at the end of each business day.

How should papers/printouts that contain cardholder data be handled?

Physical copies of payment card numbers should not be stored past authorization, unless a legitimate business need exists to maintain the information. Paper copies must be cross-cut shredded upon disposal. Never throw sensitive data in the trash.

May I create documents containing cardholder data on my computer?

No. Creating a document, even though it may not be saved on the computer, will create temporary copies of the cardholder data on the computer. Any paper document used for processing credit cards or handling cardholder data must remain in that form for creation, storage and transmission.

May I use my work computer to store, enter or transmit cardholder data for someone other than myself as a part of my ASU work?

No. ASU computers may not be used to store, enter or transmit cardholder data. Only University-approved, PCI-compliant hardware may be used for these tasks.

May I take cardholder data over the telephone for a campus service or event?

Yes, as long as the conversation is not being recorded or stored.

May I take cardholder data via email, text or chat (end user messaging) for a campus service or event?

No. Cardholder data should never be sent, received, or stored via end user messaging due to security concerns. If you have previously received payment card information via email, you will need to delete all messages containing credit card information from your inbox, sent folder, drafts folder, and any other folders that you may have created. Once that is done, empty your email trash, empty your web browser cache (temporary browser files), and empty your computer’s recycle bin or trash.

May I take cardholder data via U.S. Mail for a campus service or event?

Depending on the situation, this may be allowed. The payment must be processed immediately and documents must be disposed of using a cross-cut shredder.

My department needs a new online web form created to accept credit card numbers as payment for an event or service. What is the process to request this?

ASU maintains several payment options that support certain types of online credit card transactions. If you are interested in using one of these options, please contact

What is PCI compliance and how long is the PCI compliance certification valid?

PCI compliance is the adherence to a set of security standards that were developed to protect credit card information during and after a financial transaction. Although the PCI compliance certification is valid for one year from the date the certificate is issued, compliance is an ongoing and collective effort for all ASU departments. Ensuring that each department is aware of PCI policies and best practices for handling sensitive payment card information is essential for minimizing risks and obtaining compliance.