Skip to main content

PCI DSS Do's and Don'ts

What are my responsibilities?

There are a few key things you should do (and also not do!) to ensure you are compliant with PCI’s standards. This simple list of Do’s and Do Not's should get you started down the path of PCI compliance:

PCI compliance: DO
  • Change the default password on your computer to a complex password.
  • Supervise all visitors (including YOUR personnel) in areas where credit card information is maintained.
  • Ensure all cardholder data is unreadable during transmission.  In otherwords, strong encryption must be used for transmission.
  • Cross-cut shred handwritten credit card information immediately after use.
  • Store documents or media with credit card information in a locked drawer or filing cabinet accessible only by authorized personnel.
  • Report immediately to your supervisor and the Information Security Officer for your campus if you suspect credit card information has been lost, stolen, exposed, or otherwise misused.
  • Submit a quarterly scan report, completed by an Approved Scanning Vendor (also called an ASV).  DoIT and the Office of the Treasurer can facilitate your scan
  • Complete and maintain your PCI Merchant Manual to ensure PCI compliance.
  • Attend the university PCI training class upon hire and also annually. Contact the Office of the Treasurer for on-site training or to learn more about the University PCI training.
  • Maintain a copy of the PCI-specific policies and procedures commensurate with their merchant category.   
  • Contact UM PCI-DSS Core Team by email if you are making a change to your cardholder data environment.   
  • All merchants must have a current data flow diagram on file specific to their merchant environment. 
PCI compliance: DO NOT
  • NEVER physically write down any credit card information unless you are explicitly required to do so as part of your business processes.
  • NEVER acquire or disclose any cardholder’s credit card information without the cardholder’s consent, including but not limited to:
    • the partial sixteen (16) digit card number
    • the CVV/CVC (three or four digit validation code on the back of the card)
    • the PIN (personal identification number)
  • NEVER Transmit or accept any of the above cardholder information via e-mail, fax, scan (image now or other), or by end-user messaging technologies. 
  • NEVER store any sensitive authentication data on a University computer, server, or on paper, including:
    • The card’s storage chip or magnetic stripe
    • The CVV/CVC (the three or four digit validation code on the back of the card) post authorization
  • NEVER use an imprint machine to process credit card payments (unless you must as part of your business processes).
  • NEVER leave unsettled batches in terminals at the end of a business day. You set up auto-settle programming or ensure that batches are settled manually each night.
  • NEVER share the password to your computer or any computer you access.
  • NEVER leave sensitive information unattended on my desk, screen, or in any public area
PCI questions?

Contact John Layman of the Office of the Treasurer by email ( or by phone at 573/882-3318

Reviewed 2022-01-18