Skip to Content

Credit Cards and Payment Card Industry (PCI) Compliance

The Golden Rules


  Pciture of golden ruler

  1. Thinking of taking credit cards or changing your current process? Contact U.Va. Payment Card Services first!
  2. Do NOT request or send any credit card information by email.
  3. If someone emails cardholder data to you, you should make them aware that we cannot process the transaction for their own security. Be sure to delete the cardholder data before responding and suggest an approved payment card processing method. Securely delete the email as soon as possible.
  4. Never record data in any electronic format (Excel files, databases, etc.) unless you have been authorized to do so by the University Comptroller and in compliance with University Policy IRM-015 - Electronic Storage of Highly Sensitive Data.
  5. Do not request, record, or store any of the magnetic stripe data or the credit card confirmation code (three digit on the back of many cards and 4 digits on the front of American Express. This is sometimes referred to as the "CVV 2" code).
  6. Please do not direct a payer to a specific computer or offer to enter payment card data into a hosted website on their behalf. Doing so could expose your computer and every computer connected to it to keylogging, hackers, etc. We want to make sure that our client's data is safe!


  7. Questions about the University of Virginia's Credit Cards and Payment Card Industry compliance?
    Contact U.Va. Payment Card Services at or view our staff listing.