Collection, Storage and Destruction of Credit Card Details Policy

Policy Statement

Monash University values the privacy of credit card information and is committed to protecting the credit card details it holds and uses.

This policy outlines how Monash University intends to collect, store and destroy credit card details.

Principles

The policy is based on the following principles:

• Monash University must take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure.
• It is a necessary condition for Monash University to provide credit card facilities to individuals for the payment of services and goods provided by Monash University.

Broad Overview

Monash University may consider the following matters when adopting reasonable steps to protect the credit card information it holds:

• The sensitivity of credit card details and an individual's expectations that this information will be protected from misuse and loss and from unauthorised access, modifications and disclosure;
• The harm likely to result if there is a breach of security; and
• The form in which the information is stored (eg on paper or electronically) processed and transmitted.

Application

All University staff.

Operative Date

Operative from first full pay period to commence on or after 18 May 2003

Policy Authorisation

Divisional Director, Human Resources Division

Policy Administrator

Director, Policy & Consultancy, Human Resources Division

Detailed Policy

1.0 Application of Policy

This policy is designed to deal with situations where a person provides details of their credit card to the university. The policy is also designed to ensure that Monash University will store and destroy credit card details in a manner which protects the credit card details from:

• misuse;
• loss;
• unauthorised access;
• unauthorised modification; and
• unauthorised disclosure.

2.0 Collection of Credit Card Details

Monash University is committed to ensuring that credit card details are collected in a secure manner. Monash University will take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure during collection by adopting the following practices:

• preventing individuals from providing credit card details in an email;
• ensuring that where credit card details are collected on-line, encryption in accordance with the University's IT Security Policy and IT Security Framework is included within the on-line web page, databases and other supporting programs;
• only collecting credit card details in an appropriate environment, for example not requesting credit card details verbally in a public waiting room; and
• ensuring that when credit card details are collected via facsimile, the facsimile is placed in a secure location.

3.0 Storage of Credit Card Details

3.1 Monash University is committed to ensuring that credit card details are held securely. Monash University will take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure by adopting the following practices:

• ensuring that credit card details are stored in a secure and protected manner such as locked filing cabinets;
• where possible, removing any credit card details from Monash University networked computers;
• ensuring that EFPTOS machines and other devices used to collect credit card details are stored securely, particularly when they are not in use (eg overnight);
• ensuring that appropriate staff only have access to credit card details; and
• ensuring information is transferred securely (for example, not transmitting credit card details via e-mail).

3.2 Credit card details may be stored in hard copy documents. If credit card details are stored as electronic data appropriate security measures must be utilised in accordance with the University's IT Security Policy and IT Security Framework. Some of the ways Monash University seeks to protect credit card details include the following:

• confidentiality requirements on the use of information by Monash University's employees;
• policies on document storage and security;
• security measures for access to Monash University's computer systems;
• controlling access to Monash University's premises;
• web site protection measures.

3.3 Credit Card details are required to be stored onsite or in an easily accessible location for 12 months for charge back purposes. After 12 months, credit card details may be moved offsite providing the credit card details are stored in a secure location.

3.4 Credit card details must be stored for the length of time prescribed by the Records Disposal Authority.

4.0 Destruction of Credit Card Details

Credit card details will be destroyed in a secure manner when they are no longer needed by Monash University. Examples of destruction in a secure manner include shredding, pulping or disintegration of paper files, fire, confidential disposal in accordance with any guidelines provided by Records & Archives, encryption or scrubbing of credit card number or contracting an authorised disposal company for secure disposal.

5.0 For Further Information

For further information about this policy please contact:

6.0 Obligations of Staff

If a staff member collects credit card details on Monash University's behalf, the staff member must meet the relevant requirements of this policy in relation to the storage of credit card details.

7.0 Disciplinary Action

Breach of this policy

If a staff member breaches this policy, depending on the circumstances it may be regarded as misconduct or poor performance and this may result in action being taken in accordance with the provisions set out in the Monash University enterprise agreement or, where applicable, the provisions of the relevant AWA Terms and Benefits Policy.

8.0 Change of Policy

Monash University may change this policy from time to time without prior notice.

Relevant Australian Legislation, Policies and Associated Documentation

9.0 Privacy

Legislation

10.0 Associated Policies and Legislation (including Guidelines & Procedures)

Associated Documentation

11.0 Further Information and Assistance

Adherence to this policy will generally ensure compliance with University requirements and relevant legislation. However, there may be instances where inadvertent breaches could occur. When in doubt users requiring assistance with interpretation of the policy, or who wish to report an incident, should contact: