Interpret the report from the scan

Questions to ask yourself, your supervisor, or department IT support...

Where did the file originate?

Desktop, file sharing, old institutional procedures? Make sure you are getting all sources of this data.

Who owns the data?

Based on the report, determine the location and ownership of affected files, and contact file owners. If file ownership cannot be ascertained, or the owner has left the University, consult with the department chair or administrator.

Do I need to keep this data?

If you question the retention of or need for the data, consult your department and controller officer.

Do I need to keep this data at this location?

Discuss the most secure storage options with department administration and IT support.

Am I practicing best practice security safeguarding for the ongoing sensitive data I retain?

This is a great time to re-evaluate business practices to ensure data is safeguarded. The Federal Trade Commission publishes a booklet, Protecting Personal Information: A Guide for Business, that outlines best practices for electronic and paper data. For physical copies, please contact the Card Office at 797-3852 and they can send you some.

How to Handle Digital Credit Card Information

PCI 2.0 specifically states that a customer's 16-digit credit card information must not be stored once processed. During the scanning process, you could potentially find 3 types of credit card information.

Customer's 16-digit credit card information, CVC or expiration date

This information CANNOT be retained and must be shredded using the Identity Finder shredding tool.

Your personal credit card information

You may discover your own personal information in temporary files or the web browser cache. This information should be shredded for your personal protection.

University Purchasing Credit Card information

This information can be retained, because we are the customer. It is recommended that you truncate the leading 5 digits, since they are always the same at USU. This information is considered confidential institutional data and should be managed as such.