Credit Card or Payment Card Industry (PCI) Information

Data Classification Level: Restricted

Key: Permission Levels

  • Permitted
  • Permitted with Information Assurance (IA) Consultation
  • Not Permitted

For IA consultation, please contact the ITS Service Center

Protecting sensitive data is a shared responsibility. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable.

Not Permitted

Data Type Description 

Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry Data Security Standard (PCI DSS) and overseen by the University of Michigan Treasurer's Office. Credit or debit card numbers cannot be stored in any electronic format without the expressed, written consent of the U-M Treasurer's Office. That office is responsible for the only PCI-compliant environment at the university.

If your unit wants to start accepting credit card payments, contact the University of Michigan Treasurer's Office to arrange for this. You cannot handle the transactions using departmental computers.

Restrictions listed here do not apply to your own personal credit card information. However, it is recommended that you follow the same precautions with regard to your own personal information as you would with university data.

Data Steward: University Treasurer: [email protected]

Examples 

  • Cardholder name
  • Credit/debit card account number
  • Credit/debit card expiration date
  • Credit/debit card verification number
  • Credit/debit card security code

Laws/Regulations/Policies 

PCI Security Standards Council

Additional Resources 

U-M PCI Resources (Treasurer's Office)
Using ITS PCI-Compliant Services: What U-M Merchants Need to Know
Payment Card Assurance (PCA) (Information and Technology Services)
Andrew File System (AFS): 
Not Permitted
Canvas: 
Not Permitted
Cloud Storage Included with Software: 
Not Permitted
Data Warehouse: 
Not Permitted
Desktop Backup (Powered by Code42): 
Not Permitted
MiDesktop: 
Not Permitted
Digital Signage: 
Not Permitted
Echo360 - Lecture Capture and LectureTools: 
Not Permitted
eResearch: 
Not Permitted
Globus: 
Not Permitted
Amazon Web Services GovCloud at U-M: 
Not Permitted
Amazon Web Services (AWS) at U-M: 
Not Permitted
Google Non-Core Services: 
Not Permitted
Google Drive at U-M: 
Not Permitted
Google Mail and Calendar at U-M: 
Not Permitted
Google at U-M Core Services: 
Not Permitted
MiDatabase: 
Not Permitted
MiServer: 
Not Permitted
MiShare: 
Not Permitted
MiStorage CIFS with AWS S3 Cloud Storage Integration: 
Not Permitted
MiStorage (NFS): 
Not Permitted
MiVideo: 
Not Permitted
MiWorkspace: 
Not Permitted
Personal Accounts: 
Not Permitted
Personally Owned Devices (phone, tablet, laptop, etc.): 
Not Permitted
Qualtrics: 
Not Permitted
ServiceNow at Michigan Medicine: 
Not Permitted
MiBackup: 
Not Permitted
Turbo Research Storage (NFS): 
Not Permitted
Turbo Research Storage (NFSv4+Kerberos or CIFS): 
Not Permitted
Michigan Medicine Exchange/Outlook Email and Calendar: 
Not Permitted
Document Imaging System: 
Not Permitted
E-signature Service - SignNow: 
Not Permitted
Piazza Q&A: 
Not Permitted
Gradescope: 
Not Permitted
Electronic Research Notebook at U-M: 
Not Permitted
Microsoft Azure at U-M: 
Not Permitted
Google Cloud Platform at U-M: 
Not Permitted
Perusall: 
Not Permitted
Secure Enclave Service (formerly Yottabyte Research Cloud): 
Not Permitted
Microsoft Office 365 at U-M: 
Not Permitted
Armis2: 
Not Permitted
Great Lakes Cluster: 
Not Permitted
Adobe Cloud Storage: 
Not Permitted
Zoom at U-M: 
Not Permitted
TeamDynamix at U-M: 
Not Permitted
Dropbox at U-M: 
Not Permitted
Virtru at U-M: 
Not Permitted
Microsoft Teams at U-M: 
Not Permitted
Denodo at U-M: 
Not Permitted
Slack at U-M: 
Not Permitted
Microsoft 365 at Michigan Medicine: 
Not Permitted
Lighthouse HPC Cluster: 
Not Permitted
MyDataHelps: 
Not Permitted
REDCap MICHR Academic License: 
Not Permitted
GitHub Enterprise SaaS: 
Not Permitted