Presentation on theme: "October 28, 2013. Who? What? When? Why? Comply with PCI compliance policies set forth by industry Create internal policies and procedures to protect."— Presentation transcript:
October 28, 2013
Who? What? When? Why?
Comply with PCI compliance policies set forth by industry Create internal policies and procedures to protect cardholder data Inform and train GVSU personnel who process cardholder data Perform annual review Report suspected or confirmed breach incidents
Compliance Documents Prohibited Practices: Storing CVV codes, pin numbers, track data or card numbers These must be destroyed immediately after processing. Sending credit card information via mobile or end-user messaging technologies ( , fax) Requesting for credit card information to be sent to GVSU street address Sending credit card information via intercampus mail
Prohibited Practices: Accepting/entering credit card information on GVSU website on behalf of a customer Using a laptop for entering credit card information Instructing customers to enter their own credit card information on a GVSU public computer Directly passing credit card fees to customers who pay via credit cards
Prohibited Practices: Using non-designated PCI compliant shredding devices or services Using non-designated PCI compliant hardware Most mobile terminal options, such as the Square that connects to the IPhone/IPad are NOT acceptable. Using non-approved third party service providers to process credit card transactions
So, then what is allowed?
Accepted Processing Procedures: Approved secure websites for ongoing, frequent processes Ben Rapin, Institutional Marketing, E-Commerce Request Form Approved secure terminal – wired or wireless Jennifer Schick, Accounting Business Office, Credit Card Processing Assistance Most mobile terminal options, such as the Square that connects to the IPhone/IPad are NOT acceptable.
Accepted Processing Procedures: Low volume options Take directly to cashier window on same business day. Must be taken by GVSU employee (not a student). See Credit Card Processing Assistance for Departmental Deposit Form.www.gvsu.edu/pci Can keep the last 4 digits of a card number for reference. Call one of the following offices, provide the FOAP where the money should be deposited, and transfer the call: for gift deposits (Gift Processing/Development Office) OR for other credit card payments (Student Accounts Hotline).
Accepted Processing Procedures: Dedicated PO Box for US Mail Approved PCI compliant shredders or shredding services Coordinate shredding services/bins through Kip Smalligan. Shredders must be cross-cut or diamond cut. Approved PCI compliant vendors If using or considering a third party service provider to accept credit cards, the vendor must be PCI compliant. Notify Sue Korzinek of process to allow for proper documentation to be acquired from third party vendor BEFORE signing a contract.
A scenario that works for many events: Set up online registration with Institutional Marketing. Prepare mailing and give registrants these options: Register online for credit card payments or Register via mail for check payments. For day of the event registrations, allow check payments or request the use of a loaner terminal to accept credit card payments.
Any new contract/relationship that relates to credit card payments MUST be approved by the PCI Committee. Contact Sue Korzinek and Jennifer Schick. WARNING: Just because a vendor or salesperson says that they are PCI Compliant, it does not mean that they are!
EMV – September 2015 EMV (Europay/MasterCard/Visa) /a.k.a Pin & Chip Instead of a magnetic stripe, EMV cards contain an embedded microprocessor. EMV chip technology reduces card fraud in a face- to-face card-present environment; provides global interoperability; and enables safer and smarter transactions across cards and contactless channels. – U.S. EMV Migration Efforts Continue Despite Debit Regulatory Challenges, 10/3/13
EMV – September 2015 As new credit card terminals are ordered or current terminals need to be replaced, GVSU will order terminals that are EMV capable. By September 2015, GVSU will order new EMV capable credit card terminals to replace terminals with the old technology.
Mobile technology Reminder: Most mobile terminal options, such as the Square that connects to the IPhone/IPad are NOT acceptable. Reminder: Using a laptop for entering credit card information is NOT acceptable. We are in the process of testing/evaluating new wireless/cellular terminals and a mobile payment bundle that would connect to an IPad.
Fees Reminder: At GVSU, departments are NOT allowed to directly passing credit card fees to customers who pay via credit cards. Recent headlines discussed changes in rules regarding surcharges/convenience fees. Few companies are actually proceeding down this path due to various hoops that they would need to jump through. Departments are able to set their rates for all forms of payment knowing that credit card processing fees are 2-3%.
Contact information: Sue Korzinek X12035 Jennifer Schick X12231