Presentation is loading. Please wait.

Presentation is loading. Please wait.

Published byStephanie Bangs Modified over 10 years ago

Similar presentations

Presentation on theme: ""— Presentation transcript:

3 Credit Card Security Awareness
Central Michigan University Payroll and Travel Services Credit Card Security Awareness

4 Agenda Merchant Account Manager PCI DSS – What is it?
Cardholder Data vs Payment Data Security Guidelines Incident Response Plan Upcoming Changes Questions

5 Merchant Account Manager
All departments accepting credit card payments are required to designate someone as the Merchant Account Manager. They will be responsible for the following…

6 Merchant Account Manager
Responsibilities You will be the main point of contact for all changes and updates to credit card processing. You are responsible for sharing this information with your dept. You are responsible for reporting/requesting any changes to online reporting access. Keep an updated list of employees who have access to cardholder data. This includes databases, filing cabinets, offices, etc. Contact Payroll and Travel Services to eliminate the merchant account if you no longer wish to accept credit cards. Reporting any changes to your credit card process to Payroll and Travel Services.

7 Merchant Account Manager (cont.)
Read, understand and follow the Merchant Operating Guide as well as the CMU Merchant Sites Security Guidelines. Make sure that all employees involved in the processing of credit card transactions do the same. Recognize the importance of credit card security and make sure that your department is processing transactions in a secure manner. Educate other individuals in your department about the importance of credit card security. In the event of a credit card breach/compromise, you will be responsible for reporting the issue to Payroll and Travel Services. You will be responsible for assisting with the investigation and resolving the incident. It is understood that it is the department’s responsibility to cover any fines/fees charged by the credit card companies for fraud related to negligence. Who in your department should be responsible for this?

8 For more information about PCI DSS visit www.pcisecuritystandards.org
Credit Card Security ALL departments that accept credit cards (regardless of the volume of payments processed and the method used to process the payment) are required to comply with Payment Card Industry Data Security Standard (PCI DSS). For more information about PCI DSS visit

9 Payment Card Industry Data Security Standard – PCI DSS
What is PCI Compliance? The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. For more information about PCI DSS visit

10 PCI DSS Levels All merchants will fall into one of the four merchant levels based on transaction volume over a 12-month period.

11 Merchant Requirements
PCI DSS Levels Merchant Level MasterCard Visa Merchant Requirements Level 1 >6 MM trans. Regardless of channel, or Hacked/attacked in past, or Otherwise ID’d by V/MC Report on Compliance (ROC) Quarterly scan showing no high vulnerabilities Level 2 Any e-commerce merchant processing between 150M and 6MM transactions per year Any merchant processing 1MM to 6 MM transactions per year. PCI self-assessment questionnaire (all “Yes” or “N/A”) Level 3 Any e-commerce merchant processing between 20M and 150M transactions per year Any e-commerce merchant processing between 20M and 1MM transactions per year Level 4 All other merchants regardless of channel Compliance mandatory Validation Optional

12 Why is compliance so important?
It is required in order to accept credit cards. We want to protect our customers. A security breach/compromise of cardholder data has many consequences. 1. Regulatory notification requirements 2. Loss of reputation 3. Loss of customers 4. Potential financial liabilities (regulatory and other fees and fines) 5. Litigation For more information about PCI DSS visit

13 For more information about PCI DSS visit www.pcisecuritystandards.org
PCI DSS Requirements Build and Maintain a Secure Network Requirement 1 Install and maintain a firewall configuration to protect cardholder data Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3 Protect stored cardholder data Requirement 4 Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5 Use and regularly update anti-virus software Requirement 6 Develop and maintain secure systems and applications For more information about PCI DSS visit

14 PCI DSS Requirements cont.
Implement Strong Access Control Measures Requirement 7 Restrict access to cardholder data by business need-to-know Requirement 8 Assign a unique ID to each person with computer access Requirement 9 Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10 Track and monitor all access to network resources and cardholder data Requirement 11 Regularly test security systems and processes Maintain an Information Security Policy Requirement 12 Maintain a policy that addresses information security For more information about PCI DSS visit

15 PCI DSS Requirements cont.
If you are using a PCI Approved Service Provider Questionnaire A (11 Questions) Includes physical access and security policies If you are using a dialup terminal Questionnaire B (24 Questions) Protect stored data, “Need to know”, physical access and security policies If you are using an IP terminal or processing credit cards on CMUs network Questionnaire C or D (32 to 226 Questions) Must comply with all sections of the standard and complete Quarterly network scans For more information about PCI DSS visit

16 What needs to be done to comply?
CMU has already done many things to comply. Many departments are using PCI approved service providers. Other departments have changed their processes. Providing credit card security awareness training. Updated contracts to include PCI language. Updated policies and procedures. For more information about PCI DSS visit

17 For more information about PCI DSS visit www.pcisecuritystandards.org
What do I need to do? PROTECT CARDHOLDER DATA!!! Every department that accepts credit card payments needs to evaluate their current credit card process and verify that they are doing everything possible to ensure the security of cardholder data. Two truths about PCI Compliance It is very possible that your costs for card acceptance will go up. You may have to change the way you process payment cards. For more information about PCI DSS visit

18 What information needs to be protected?
Not all information related to a credit card transaction need to be protected. There is cardholder data and payment data. Payment data should be kept for auditing purposes. Cardholder data should not be stored.

19 Cardholder Data vs Payment Data
Payment data includes Cardholder name Transaction date Last 4 Digits of credit card number Authorization code Card type Amount This information should be stored for 3 years per the record retention schedule.

20 Cardholder Data vs Payment Data
Cardholder Data – Should NOT be stored.

21 CVV2 – 3 or 4 digit code NEVER store CVV2 data (3 or 4 digit code found on the back of a card) If you have this stored somewhere – DESTROY IT. If it is stored in old records, you need to go back and DESTORY IT. In the event of a compromise, if you have this information, the severity of the compromise greatly increases. *If your terminal asks for this code and you would rather not be responsible for it, let me know and we can have your terminal reprogrammed to not ask for this code.

22 Cardholder Data vs Payment Data
Cardholder data – You do not need it, SO DON’T STORE IT. Misconception - I need to keep the credit card number. Process refund – There are other ways to do this. Ask the cardholder for their card number. You can get the credit card number off of the processorsonline reporting website. If you are using an approved service providers website, you do not need to cardholder data to process a refund. You can call the processors helpdesk for assistance. Any other reasons you need cardholder data? *Think about whether the storage of cardholder data and the business purpose it supports are worth the risk of having data compromised.

23 Cardholder Data Take inventory of all the places you store cardholder data and destroy it especially if you have the CVV2 (3 or 4 digit code). *Exception – Terminal Merchants: if the full 16 digit card number is printed on the merchant receipts, you are allowed to store these in a secure location because the payment data is also included. FYI…We will be changing all CMU terminals to only print the last 4 digits in the next 2 months.

24 To see all Security Guidelines go to www.controller.cmich.edu.
If you are a terminal merchant, accept cardholder data by telephone, mail, or in person only, not through electronic mail. All face-to-face transactions should have the payment card present and obtain a signature. Always verify that the card is valid and signed. Compare signatures and check for ID where possible and feasible. When it is necessary to store cardholder data prior to processing the transaction, it must be stored in a “secure” environment. Secure environments include locked drawers, file cabinets, offices and safes. All documentation containing cardholder data must be destroyed in a manner that will render them unreadable (cross-cut shredded) after the payment has been processed. To see all Security Guidelines go to

25 To see all Security Guidelines go to www.controller.cmich.edu.
Cardholder receipts generated from a point-of-sale terminal must include only the last four digits of the account number. The expiration date must be excluded. Merchant receipts generated from a point-of-sale terminal must exclude the card expiration date and should only have the last 4 digits of the account number. (beginning Oct 2008) Transactions should be batched on a daily basis to get better rates and to clear out credit card transactions.  Access to cardholder information should be limited to only those individuals whose job requires such access. To see all Security Guidelines go to

26 To see all Security Guidelines go to www.controller.cmich.edu.
Merchants are required, in good faith, to maintain a fair policy for the exchange and return of merchandise and for resolving disputes over merchandise and/or services purchased with a payment card. If a transaction is for non-returnable, non-refundable merchandise, this must be indicated on all copies of the sales draft before the cardholder signs it. A copy of your return policy must be displayed in public view. Merchants should not, under any circumstances, pay any card refund or adjustment to a cardholder in cash.  If cash is refunded and the cardholder files a dispute your department will bear the loss of income from the transaction. Retain the payment data from all transactions and any original, signed documentation in a secure location for a minimum of 3 years per record retention guidelines. Wherever possible, storage areas should be protected against destruction or potential damage from physical hazards, like fire or floods. To see all Security Guidelines go to

27 To see all Security Guidelines go to www.controller.cmich.edu.
Under no circumstances should cardholder data be entered and stored on any computer database in the department unless it is part of a secure system that has been approved by Payroll and Travel Services. Cardholder data must remain in the department processing the transaction. This information should never be distributed to another department. All cardholder data and payment information should be classified as confidential. If it is necessary to send payment data to a third party it should be done by a secured courier or other delivery method that can be accurately tracked. To see all Security Guidelines go to

28 To see all Security Guidelines go to www.controller.cmich.edu.
All employees involved in the processing of credit card transactions must read, understand and follow the Merchant Operating Guide as well as the CMU Merchant Sites Security Guidelines. Duties within a department should be segregated so that one person does not perform processing from the beginning to the end of a process. For example, one employee should not be processing credit cards, recording the revenue and reconciling the accounts. Payroll and Travel Services must be contacted if you are disposing of any credit card processing equipment. This includes terminals and computers used to process transactions. Questions? To see all Security Guidelines go to

29 Additional Guidelines
Do not store cardholder data in student files. Do not copy or distribute documents that has cardholder data on it. If you are accepting cardholder data on a form, put the payment section at the bottom of the form. Once the payment is processed, cut the cardholder data off and destroy it (cross-cut shredded). To see all Security Guidelines go to

30 Incident Response Plan
In the event that one or more credit cards have been compromised or appear to have been compromised, it is the responsibility of the department to inform Payroll and Travel Services immediately. If you receive a call from your approved service provider regarding an actual or suspected breach, contact Payroll and Travel Services ASAP. A compromise can include documentation with cardholder data as well as cardholder data located on computer systems.

31 Incident Response Plan – Steps to be taken (Terminal Merchants)
Contain and limit your exposure and contact Payroll and Travel Services ASAP. An assessment of the situation will be made. Payroll and Travel Services will contact the appropriate parties (this includes our payment processor, CMU Police, the Associate VP of Financial Services and Reporting, Internal Audit, Public Relations and Marketing). The Merchant Account Manager will need to be available for questions and will need to help complete the Incident Response Report. Depending on the situation, a Forensic Investigation may be necessary. Once the situation has been resolved, a meeting will be set up to go over your credit card process and changes may be made.

32 What do I need to do… Assign a Merchant Account Manager for your department. Train other employees in your office that handle cardholder data the importance of security. Review your current credit card process and make necessary changes to be secure. Destroy cardholder data that is currently being stored.

33 Questions??? Helpful Websites CMU Merchant Services
Payment Card Industry Data Security Standard

Download ppt ""

Similar presentations

University of Minnesota

University of Minnesota
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
The Welsh Procurement Card at Aberystwyth University

The Welsh Procurement Card at Aberystwyth University
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,

Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,
P-Card User Guide Standard Profile July 2012 1 RCNJ-BOA Purchasing Card User Guide – Standard Profile Ramapo College and Bank of America VISA Procurement.

P-Card User Guide Standard Profile July RCNJ-BOA Purchasing Card User Guide – Standard Profile Ramapo College and Bank of America VISA Procurement.
JPMorgan Chase Purchasing Card Training

JPMorgan Chase Purchasing Card Training
Procurement Card Presented By: Denise Matias, CAH March 20, 2013.

Procurement Card Presented By: Denise Matias, CAH March 20, 2013.
October 28, 2013. Who? What? When? Why? Comply with PCI compliance policies set forth by industry Create internal policies and procedures to protect.

October 28, Who? What? When? Why? Comply with PCI compliance policies set forth by industry Create internal policies and procedures to protect.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
Cash Collection and Deposit Training Financial Services.

Cash Collection and Deposit Training Financial Services.
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Activity 1………….Why Do You Need A Bank? Activity 2………The Many Services of a Bank Activity 3…The ABCs of a Chequing Account Activity 4………Opening a Chequing.

Activity 1………….Why Do You Need A Bank? Activity 2………The Many Services of a Bank Activity 3…The ABCs of a Chequing Account Activity 4………Opening a Chequing.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
 Departmental Administrative Specialist should verify that the vendor is not an existing vendor using XK03 in IRIS.  All NEW vendors must complete the.

 Departmental Administrative Specialist should verify that the vendor is not an existing vendor using XK03 in IRIS.  All NEW vendors must complete the.
Don’t Lose the Lettuce Cash Handling Procedures Cash Handling Procedures “Don’t Lose the Lettuce” Pepperdine University Cashier’s.

Don’t Lose the Lettuce Cash Handling Procedures Cash Handling Procedures “Don’t Lose the Lettuce” Pepperdine University Cashier’s.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 12 - 1 The Impact of Information Technology on the Audit Process Chapter 12.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Impact of Information Technology on the Audit Process Chapter 12.
Accounting Information Systems 8e

Accounting Information Systems 8e
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

Similar presentations

Ads by Google