Payment Card Industry (PCI) Rules and Standards

Payment Card Industry (PCI) Rules and Standards Training for KSU Departments and Individuals Processing Transactions with Payment Cards

Introduction to PCI

Payment Card Industry (PCI) standards were designed to prevent credit card fraud and breaches of credit card information, and require that all aspects of the credit card processing transaction be secure. Payment card companies (such as Visa and MasterCard) can punish violators by revoking card processing privileges, fining the University (up to $500,000 per violation or incident), and requiring on-site compliance auditing by a certified external security auditor. In the event of a data security breach of cardholder data, the University would be liable for notification costs and cleanup (reimbursing cardholders for losses incurred). The University would also suffer a serious loss of consumer confidence in its ability to protect sensitive data.

Who Do the PCI Requirements Apply To?

Anyone involved in any part of processing credit card transactions must understand and follow the PCI requirements. The number of credit card transactions a department processes does not matter: even if you process only a handful of card transactions a year, the PCI requirements still have to be followed. We all share an interest in, and a responsibility for, protecting cardholder data at the university.

PCI Data Security Rules for Departments Taking Payment Cards

All Kansas State University departments that accept, process, store, or transmit payment card data must comply with the Payment Card Industry security standards to ensure the security of cardholder data processed by K-State. PCI standards apply to all types of payments, including in-person, mail, telephone, and web transactions. K-State's Policy and Procedures Manual (PPM) 6115 covers Credit Card Processing. K-State is committed to maintaining the security of customer information, including the payment card number, cardholder name, expiration date, and verification number, and follows best practices for protecting payment card information. The Division of Financial Services and the Office of Information Security & Compliance work with all departments to ensure compliance for all merchant IDs. Please note that the PCI data security rules change over time as new versions of the PCI Data Security Standard (PCI DSS) are released.

Methods to Accept Credit Cards

If proper procedures are followed, credit cards can be accepted via:
- Online storefronts: departments are required to work with the Office of Information Security and Compliance and the Division of Financial Services Systems to accept online credit card payments.
- In person.
- By phone: process the transaction while the customer is on the phone if possible. Otherwise, enter the cardholder data onto a designated form and shred the form once the transaction has been processed.
- By mail/fax: shred cardholder data once the transaction has been processed. Payments that cannot be processed immediately must be securely stored. The fax machine must be in a secured area where only department staff have access.

What is "Cardholder Data"?

All information from a payment card used in a transaction.

Cardholder data elements:
- Primary Account Number (PAN)
- Cardholder name
- Expiration date

Sensitive Authentication Data (SAD):
- Magnetic stripe data
- Card Validation Code (CVC)
- Personal identification number (PIN)

PCI Requirements

There are 12 specific requirements outlined by PCI. Some requirements are technical and some are policy/procedural.

Requirement 1: Install & Maintain a Firewall. Firewalls should be set up to control the flow of electronic traffic, both internal and external. All forms of traffic must be filtered through a firewall.

Requirement 2: Change Default Passwords. Devices and software generally come with vendor-supplied "default" passwords and settings. These passwords and settings are neither secret nor unique, and are well publicized in the hacker community. For this reason, these passwords MUST be changed from the default to more secure passwords, and should be changed before the devices are attached to K-State's network.

PCI Requirements (cont.)

Requirement 3: Protect Stored Cardholder Data. The University and all personnel handling cardholder data have a responsibility to protect the security of cardholder data, and the best way to protect sensitive data is to NOT STORE IT! The items that cannot be stored are:
- Full contents of the card's magnetic stripe or chip
- Card verification code
- Customer's personal identification number (PIN)

Payment card numbers: truncate the card number to the last four digits. All electronically stored sensitive cardholder data must be encrypted.

PCI Requirements (cont.)

Requirement 4: Encrypt Transmissions of Cardholder Data. Sensitive information must be encrypted prior to being transmitted over public networks. For example, never send or receive cardholder data in an email. Never transmit cardholder data over the wireless network; improperly secured wireless has been the entry point in many of the largest cardholder data breaches nationwide.

Requirement 5: Use and Regularly Update Anti-Virus Software. Anti-virus software must be installed and running on all systems at risk, and must be updated on a regular basis.

Requirement 6: Develop and Maintain Secure Systems and Applications. Install the latest software patches provided by your vendors. For in-house development, use secure coding techniques.

PCI Requirements (cont.)

Requirement 7: Restrict Access to Cardholder Data to Business Need-to-Know Personnel. The only people who should have access to cardholder data are those whose jobs require them to work with this data. All paper and electronic records containing payment card information must be stored securely.

Requirement 8: Assign a Unique ID. It is important that only authorized users have access to cardholder data and to the systems that interact with cardholder data. Each individual with computer access should be given a unique user ID, and account passwords should never be shared.

PCI Requirements (cont.)

Requirement 9: Restrict Physical Access to Cardholder Data. Access to the following should be restricted:
- File cabinets or other locations holding paper copies of cardholder data
- Network jacks and wireless access points
- Computers containing cardholder data
- Fax machines used to transmit cardholder data
- Servers housing cardholder data
- Cardholder data backup storage media

Cardholder data should always be deleted and/or destroyed when it is no longer needed.

PCI Requirements (cont.)

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data. Have tracking mechanisms in place and log all user activities. Logs should be reviewed daily and log history maintained for one year.

Requirement 11: Regularly Test Security Systems and Processes. Vulnerability scans should be run quarterly, and a thorough review of the network and applications conducted annually.

Requirement 12: Maintain a Policy that Addresses Information Security. K-State maintains the following PPM chapters dealing with information security:
- PPM 3433 Data Classification and Security Policy (http://www.k-state.edu/policies/ppm/3400/3433.html)
- PPM 3430 Security for Information, Computing and Network Resources (http://www.k-state.edu/policies/ppm/3400/3430.html)
- PPM 3415 Information Security Plan (http://www.k-state.edu/policies/ppm/3400/3415.html)

Credit Card Best Practices

- NEVER process a transaction with cardholder data from an email. Delete the email and empty your trash folder immediately. Send a NEW email to the sender (do not reply to or forward the original email) describing acceptable ways to make a payment.
- NEVER enter a credit card number into your personal work computer on behalf of a customer. If your department does not have a credit card terminal or a dedicated computer for taking payments, direct the customer to make the payment online.
- Write cardholder data only on designated forms.
- Store all documents containing cardholder data in a secure, locked area.
- Destroy cardholder data with a cross-cut shredder once there is no longer a business need for it.
- Only allow employees with a legitimate business need to access cardholder data.
- Document departmental procedures.
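The Requirement 3 rule (truncate stored card numbers to the last four digits) and the best practice above (never handle card numbers that arrive by email) can both be supported in code. The Python below is an added example, not part of the K-State training: it finds Luhn-valid card numbers in a block of text and masks all but the last four digits, the kind of check a mailbox or form scanner can run to flag and redact cardholder data. The sample text and the function names are constructed for this example.

```python
import re

# Constructed sample (not from the training): a form note and email body
# mixing two card numbers with phone, order and invoice numbers.
SAMPLE_TEXT = (
    "Order 20230915 for Jane Doe, card 4111 1111 1111 1111 exp 12/26, "
    "phone 785-555-0100, alt card 5500-0000-0000-0004, invoice 1234567890123456."
)

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Requirement 3 style truncation: keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card number; leave invoice-like numbers alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)
```

Numbers that look like PANs but fail the Luhn check (the invoice number in the sample) are left untouched, which keeps false positives down when scanning ordinary business text.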