PCI and how it affects College Stores… ROBIN MAYO | PCIP ECOMMERCE MANAGER EAST CAROLINA UNIVERSITY.

Agenda
- What is PCI
- Accepting Payment Cards
- Securing and Segmenting
- Device Tampering
- Other PCI requirements
- What NOT to do
- What's New
- Q&A

PCI – Payment Card Industry
- Set of policies and standards created by the card brands to ensure the security of payment card data
- Merchants must adhere to PCI requirements and remain compliant, or their merchant status can be revoked
- Fines: up to $500,000 per card brand, plus all fraud losses, the cost of re-issuing cards, and consumer fraud-monitoring expenses

Accepting payment cards
- Prior to contracting with any vendor for software, hardware or services that involve credit/debit card payments, you should work with your campus to:
  - verify the vendor is PCI compliant
  - verify the software is PA-DSS compliant
  - verify the hardware is PCI compliant and compatible with your acquirer
  - document in your contract which requirements you and/or the vendor will be responsible for (PCI Req )
  - secure and segment the workstation/register; this includes networked printers used by your PCI workstations/registers

Securing and Segmenting
- Workstations, registers, computers, etc. that process, store or transmit cardholder data should be segmented from the rest of your network, behind your campus' PCI firewall
- Designated PCI workstations should:
  - Have only one purpose: the software that processes transactions; all other software/functionality should be removed from the workstation
  - Not have … or instant messaging
  - Not have internet access except what is needed to process transactions
  - Only be able to print to local printers (connected directly to the workstation) or to a networked printer that is also segmented within your PCI firewall
- Servers associated with your workstations/software should also be segmented
- Remote access to your PCI-designated servers or workstations must use two-factor authentication

Segmenting and Scope Example (network diagram; labelled elements: Registers, On-campus servers, Firewall, Internet – approved IPs only, PCI Firewall, Printers)

Device Tampering
- Train staff to inspect devices daily, or at the beginning of their shift, for tampering
- Inspection should include the following:
  - Verifying the device is in the appropriate location
  - Make/model are correct
  - Colors, labels, etc. are the same as usual
  - Verify stickers and labels on devices have not been compromised
  - Look for scratches or marks on the device
  - Cords/cables connected to the device are the same color/type as usual
- Also inspect the general vicinity for any unusual electronic devices, cameras or new displays

Device Tampering - examples

Other important PCI requirements
- Training: employees and volunteers who process transactions or handle cardholder information must be trained upon hire and annually
- Criminal background checks: should be completed for all staff who can access more than one card number at a time or who can affect the security of your cardholder data environment (for others it is good practice but not required)
- Terminated employees: immediately revoke physical and electronic access for employees who leave under bad circumstances, are suspended, or are under investigation; employees who leave on good terms should have their access revoked within a reasonable time frame
- Sensitive areas: control access to sensitive areas and limit access to as few employees as possible
- Passwords: should be a minimum of 7 characters and include both alphabetic and numeric characters

It is a good habit NOT to …
- … cardholder data
- … allow faxes with cardholder data to a copier/fax on the network (analog fax machines only are acceptable for PCI)
- … store full card numbers electronically
- … store full card numbers (hard copies) after processing unless you have a documented business need
- … process any payments or allow others to submit transactions on computers in your department unless it has been approved and those computers have been secured for PCI
- … process transactions on mobile/wireless devices (Wi-Fi is NOT always secure)
- … surplus/trash old credit card terminals/devices; your campus should have a method to have these destroyed securely
Note: the first and last 4 digits are safe to store electronically and in hard copy.
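The "do not store full card numbers" rule above, as an added example that is not part of the original presentation: a small Python scanner a department could run over its own exported files to find full card numbers that were stored by mistake, together with the first-4/last-4 truncation the slide says is safe to retain. It assumes that Luhn-valid digit runs of 13 to 19 digits are candidate PANs; the sample text and the card number in it are constructed (4111111111111111 is an industry test number, not a real account).

```python
import re

# Constructed sample text standing in for a department spreadsheet export.
# 4111111111111111 is an industry test number (not a real account); the other
# digit runs are a non-Luhn 16-digit string and a 10-digit phone number.
SAMPLE_TEXT = """Order 1042, card 4111 1111 1111 1111, exp 09/27
Order 1043, ref 1234567890123456
Call (252) 555-0100 for questions"""

# Digit runs of 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return each Luhn-valid candidate found in text, as digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def truncate_pan(pan: str) -> str:
    """Keep only the first 4 and last 4 digits, the form the slide says is safe."""
    digits = re.sub(r"\D", "", pan)
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


if __name__ == "__main__":
    # Report findings in truncated form so the report itself stores no full PAN.
    for pan in find_pans(SAMPLE_TEXT):
        print("full card number found in file:", truncate_pan(pan))
```

The phone number and the non-Luhn run are skipped, so the scanner reports only the one genuine candidate, and it prints it already truncated.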

What's changing…
- New requirements: PCI DSS v effective April 2015
- EMV chip cards: Oct 2015
- Contactless (NFC): Apple Pay
- P2PE: Point-to-Point Encryption

Questions???

Thank you Robin Mayo (252)