Fall 2015.  Comply with PCI compliance policies set forth by industry  Create internal policies and procedures to protect cardholder data  Inform and.

1 Fall 2015

2
• Comply with PCI compliance policies set forth by industry
• Create internal policies and procedures to protect cardholder data
• Inform and train GVSU personnel who process cardholder data
• Perform annual review
• Report suspected or confirmed breach incidents

3
• www.gvsu.edu/pci - Compliance Documents
• Prohibited Practices:
  • Storing CVV codes, PIN numbers, track data or card numbers (either electronically or on paper)
    • These must be destroyed immediately after processing.
  • Sending credit card information via mobile or end-user messaging technologies (email, fax)
  • Requesting that credit card information be sent to the GVSU street address
  • Sending credit card information via intercampus mail

4
• Prohibited Practices:
  • Accepting/entering credit card information on GVSU website on behalf of a customer
  • Using a laptop for entering credit card information
  • Instructing customers to enter their own credit card information on a GVSU public computer
  • Directly passing credit card fees to customers who pay via credit cards

5
• Prohibited Practices:
  • Using non-designated PCI compliant shredding devices or services
  • Using non-designated PCI compliant hardware
    • Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.
  • Using non-approved third party service providers to process credit card transactions

6
• So, then what is allowed?

7
• Accepted Processing Procedures:
  • Approved secure websites for ongoing, frequent processes
    • Ben Rapin, Institutional Marketing, 18014
    • www.gvsu.edu/webteam/ecommerce.htm - E-Commerce Request Form
  • Approved secure terminal – wired or wireless
    • Jennifer Schick, Accounting Business Office, 12231
    • www.gvsu.edu/pci - Credit Card Processing Assistance
    • Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.

8
• Accepted Processing Procedures:
  • Low volume options
    • Take directly to cashier window on same business day.
      • Must be taken by GVSU employee (not a student).
      • See www.gvsu.edu/pci Credit Card Processing Assistance for Departmental Deposit Form.
      • Can keep the last 4 digits of a card number for reference.
    • Call one of the following offices, provide the FOAP where the money should be deposited, and transfer the call:
      • 16806 for gift deposits (Gift Processing/Development Office) OR
      • 12209 for other credit card payments (Student Accounts Hotline).

9
• Accepted Processing Procedures:
  • Dedicated PO Box for US Mail
  • Approved PCI compliant shredders or shredding services
    • Coordinate shredding services/bins through Kip Smalligan.
    • Shredders must be cross-cut or diamond cut.
  • Approved PCI compliant vendors
    • If using or considering a third party service provider to accept credit cards, the vendor must be PCI compliant.
    • Notify Sue Korzinek of process to allow for proper documentation to be acquired from third party vendor BEFORE signing a contract.
    • Approvals can take up to 6 months

10
• A scenario that works for many events:
  • Set up online registration with Institutional Marketing.
  • Prepare mailing and give registrants these options:
    • Register online for credit card payments or
    • Register via mail for check payments.
  • For day of the event registrations, allow check payments or request the use of a loaner terminal to accept credit card payments.

11
• Any new contract/relationship that relates to credit card payments MUST be approved by the PCI Committee.
• New contracts must have approval of University Legal, Compliance and Risk Management Office
• Contact Sue Korzinek and Jennifer Schick.
• WARNING: Just because a vendor or salesperson says that they are PCI Compliant, it does not mean that they are!

12
• Notify immediately
• Assess situation
• Corrective measures
• Prepare message
• Evaluate processes for improvement

13
• EMV – October 2015
  • EMV (Europay/MasterCard/Visa), a.k.a. PIN & Chip
  • Instead of a magnetic stripe, EMV cards contain an embedded microprocessor.
  • “EMV chip technology reduces card fraud in a face-to-face card-present environment; provides global interoperability; and enables safer and smarter transactions across cards and contactless channels.” – “U.S. EMV Migration Efforts Continue Despite Debit Regulatory Challenges”, www.cnbc.com, 10/3/13

14
• EMV – October 2015
  • GVSU has ordered new EMV capable credit card terminals to replace terminals with the old technology.

15
• Mobile technology
  • Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.
  • Vantiv Mobile Checkout and Vantiv Mobile Accept are compliant options. Contact Jennifer Schick to learn more.
  • Using a laptop for entering credit card information is NOT acceptable.

16
• Terminal Security New Requirements
  • See new Terminal daily/monthly/annual checklists

17
• Fees
  • Reminder: At GVSU, departments are NOT allowed to directly pass credit card fees to customers who pay via credit cards.
  • Recent headlines discussed changes in rules regarding surcharges/convenience fees.
  • Few companies are actually proceeding down this path due to various “hoops” that they would need to jump through.
  • Departments are able to set their rates for all forms of payment knowing that credit card processing fees are 2-3%.

18
Contact information:
• Sue Korzinek X12035
• Jennifer Schick X12231

