Credit Card Handling Security Standards


Overview

This document is intended to provide guidance regarding the processing of charges and credits on credit and/or debit cards. These standards are intended to protect against exposure and possible theft of account and personal cardholder information that has been provided to the University of Scranton and ensure compliance with industry regulations.

Payment Card Industry Data Security Standards (PCI DSS)

The University and all departments that process credit or debit card information must comply with the Payment Card Industry Data Security Standards (PCI DSS). This includes the acquiring, accepting, capturing, storing, processing or transmitting of credit or debit card data, in both electronic and non-electronic formats. PCI DSS is a set of comprehensive requirements for enhancing credit card data security. The standards were developed by the PCI Security Standards Council, and a single violation of any of the requirements can trigger an overall non-compliant status. Each non-compliant incident may result in steep fines, suspension and revocation of card processing privileges. Although the primary focus of the PCI DSS is on web-based sales and processing credit card information via the Internet, there are other processes that allow systems to be Internet accessible which may expose cardholder information.

Scope

Any department, auxiliary organization, entity or individual that in any way accepts, captures, stores, processes or transmits credit or debit card information using campus information assets (both electronic and non-electronic), or uses third-party service providers to do so, is governed by this Information Security Standard.

Payment Methods, Hardware and Services

PCI DSS requires the merchant to inventory, document, and secure all payment methods used to process card transactions. In order to ensure PCI DSS compliance, all hardware, software, payment accessories (e.g. card swipe hardware, receipt printer), mobile applications, and related third-party services (e.g. payment processors) must be reviewed and authorized by the Information Security Office (ISO) prior to implementation. Any modifications to existing payment methods should also be reviewed.

Storing Credit and Debit Card Holder Data

Cardholder data is any personally identifiable data associated with a cardholder. This can be an account number, expiration date, name, address, social security number, or Card Verification Value (CVV or CVV2). Storage of cardholder data refers to both electronic (databases, spreadsheets, etc.) and non-electronic (faxes, imprint machine slips, handwritten forms, etc.) data. The best way to be in compliance with PCI DSS is by NOT storing cardholder data if there is no business need to do so.

Information Security Office (ISO) Responsibilities

1. ISO will coordinate organizational compliance and documentation.
2. ISO will advise organizations on appropriate documentation of compliance and procedures to ensure alignment with PCI DSS requirements.
3. ISO will maintain a central list of devices used for the processing of cardholder data. The ISO will periodically inspect devices for tampering.

Department Responsibilities

1. Each department which conducts credit card transactions under an assigned Merchant ID (MID) shall designate an individual to serve as the PCI DSS contact for the department, responsible for completing the requisite documentation and ensuring the department is compliant with PCI DSS.
2. The department contact shall compile and maintain a list of users in their department who interact with cardholder data. The department contact shall notify the ISO when changes to this list occur.
3. The department contact shall notify the ISO of any changes to hardware, software or services used to process cardholder data prior to the changes being implemented.
4. Communicate procedures to staff - The department head in units affected by this standard should communicate the department credit card security handling procedures to staff and ensure that the Credit Card Handlers and Processors Responsibilities section of this standard is followed by all personnel involved in credit card transactions.
5. Prevent unauthorized access to cardholder data and secure the data - The department head should establish procedures to prevent unauthorized access to cardholder data in physical or electronic form. Hard copy or media containing credit card information should be stored in a locked drawer or office, and password protection should be used on computers.
6. Restrict access based on a business need-to-know - Access to physical or electronic cardholder data should be restricted to individuals whose job requires access.
7. Assign a unique ID to each person with computer access - User names and passwords may not be shared.
8. Transmitting credit card information by e-mail or fax - Full or partial credit card numbers and three or four digit validation codes (usually on the back of credit cards) may not be faxed or e-mailed.
9. Never store electronically the CVV or CVV2 validation code, or the PIN - Departments must not store the three or four digit CVV or CVV2 validation code from the credit card or the personal identification number (PIN).
10. Background checks - Consistent with the University's new hire process, a background check is performed on all new hires. This practice has been in place prior to the development of these Credit Card Handling Security Standards. If adverse information is discovered through the background check process, the action taken will be directed by the background check policy and will be subject to the adverse action process. The decision to allow a new hire to begin employment, or an existing employee to continue employment, will be made in accordance with the University's background check policy. Individuals who were employed prior to the University adopting the mandatory background check policy are not required to have a background check retroactively. For the sake of establishing a cutoff date, all employees who began employment prior to the inception of this standard are not required to have a background check to work in areas where credit card processing is required.
11. Mask 12 of the 16 digits of the credit card number - Terminals and computers must mask all but the first 6 digits and/or the last 4 digits of the credit card number (masking all digits but the last 4 is standard practice on campus).
12. Using imprint machines - Imprint machines need special handling as they display the full 16 digit credit card number on the customer copy. Departments should not use imprint machines to process credit card payments unless personnel have been authorized to do so, and processes exist to securely store and dispose of the information.
13. Report security incidents to the Information Security Office - If staff or faculty know or suspect that credit card information has been exposed, stolen, or misused, this incident must be reported immediately to the Information Security Office. The report must not disclose credit card numbers, three or four digit validation codes, or PINs by fax or e-mail.
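As an added illustration of items 8 and 11 above (example code, not part of the University's standard), the following Python helper masks a card number the way item 11 describes (last 4 only, the campus practice, or first 6 plus last 4) and uses the same masking to flag and redact Luhn-valid card numbers in free text such as an e-mail body before it is stored or forwarded. The function names and the sample e-mail text are constructed for this example.

```python
import re

# Added example, not part of the University's standard. Helper names and
# the sample text are constructed for illustration.

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# that is not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out order numbers and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first6: bool = False) -> str:
    """Mask all but the last 4 digits (campus practice), or first 6 + last 4."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card-number length")
    head = digits[:6] if keep_first6 else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the masked form of every Luhn-valid card number found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def redact(text: str) -> str:
    """Replace Luhn-valid card numbers in text with their masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


# Constructed e-mail body: one Visa test number, one Amex test number, and a
# 13-digit order number that is not Luhn-valid and must not be flagged.
SAMPLE = (
    "Please charge 4111 1111 1111 1111 exp 12/26 for order 1234567890123.\n"
    "Backup card: 3782-822463-10005\n"
)
```

Running find_pans(SAMPLE) reports the two card numbers in masked form only, so the report itself can be sent to the ISO without violating item 13; redact(SAMPLE) returns the message with those numbers masked and the order number untouched.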

Credit Card Handlers and Processors Responsibilities

Staff or faculty with access to credit or debit card holder data must not:

1. Acquire or disclose any cardholder's credit card information without the cardholder's consent, including but not limited to the full or partial 16 digit credit card number, 3 or 4 digit validation code (usually on the back of credit cards), or PINs (personal identification numbers).
2. Transmit or request any credit card information by e-mail or fax. If someone e-mails their data, you should make them aware that, for their own safety, they should not do this again. The e-mail or fax should be destroyed as soon as possible.
3. Electronically store or record any credit card information in any electronic format (Excel files, databases, e-mail, etc.) unless you have been authorized to do so by your department head and the Information Security Office.
4. Request, record, or store any of the magnetic stripe data or the credit card confirmation code (3 digits on the back of many cards and 4 digits on the front of American Express).
5. Share a computer password if you have access to a computer with credit card information.

Staff or faculty with access to credit or debit card holder data should:

1. Change a vendor-supplied or default password if you have access to a computer with credit card information.
2. Password protect your computer if you have access to a computer with credit card information.
3. Store all non-electronic, physical documents, or storage media containing credit card information in a locked drawer, locked file cabinet, or locked office.
4. Store all electronic files containing credit card information on a secured server, or as encrypted or password protected files.
5. Report immediately a credit card security incident to your department head and the Information Security Office if you know or suspect credit card information has been exposed, stolen, or misused.
6. Destroy all media used for credit cards when retired from use. Properly shred all hard copies prior to disposal.

Acknowledgement Form - Credit Card Handlers and Processors

By my signature below, I acknowledge that I have read, have access to, and understand my responsibilities outlined by the Credit Card Handling Security Standard. I understand that it is my responsibility to abide by the requirements of the current policy, and any updates/revisions going forward. It is also my responsibility to report any known violations of this policy to my supervisor and the Information Security Officer. I understand that if I fail to follow, or report violations of, this standard in any form, I am subject to disciplinary action in accordance with the University's Discipline Policy and Procedures up to and including termination.

Employee Name (Print):
Employee Signature:
Date: