GVSU PCI Standards Powerpoint Presentation
October 28, 2013
GVSU PCI COMPLIANCE
(CREDIT CARD PAYMENT SECURITY STANDARDS)
GVSU PCI COMPLIANCE – THE BEGINNING
Who?
What?
When?
Why?
WHAT IS GVSU’S RESPONSIBILITY?
Comply with PCI compliance policies set forth by industry
Create internal policies and procedures to protect cardholder data
Inform and train GVSU personnel who process cardholder data
Perform annual review
Report suspected or confirmed breach incidents
GVSU PCI PROCESSING PROCEDURES
www.gvsu.edu/pci Compliance Documents
Prohibited Practices:
Storing CVV codes, PIN numbers, track data or card numbers
These must be destroyed immediately after processing.
Sending credit card information via mobile or end-user messaging technologies (email, fax)
Requesting that credit card information be sent to a GVSU street address
Sending credit card information via intercampus mail
GVSU PCI PROCESSING PROCEDURES
Prohibited Practices:
Accepting/entering credit card information on GVSU website on behalf of a customer
Using a laptop for entering credit card information
Instructing customers to enter their own credit card information on a GVSU public computer
Directly passing credit card fees to customers who pay via credit cards
GVSU PCI PROCESSING PROCEDURES
Prohibited Practices:
Using non-designated PCI compliant shredding devices or services
Using non-designated PCI compliant hardware
Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.
Using non-approved third party service providers to process credit card transactions
GVSU PCI PROCESSING PROCEDURES
So, then what is allowed?
GVSU PCI PROCESSING PROCEDURES
Accepted Processing Procedures:
Approved secure websites for ongoing, frequent processes
Ben Rapin, Institutional Marketing, 18014
www.gvsu.edu/webteam/ecommerce.htm E-Commerce Request Form
Approved secure terminal – wired or wireless
Jennifer Schick, Accounting Business Office, 12231
www.gvsu.edu/pci - Credit Card Processing Assistance
Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.
GVSU PCI PROCESSING PROCEDURES
Accepted Processing Procedures:
Low volume options
Take directly to cashier window on same business day.
Must be taken by GVSU employee (not a student).
See www.gvsu.edu/pci Credit Card Processing Assistance for Departmental Deposit Form.
Can keep the last 4 digits of a card number for reference.
Call one of the following offices, provide the FOAP where the money should be deposited, and transfer the call:
16806 for gift deposits (Gift Processing/Development Office) OR
12209 for other credit card payments (Student Accounts Hotline).
GVSU PCI PROCESSING PROCEDURES
Accepted Processing Procedures:
Dedicated PO Box for US Mail
Approved PCI compliant shredders or shredding services
Coordinate shredding services/bins through Kip Smalligan.
Shredders must be cross-cut or diamond cut.
Approved PCI compliant vendors
If using or considering a third party service provider to accept credit cards, the vendor must be PCI compliant.
Notify Sue Korzinek of process to allow for proper documentation to be acquired from third party vendor BEFORE signing a contract.
GVSU PCI PROCESSING PROCEDURES
A scenario that works for many events:
Set up online registration with Institutional Marketing.
Prepare mailing and give registrants these options:
Register online for credit card payments or
Register via mail for check payments.
For day of the event registrations, allow check payments or request the use of a loaner terminal to accept credit card payments.
CONSIDERING MAKING A CHANGE?
Any new contract/relationship that relates to credit card payments MUST be approved by the PCI Committee.
Contact Sue Korzinek and Jennifer Schick.
WARNING: Just because a vendor or salesperson says that they are PCI Compliant, it does not mean that they are!
SECURITY BREACH PROCESS
Notify immediately
Assess situation
Corrective measures
Prepare message
Evaluate processes for improvement
UPDATES
EMV – September 2015
EMV (Europay/MasterCard/Visa), a.k.a. Pin & Chip
Instead of a magnetic stripe, EMV cards contain an embedded microprocessor.
“EMV chip technology reduces card fraud in a face-to-face card-present environment; provides global interoperability; and enables safer and smarter transactions across cards and contactless channels.” – “U.S. EMV Migration Efforts Continue Despite Debit Regulatory Challenges”, www.cnbc.com 10/3/13
UPDATES
EMV – September 2015
As new credit card terminals are ordered or current terminals need to be replaced, GVSU will order terminals that are EMV capable.
By September 2015, GVSU will order new EMV capable credit card terminals to replace terminals with the old technology.
UPDATES
Mobile technology
Reminder: Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.
Reminder: Using a laptop for entering credit card information is NOT acceptable.
We are in the process of testing/evaluating new wireless/cellular terminals and a mobile payment bundle that would connect to an iPad.
UPDATES
Fees
Reminder: At GVSU, departments are NOT allowed to directly pass credit card fees to customers who pay via credit cards.
Recent headlines discussed changes in rules regarding surcharges/convenience fees.
Few companies are actually proceeding down this path due to various “hoops” that they would need to jump through.
Departments are able to set their rates for all forms of payment knowing that credit card processing fees are 2-3%.
QUESTIONS?
Contact information:
Sue Korzinek, X12035
Jennifer Schick, X12231