Central Michigan University
Payroll and Travel Services

Merchant Account Manager
PCI DSS – What is it?
Cardholder Data vs Payment Data
Security Guidelines
Incident Response Plan
Upcoming Changes
Questions

All departments accepting credit card payments are required to designate someone as the Merchant Account Manager. They will be responsible for the following…

Responsibilities

You will be the main point of contact for all changes and updates
to credit card processing. You are responsible for sharing this
information with your dept.

You are responsible for reporting/requesting any changes to online
reporting access.

Keep an updated list of employees who have access to cardholder
data. This includes databases, filing cabinets, offices, etc.

Contact Treasury and Investment Services to eliminate the
merchant account if you no longer wish to accept credit cards.

Report any changes to your credit card process to Treasury and Investment Services.

Read, understand and follow the CMU Merchant Sites Security
Guidelines. Make sure that all employees involved in the
processing of credit card transactions do the same.

Recognize the importance of credit card security and make sure
that your department is processing transactions in a secure
manner. Educate other individuals in your department about the
importance of credit card security.

In the event of a credit card breach/compromise, you will be
responsible for reporting the issue to the CMU Security Incident
Response Team (CMU-SIRT). You will be responsible for assisting
with the investigation and resolving the incident. It is understood
that it is the department’s responsibility to cover any fines/fees
charged by the credit card companies for fraud related to
negligence.
Who in your department should be responsible for this?

ALL departments that accept credit cards
(regardless of the volume of payments processed
and the method used to process the payment) are
required to comply with Payment Card Industry
Data Security Standard (PCI DSS).
For more information about PCI DSS visit www.pcisecuritystandards.org
What is PCI Compliance?
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS) and Cardholder Information Security Program (CISP) with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.

All merchants will fall into one of the four merchant levels based on transaction volume over a 12-month period.
Merchant levels (MasterCard and Visa definitions and the validation each level requires; in the slide's notation M = thousand and MM = million). These are the thresholds the brands published when this deck was written; check the current Visa and MasterCard level definitions before relying on them.

Level 1
  MasterCard: more than 6 MM transactions per year regardless of channel, or hacked/attacked in the past, or otherwise identified by Visa/MasterCard
  Visa: more than 6 MM transactions per year regardless of channel, or hacked/attacked in the past, or otherwise identified by Visa/MasterCard
  Merchant requirements: Report on Compliance (ROC); quarterly scan showing no high vulnerabilities

Level 2
  MasterCard: any e-commerce merchant processing between 150M and 6 MM transactions per year
  Visa: any merchant processing 1 MM to 6 MM transactions per year
  Merchant requirements: PCI self-assessment questionnaire (all "Yes" or "N/A"); quarterly scan showing no high vulnerabilities

Level 3
  MasterCard: any e-commerce merchant processing between 20M and 150M transactions per year
  Visa: any e-commerce merchant processing between 20M and 1 MM transactions per year
  Merchant requirements: PCI self-assessment questionnaire (all "Yes" or "N/A"); quarterly scan showing no high vulnerabilities

Level 4
  MasterCard: all other merchants regardless of channel
  Visa: all other merchants regardless of channel
  Merchant requirements: compliance mandatory; validation optional

PCI compliance is required in order to accept credit cards.

We want to protect our customers.

A security breach/compromise of cardholder data has many consequences:
1. Regulatory notification requirements
2. Loss of reputation
3. Loss of customers
4. Potential financial liabilities (regulatory and other fees and fines)
5. Litigation
Build and Maintain a Secure Network
Requirement 1
Install and maintain a firewall configuration to protect cardholder
data
Requirement 2
Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect Cardholder Data
Requirement 3
Protect stored cardholder data
Requirement 4
Encrypt transmission of cardholder data across open, public
networks
Maintain a Vulnerability Management Program
Requirement 5
Use and regularly update anti-virus software
Requirement 6
Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7
Restrict access to cardholder data by business need-to-know
Requirement 8
Assign a unique ID to each person with computer access
Requirement 9
Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10
Track and monitor all access to network resources and cardholder
data
Requirement 11
Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12
Maintain a policy that addresses information security
CMU has already done many things to comply:
Many departments are using PCI approved service providers.
Other departments have changed their processes.
Providing credit card security awareness training.
Updated contracts to include PCI language.
Updated policies and procedures.
PROTECT CARDHOLDER DATA!!!

Every department that accepts credit card payments needs to evaluate their current credit card process and verify that they are doing everything possible to ensure the security of cardholder data.

Two truths about PCI Compliance
1. It is very possible that your costs for card acceptance will go up.
2. You may have to change the way you process payment cards.

Not all information related to a credit card transaction needs to be protected. There is cardholder data and payment data.
Payment data should be kept for auditing purposes.
Cardholder data should not be stored.

Payment data includes:
Cardholder name
Transaction date
Last 4 digits of the credit card number (a card number truncated to its last four digits is not cardholder data that PCI DSS requires you to protect)
Authorization code
Card type
Amount
This information should be stored for 3 years per the record retention schedule.
Cardholder Data – Should NOT be stored.

EuroPay MasterCard Visa (EMV) Technology or Chip and PIN
From October 2015, the card brands shift liability for counterfeit card-present fraud in the US to whichever party, merchant or card issuer, has not adopted EMV chip technology; a retailer taking payment with any of the major credit cards on a non-chip terminal therefore bears the loss from that fraud.
CMU Merchant Accounts that process card-present transactions must have EMV enabled devices.
▪ EMV enabled credit cards contain an embedded microchip that generates a unique cryptographic value (a cryptogram) for each transaction, so card data captured from one transaction cannot be replayed or used to produce a counterfeit card.
▪ Chip cards are either "dipped" into a terminal, with the cardholder entering the PIN (or signing, for chip-and-signature cards), or "tapped" on the terminal when both card and terminal support contactless (NFC) payments.
▪ Card validation using the chip, combined with PIN entry, provides stronger protection against the fraudulent use of lost, stolen or counterfeit cards than the magnetic stripe does.
NEVER store CVV2 data (the 3-digit code on the back of a card, or the 4-digit code on the front of an American Express card). PCI DSS does not permit storing this code after the transaction has been authorized, even in encrypted form.

If you have this stored somewhere – DESTROY IT.
If it is stored in old records, you need to go back and DESTROY IT.
In the event of a compromise, if you have this information, the severity of the compromise greatly increases.
*If your terminal asks for this code and you would rather not be responsible for it, let me know and we can have your terminal reprogrammed to not ask for this code.

Cardholder data –You do not need it, SO DON’T STORE IT.

Misconception - I need to keep the credit card number.
Process refund – There are other ways to do this.
▪ Ask the cardholder for their card number.
▪ You can get the credit card number off of the processor's online reporting website.
▪ If you are using an approved service provider's website, you do not need the cardholder data to process a refund.
▪ You can call the processor helpdesk for assistance.
Any other reasons you need cardholder data?
*Think about whether the storage of cardholder data and the business purpose it supports are worth the risk of having data compromised.
Take inventory of all the places you store cardholder data and destroy it, especially if you have the CVV2 (3 or 4 digit code).
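A worked example added here, not part of CMU's deck or its Merchant Sites Security Guidelines, for the inventory step above and for the payment-data list and receipt-truncation guidance elsewhere on this page: a Python scan that finds Luhn-valid card numbers (PANs) in an exported file or record dump, flags lines where a labelled CVV2 sits next to the card number, and reports only the last four digits so the scan output never becomes another copy of cardholder data; plus a function that reduces a full transaction to the six payment-data fields the retention schedule keeps. The file name, field names and spreadsheet rows are constructed for the example, and the card numbers in it are the public Visa and American Express test numbers, not real accounts.

```python
"""Cardholder-data discovery and payment-data retention (added example).

scan_text()         finds Luhn-valid card numbers in text and reports them MASKED.
to_payment_record() keeps only payment data (name, date, last 4, auth code,
                    card type, amount) and drops PAN, expiration date and CVV2.
"""
import re
from typing import List, NamedTuple

# Candidate PAN: 13 to 19 digits, optionally grouped by spaces or dashes,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3- or 4-digit security code labelled as such on the same line.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security ?code)\b\D{0,5}\d{3,4}", re.I)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the form receipts and records may retain."""
    return "*" * (len(digits) - 4) + digits[-4:]


class Finding(NamedTuple):
    source: str       # file or record set that was scanned
    line_no: int
    masked_pan: str   # never the full PAN
    has_cvv: bool     # a labelled CVV2/CVC2/CID sits on the same line


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan text for stored PANs; the Luhn check drops IDs and phone-like numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if not luhn_valid(digits):
                continue
            findings.append(Finding(source, line_no, mask_pan(digits),
                                    bool(CVV_RE.search(line))))
    return findings


def to_payment_record(txn: dict) -> dict:
    """Reduce a full transaction to the payment data that may be kept for 3 years.

    The PAN is truncated to its last four digits; the expiration date and CVV2
    are simply not copied. The field names are this example's own assumptions.
    """
    pan = re.sub(r"\D", "", txn["pan"])
    if not luhn_valid(pan):
        raise ValueError("pan fails the Luhn check")
    return {
        "cardholder_name": txn["cardholder_name"],
        "transaction_date": txn["transaction_date"],
        "last4": pan[-4:],
        "authorization_code": txn["authorization_code"],
        "card_type": txn["card_type"],
        "amount": txn["amount"],
    }


# Constructed spreadsheet export; one row also stored the CVV2 it should not have.
SAMPLE_EXPORT = """\
Name,Date,Card,Exp,Code,Auth,Amount
J. Doe,2014-03-02,4111 1111 1111 1111,09/16,CVV2 123,A1B2C3,45.00
R. Roe,2014-03-02,378282246310005,,,Q9Z8Y7,120.00
Note: student ID 1234567890123 added 2014-03-02
Typo row 4111-1111-1111-1112 fails the check digit and is not reported
"""

if __name__ == "__main__":
    for f in scan_text("dept_payments.csv", SAMPLE_EXPORT):
        flag = "  <-- CVV2 stored: destroy immediately" if f.has_cvv else ""
        print(f"{f.source}:{f.line_no}: PAN {f.masked_pan}{flag}")
```

Run it over every location on the inventory (shared drives, spreadsheets, mailbox exports, database dumps) and treat the hits as a triage list: the Luhn check accepts any 13- to 19-digit number with a valid check digit, so some hits will be other identifiers, but nothing real is missed that way. Because the report holds only masked numbers it can be shared with the Merchant Account Manager without itself becoming stored cardholder data.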

If you are a terminal merchant, accept cardholder data by telephone,
mail, or in person only, not through electronic mail.

All face-to-face transactions should have the payment card present and obtain a signature. Always verify that the card is valid and signed. Compare signatures and check for ID where possible and feasible. Never ask a chip and PIN cardholder for their PIN – it is confidential and they must enter it themselves.

When it is necessary to store cardholder data prior to processing the transaction, it must be stored in a "secure" environment.
▪ Secure environments include locked drawers, file cabinets, offices and safes.

All documentation containing cardholder data must be destroyed in a
manner that will render them unreadable (cross-cut shredded) after
the payment has been processed.
To see all Security Guidelines go to www.controller.cmich.edu.

Cardholder receipts generated from a point-of-sale terminal must
include only the last four digits of the account number. The
expiration date must be excluded.

Merchant receipts generated from a point-of-sale terminal must
exclude the card expiration date and should only have the last 4
digits of the account number. (beginning Oct 2008)

Transactions should be batched on a daily basis to get better rates
and to clear out credit card transactions.

Access to cardholder information should be limited to only those
individuals whose job requires such access.

Merchants are required, in good faith, to maintain a fair policy for the
exchange and return of merchandise and for resolving disputes over
merchandise and/or services purchased with a payment card. If a
transaction is for non-returnable, non-refundable merchandise, this must
be indicated on all copies of the sales draft before the cardholder signs it.
A copy of your return policy must be displayed in public view.

Merchants should not, under any circumstances, pay any card refund or
adjustment to a cardholder in cash. If cash is refunded and the
cardholder files a dispute your department will bear the loss of income
from the transaction.

Retain the payment data from all transactions and any original, signed
documentation in a secure location for a minimum of 3 years per record
retention guidelines.

Wherever possible, storage areas should be protected against
destruction or potential damage from physical hazards, like fire or floods.

Under no circumstances should cardholder data be entered and stored
on any computer database in the department unless it is part of a secure
system that has been approved by Treasury and Investment Services.

Cardholder data must remain in the department processing the
transaction. This information should never be distributed to another
department.

All cardholder data and payment information should be classified as
confidential. If it is necessary to send payment data to a third party it
should be done by a secured courier or other delivery method that can be
accurately tracked.

All employees involved in the processing of credit card transactions must
read, understand and follow the CMU Merchant Sites Security
Guidelines.

Duties within a department should be segregated so that one person
does not perform processing from the beginning to the end of a process.
For example, one employee should not be processing credit cards,
recording the revenue and reconciling the accounts.

Treasury and Investment Services must be contacted if you are disposing
of any credit card processing equipment. This includes terminals and
computers used to process transactions.
Questions?

Do not store cardholder data in student files.

Do not copy or distribute documents that have cardholder data on them.

If you are accepting cardholder data on a form, put the payment section at the bottom of the form. Once the payment is processed, cut the cardholder data off and destroy it (cross-cut shredded).

In the event that one or more credit cards have been compromised or appear to have been compromised, it is the responsibility of the department to inform the CMU Security Incident Response Team (CMU-SIRT) immediately.
▪ If you receive a call from your approved service provider regarding an actual or suspected breach, contact Treasury and Investment Services ASAP.

A compromise can include documentation with cardholder data as well as cardholder data located on computer systems.
1. Contain and limit your exposure and contact CMU-SIRT ASAP. Take the affected terminal or computer out of service and off the network, but do not power it off, wipe it or keep using it; that preserves the evidence a forensic investigation (step 5) needs.
2. An assessment of the situation will be made.
3. The CMU-SIRT will contact the appropriate parties (this includes our payment processor, CMU Police, the Associate VP of Financial Services and Reporting, Internal Audit, Public Relations and Marketing).
4. The Merchant Account Manager will need to be available for questions and will need to help complete the Incident Response Report.
5. Depending on the situation, a Forensic Investigation may be necessary.
6. Once the situation has been resolved, a meeting will be set up to go over your credit card process and changes may be made.

Assign a Merchant Account Manager for your department.

Train the other employees in your office who handle cardholder data on the importance of security.

Review your current credit card process and make the necessary changes to be secure.

Destroy cardholder data that is currently being stored.