• No results found

UNIVERSITY CONTROLLER S OFFICE

N/A
N/A
Protected

Academic year: 2021

Share "UNIVERSITY CONTROLLER S OFFICE"

Copied!
42
0
0

Loading.... (view fulltext now)

Full text

(1)

UNIVERSITY CONTROLLER’S OFFICE

Payment Card Industry (PCI) Security Standards

Training Guide

(updated for 3.1 requirements)

(2)

Disclaimer:

The information in this guide is current as of the date of publishing. However, card acceptance, processing, and chargeback procedures are subject to change due to the ever changing demands of the Payment Card Industry. This guide contains information based on the current Payment Card Industry (PCI) Security Standards Council Operating Regulations. If there are any technical differences between the PCI Operating Regulations and this guide, the PCI Operating Regulations will prevail in every instance. The PCI Operating Regulations take precedence over this guide or any updates to its information. For further information about the rules or practices covered in this guide, contact Xxx xxxxx, Associate Controller, University Controller’s Office at xxx-xxx-xxxx.

Upon Course Completion:

When you are finished with all of the chapters in this course, don’t forget to complete the Online Quiz. The Quiz will cover the information learned throughout the course, and it serves as your proof of course completion. If you do not successfully complete the Quiz with a score of 100% you will not be given credit for completing the course. If you do not score 100% on your first attempt, do not be discouraged. You will be given as many chances as you need to successfully complete the quiz. If you have any questions or concerns regarding the Quiz or any other element of this course, contact Xxx xxxxx, Associate Controller at xxx-xxx-xxxx.

Notice: Throughout this course, the term “USF Employee” is expanded to include anyone working in a capacity for the University including:

- Administration - Staff - Faculty - OPS - Students - Volunteers

(3)

Course Benefits

Above all else, this course serves to provide you with the knowledge and skills necessary to ensure credit card security. It is important to recognize that everyone, not just the credit card companies, benefit from your effective application of credit card security measures:

Your Customers

• Appreciate your ability to reduce the threat of identity theft

• Trust you to complete transactions without creating duplicate or invalid charges • Enjoy peace of mind, knowing that their card is in good hands

Your Employer

• Takes pride in a skilled workforce

• Values your ability to build customer confidence

• Needs your help in limiting potential losses, fines & penalties

...and You!

• Show confidence in your ability to safely and efficiently do your job • Know that you can make informed decisions under pressure

• Can recognize key security features on valid cards • Are alert to the warning signs of fraud

Course Complete

You have now completed the reading portion of the PCI Security Program. However, in order to receive credit for this course, you must complete the Quiz. The Quiz will cover the information you have just learned, and it serves as your proof of course completion. If you do not successfully complete the Quiz with a score of 80% or better, you will not be given credit for the course. If you do not score 80% or better on your first attempt, do not be discouraged. You will be given a total of three chances to successfully complete the quiz.

(4)

Merchant Training

Payment Card Acceptance

Session 1

(5)

Learning Objectives

There are three parts to Merchant Training.

• The first section will provide basic terms and

definitions to better enable you to understand

PCI Compliance.

• The second section details the Security Policy

and PCI DSS Requirements that CSCC must meet

to accept Credit Card payments.

• The final section demonstrate the appropriate

way to accept payment cards in order to protect

both your business and your cardholders from

fraud.

The sessions should take approximately 15 minutes

each to complete.

(6)

Key Terms & Definitions

• Payment Cards – Credit Cards, Debit Cards, or

Purchasing Cards issued by a Financial

Institution.

• Merchant Account – An account, set up through

the Bank, which provides the ability to process

payment cards as payment for Goods and

Services rendered by the Account Holder (CSCC).

• Card Present Transactions – Transactions in

which the Cardholder presents the actual card to

the Merchant or processing. Usually swiped into

a terminal or register. A signature is obtained.

(7)

• Card Not-Present Transactions – Transactions in

which the cardholder gives his credit card

information to the Merchant over the phone or

sends their card information in the mail on a

designated form. A form may include a

signature. Generally, a signature is not obtained

in this type of transaction.

• E-Commerce – The ability to process payment

cards as payment for Goods or Services, through

a Merchant account using the internet. The

cardholder initiates the transactions from their

own computers. The Merchant does not handle

the cardholder data at any time during the

transaction.

• PCI-DSS - The payment card industry (PCI) Data

Security Standard (DSS) is a set of

comprehensive requirements for enhancing

payment card data security.

(8)

Cardholder Data =

• Primary Account Number (PAN).

• Cardholder Name when associated with the

PAN.

• The service code when associated with the PAN.

• Expiration Date when associated with the PAN.

• Sensitive Authentication Data =

• Full Magnetic Stripe Data (Can Never be Stored).

• CAV2/CVC2/CVVS/CID (Can never be Stored).

PIN or PIN Block (Can never be Stored).

(9)

Quiz

1. PCI stands for Payment Card Industry

o

True

o

False

2. DSS stands for Data Security Standards

o

True

o

False

3. Payment Cards are:

o

Credit Cards

o

Debit Cards

o

Purchasing Cards

o

Visa/ MasterCard/Discover/American Express

o

All of the Above

(10)

4. E- Commerce is:

o

Buying and selling on the internet.

o

The ability to process credit card payments on

the internet.

o

Both A & B

o

None of the above.

5. Credit Card Data Fields consist of:

o

Primary Account Number (PAN).

o

Sensitive Authentication Data.

o

Magnetic Stripe Data.

o

Pin

o

Expiration Date.

o

All of the Above.

(11)

PCI COMPLIANCE

Security Standards

Session 2

(12)

Who Must Comply?

• PCI applies to all CSCC locations accepting

electronic payments as legal tender. All CSCC

employees having access to cardholder

information, regardless of size, must comply

with the PCI Data Security Standards.

• As stated, if you have access to credit card

information as part of your job responsibilities

at CSCC, you are accountable for the security of

that information.

• Cardholder information should be disclosed only

for a required business purpose. It is the

employee’s responsibility to safeguard the

associated credit card data that is entrusted to

their care.

(13)

Why We Must Comply?

• Properly securing cardholder data is the

responsibility of EVERY Columbus State

Employee. It only takes a few extra seconds to

make a big difference.

• Lack of compliance to the PCI DSS, in a single

area of the College, could jeopardize the

College’s ability to accept payment Cards (Policy

9-12)

• Your support and cooperation is essential to the

College’s compliance.

• 12 Payment Card Industry Security Standards

• Each Goal Has Detailed Requirements

(14)

Build and Maintain a Secure

Network

1. Install and maintain a firewall configuration to

protect cardholder data.

2. Do not use vendor-supplied defaults for system

passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across

open, public networks.

• Never store sensitive authentication data after

authorization. Your terminals have already been

programmed by the bank for this purpose.

• Limit receipt storage amount and retention time

to that which is required by business, legal,

and/or regulatory purposes.

(15)

• Follow the College’s document disposal policy.

• Make sure all receipts & reports (Both yours and

the cardholders) have truncated card numbers …

only the last 4 digits of the card #.

Keep credit card machines out of sight and reach of

customers. When applicable, keep your computer

screen out of the line of sight of customers so they

cannot see card numbers as you enter them.

Maintain a Vulnerability

Management Program

5. Use and regularly update anti-virus software or

programs.

6. Develop and maintain secure systems and

applications.

(16)

Implement Strong Access

Control Measures

7.

Restrict access to cardholder data by business

need to know.

8. Assign a unique ID to each person with computer

access.

9. Restrict physical access to cardholder data.

• “Need to Know” means that access rights are

granted to only the least amount of data and

privileges needed to perform a job.

• Limit access to payment card processing

equipment and cardholder data to only those

individuals whose job requires such access.

• Each person with computer access should have

(17)

• DO NOT use vender-supplied default passwords

or share your password with others.

• Follow the College’s password guidelines by

using a password phrase, upper & lower case

letters, numbers, and special characters.

• Change your passwords on a regular basis.

• *** DO NOT STORE YOUR PASSWORDS IN A

NOTEBOOK, ON POST-IT NOTES, OR ANY OTHER

ACCESSIBLE MEANS!***

(18)

Regularly Monitor and Test

Networks

10. Track and monitor all access to network

resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information

Security Policy

12. Maintain a policy that addresses information

security for all personnel.

• A strong security policy sets the tone for the

whole company and informs employees (and all

relevant system users) what is expected of

(19)

• All system users should be made aware of the

sensitivity of data and their responsibilities for

protecting it.

• An incident response plan should be

implemented.

• The College has Payment Card Acceptance

policies and procedures, and Information

security policies which may be reviewed at the

end of this lesson.

(20)

Information Security Policy

• Columbus State Community College has written

policies and procedures effective June 1, 2011 :

9 – 12

• http://www.cscc.edu/about/policy

• Program Coordinator / Information Security

(21)

Quiz

1. All CSCC employees are responsible for the

security of Credit Card information.

o

True

o

False

2. For Security Reasons Passwords have to be:

Unique and individualized.

o

The vendor default.

o

Contain upper & lower case letters, numbers,

and special characters.

o

All of the above.

o

Both A and B

o

Both A and C

(22)

3. To Protect Credit Card Data you must:

o

Never store sensitive authentication data after

authorization.

o

Follow the College’s document disposal policy.

o

Make sure all receipts & reports have truncated

card numbers … only the last 4 digits of the card

#.

o

All of the above.

4. Maintain An Information Security Policy

o

Columbus State’s PCI Compliance Policy was

effective June 1, 2011.

o

Columbus State Policy # 9-12 is for PCI

Compliance.

o

Columbus State PCI Compliance Policy requires

annual Staff Training.

o

All of the above.

(23)

CREDIT CARDS

(24)

Card Present Transactions

• Swiping the card is the most secure method of

accepting payment cards.

• Hold onto the card while the card is authorized

and the receipt is signed.

• Compare signatures on the receipt and on the

back of the card. Make sure the embossed

name matches the signed name.

• If the signature panel on the card says “Please

See ID” the card is not valid. Ask for the ID and

ask the cardholder to sign the card in front of

you. Check the signature and pictures.

• All receipts must be kept in a secure/locked

location for 18 months with “Need to Know”

access. Receipts older than 18 months must be

shredded.

(25)

Card Not-Present Transactions

Phone/Mail Order:

• Enter all the information you are prompted for.

By doing so, you will be using security prompts

to make sure the person using the card is the

cardholder.

• It is best to keep the customer on the phone

while you run the transaction. If that is not

possible, you should get the customer’s phone

number in case the card is declined.

• Shred any paper that has card information on it

– especially the CVV/CVV2 code and full card

number. If you must keep the full card number,

make sure it is stored in a secured, locked

location with receipts, with “Need to Know”

access. Never keep the CVV/CVV2 code! (The

CVV code is the 3 digit security code on the

signature panel).

(26)

Refunds

Refunds must be issued to the same card

used in the original transaction.

Refunds must be issued using the same

mode of processing that was used for the

original transaction.

The refund amount may only be up to the

amount of the original transaction.

All refunds should be dual controlled, or in

other words, approved by a supervisor.

(27)

Parts of a Credit Card – Visa,

MasterCard, Discover

(28)
(29)

Avoiding Fraud

• Be Vigilant! Taking the few extra seconds to

match signatures and look at the card you are

accepting can save you time and money later.

• If the imprinted name on the card does not

match the signature on the back of the card or

the signed receipt, do not accept the card.

• DO NOT CALL THE PHONE # ON THE BACK OF

THE CARD FOR AUTHORIZATION. An

authorization is only valid if it is obtained

through the merchant services help desk or your

payment processing device.

• Train all staff that handle payment cards on

“Acceptance Best Practices” and your

department procedures. Repeat training often.

It’s easy for us to forget, or get lazy.

(30)

Incident Response Plan

• Despite our best efforts, it is possible for our

payment card systems to be breached or

compromised. Watch for …

• Multiple completed transactions or multiple

attempts to complete transactions by the SAME

Cardholder.

• Cardholders asking for refunds to be posted to a

different payment card.

• Your day to day card swiping equipment looks

different than usual, and cannot be confirmed as

replacement equipment from your verified

vendor.

• Cardholder documents displaying card numbers,

such as faxes, event registration, are not stored

securely or disposed of correctly

(31)

If you suspect a Data Breach

• Contact your supervisor immediately.

• Supervisor will contact the Information Security

Officer and Cashier and Student Accounting

Office IMMEDIATELY.

• DO NOT disable or turn off your system, unless

directed to do so by ISO.

• Your Department will be restored with the

ability to accept payment cards as soon as

possible

(32)

Contact Information

• College Information Security Web Page:

http://www.cscc.edu/about/infosec/index.shtm

l

• Douglas Rellick

(614)287-2290

[email protected]

Program Coordinator / Information Security

Officer (IT Support Services)

(33)

Quiz

1

. Important steps when handling a credit card:

o

Hold card while it is authorized and receipt

signed.

o

Compare signature on receipt to back of credit

card.

o

Swiping the card is the most secure method.

o

All of the above.

o

Only A & B

2. What type of transactions would be considered

‘Card Not Present’

o

Phone Payments

o

Web Payments

o

Mail Payments

o

All of the above

(34)

3. What are important items on the front of a Credit

Card?

o

Expiration Date

o

Compare the embossed number to the printed

number.

o

Hologram

o

Three Digit Security Code.

o

All of the Above.

o

A, B & C Only

4. What are the key ways to avoid Fraud?

o

Staff Training on security procedures.

o

Comparing names and signatures of cards and

receipts.

o

Do not call for authorizations, only valid if

received thru system process.

(35)

Glossary

Note: All definitions listed in this section are also available in the Course Glossary.

Account number

The 16-digit account number that appears in print on the front of all valid credit cards. The number is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid.

Address Verification Service (AVS)

AVS allows USF Merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement for that account) given by a customer with the billing address on the card issuer’s master file before shipping an order. AVS helps merchants minimize the risk of accepting fraudulent transactions in a card-not- present environment by indicating the result of the address comparison.

Authorization

The process by which a card issuer approves or declines a credit card purchase. Authorization occurs automatically when you swipe the magnetic stripe of a payment card through a card reader. See also: Voice Authorization Center.

“Call” or “Call Center” response

A response to a merchant’s authorization request indicating that the card issuer needs more information about the card or cardholder before a transaction can be approved; also called a referral response.

(36)

Card acceptance procedures

The procedures USF Merchants and Employees must follow at the point of sale to ensure a card and cardholder are valid.

Card expiration date

See Good Thru date.

Cardholder

The person to whom a credit card is issued.

Card-Not-Present

A merchant, market, or sales environment in which transactions are completed without a valid credit card or cardholder being present. Card-not-present is used to refer to mail order, telephone order, and Internet merchants and sales environments.

Card-Present

A merchant, market or sales environment in which transactions can be completed only if both a valid credit card and cardholder are present. Card-Present transactions include traditional retail—department and grocery stores, electronics stores, boutiques, etc.—cash disbursements, and self-service situations, such as gas stations and grocery stores, where cardholders use unattended payment devices.

Card security features

The alphanumeric, pictorial, and other design elements that appear on the front and back of all valid credit card and debit cards. Card-Present merchants must check these features when processing a transaction at the point of sale to ensure that a card is valid.

(37)

Card Verification Value 2 (CVV2)

A fraud prevention system used in card-not-present transactions to ensure that the card is valid. The CVV2 is the three-digit value that is printed on the back of credit cards. Card-not-present merchants ask the customer for the CVV2 and submit it as part of their authorization request. For information security purposes, merchants are prohibited from storing CVV2 data.

Cardholder Information Security Program (CISP)

A program that establishes data security standards, procedures, and tools for all entities— merchants, service providers, issuers, and merchant banks—that store cardholder account information. CISP compliance is mandatory.

Chargeback

A transaction that is returned as a financial liability to a merchant bank by a card issuer, usually because of a disputed transaction. The merchant bank may then return or “charge back” the transaction to the merchant.

Code 10 call

A call made to the merchant’s voice authorization center when the appearance of a card or the actions of a cardholder suggest the possibility of fraud. The term “Code 10” is used so calls can be made without arousing suspicion while the cardholder is present. Specially trained operators then provide assistance to point-of-sale staff on how to handle the transaction.

Copy request

A request by a card issuer to a merchant bank for a copy or facsimile of a sales receipt for a disputed transaction. Depending on where sales receipts are stored, the merchant bank either fulfills the copy request itself or forwards it to the merchant for fulfillment. A copy request is also known as a retrieval request.

(38)

Credit receipt

A receipt that documents a refund or price adjustment a merchant has made or is making to a cardholder’s account; also called credit voucher.

Disclosure

Merchants are required to inform cardholders about their policies for merchandise returns, service cancellations, and refunds. How this information is conveyed, or disclosed, varies for Card-Present and Card-Not-Present merchants, but in general, disclosure must occur before a cardholder signs a receipt to complete the transaction.

Firewall

A security tool that blocks access from the Internet to files on a merchant’s or third-party processor’s server and is used to ensure the safety of sensitive cardholder data stored on a server.

Good Thru date

The date after which a bankcard is no longer valid, embossed on the front of all valid credit cards. The Good Thru date is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid. See also: Card expiration date.

High-risk merchant

A merchant that is at a high risk for chargebacks due to the nature of its business. High-risk merchants include direct marketers, travel services, outbound telemarketers, inbound teleservices, and betting establishments.

Internet Protocol address

A unique number that is used to represent individual computers in a network. All computers on the Internet have a unique IP address that is used to route messages to the correct destination.

(39)

Key-entered transaction

A transaction that is manually keyed into a point-of-sale device.

Magnetic stripe

The magnetic stripe on the back of all credit cards is encoded with account information as specified in the Payment Card Industry Operating Regulations. The stripe is “read” when a card is swiped through a Point of Sale (POS) terminal. On a valid card, the account number on the magnetic stripe matches the account number on the front of the card.

Magnetic-stripe reader

The component of a point-of-sale device that electronically reads the information on a payment card’s magnetic stripe.

Mail order/telephone order (MO/TO)

A merchant, market, or sales environment in which mail or telephone sales are the primary or a major source of income. Such transactions are frequently charged to customers’ bankcard accounts. See also: Card-not-present.

Merchant agreement

The contract between a merchant and a merchant bank under which the merchant participates in a credit card company’s payment system, accepts credit cards for payment of goods and services, and agrees to abide by certain rules governing the acceptance and processing of credit card transactions. Merchant agreements may stipulate merchant liability with regard to chargebacks and may specify time frames within which merchants are to deposit transactions and respond to requests for information.

Merchant bank

A financial institution that enters into agreements with merchants to accept credit cards as payment for goods and services; also called acquirers or acquiring banks.

(40)

Merchant Chargeback Monitoring Program (MCMP)

A program that alerts merchant banks when one of their merchants has a chargeback-to- transaction rate of over one percent. Merchants then work with the bank to reduce their chargeback rates to acceptable levels. Failure to reduce chargebacks can result in fines for a merchant.

Payment gateway

A system that provides services to Internet merchants for the authorization and clearing of online credit card transactions.

Pick-up response

This response indicates that the card issuer would like the card to be confiscated from the customer. However, USF Employees should not attempt to pick up credit cards, even when the card issuer requests this action, as this could potentially cause confrontation and safety issues.

Point-of-sale terminal (POS terminal)

The electronic device used for authorizing and processing bankcard transactions at the point of sale.

Printed number

A four-digit number that is printed below the first four digits of the printed or embossed account number on valid credit cards. The four-digit printed number should be the same as the first four digits of the account number above it. The printed four-digit number is one of the card security features that merchants should check to ensure that a Card-Present transaction is valid.

(41)

Representment

A chargeback that is rejected and returned to a card issuer by a merchant bank on the merchant’s behalf. A chargeback may be re-presented, or redeposited, if the merchant or merchant bank can remedy the problem that led to the chargeback. To be valid, a representment must be in accordance with Payment Card Industry Operating Regulations.

Sales receipt

The paper or electronic record of a bankcard transaction that a merchant submits to a merchant bank for processing and payment. In most cases, paper drafts are now generated by a merchant’s POS terminal. When a merchant fills out a draft manually, it must include an imprint of the front of the card.

Skimming

The replication of account information encoded on the magnetic stripe of a valid card and its subsequent use for fraudulent transactions in which a valid authorization occurs. The account information is captured from a valid card and then re-encoded on a counterfeit card. The term “skimming” is also used to refer to any situation in which electronically transmitted or stored account data is replicated and then re-encoded on counterfeit cards or used in some other way for fraudulent transactions.

Split tender

The use of two forms of payment, or legal tender, for a single purchase. For example, when buying a big-ticket item, a cardholder might pay half by cash or check and then put the other half on his or her credit card. Individual merchants may set their own policies about whether or not to accept split-tender transactions.

Third-party processor

A non-member organization that performs transaction authorization and processing, account record keeping, and other day-to-day business and administrative functions for issuers and merchant banks.

(42)

Transaction

The act between a cardholder and merchant that results in the sale of goods or services.

Unsigned card

A seemingly valid credit card that has not been duly signed by the legitimate cardholder. Merchants cannot accept an unsigned card until the cardholder has signed it, and the signature has been checked against a valid, government-issued Photo ID, such as a driver’s license or passport.

An authorization obtained by telephoning a voice authorization center.

An operator-staffed center that handles telephone authorization requests from merchants who do not have electronic POS terminals or whose electronic terminals are temporarily not working, or for transactions where special assistance is required. Voice authorization centers also handle manual authorization requests and Code 10 calls.

Voice authorization center

Voice authorization

References

Related documents

The province will continue to accept credit cards as a form of payment, but the actual processing of card payments will be performed on a TD Merchant Services point of sale

Using these services, Defendant(s) Doe complete online merchant applications with credit card processors to open merchant accounts to process charges to consumers' credit and

The bank that provides merchant accounts to merchants, thereby giving the merchants the ability to accept credit cards...

The bank or financial institution that accepts credit and/or debit card payments for products or services on behalf of a merchant..

The contract between a merchant and a merchant bank under which the merchant participates in a credit card company’s payment system, accepts credit cards for payment of goods

Monthly transactions number Desired processing currencies Desired settlement currencies Desired descriptor (name to appear on card statement). Desired city field

A unique number issued by the acquiring bank to identify a merchant and the merchant's terminal(s) to a host computer in the credit card processing network. Merchant Service

MDR (Merchant Discount Rate) or Service Fees Distribution Merchant Acquiring Bank Merchant Acquiring Bank Card Issuing Bank Cardholder Merchant Card Scheme Payment Switch