Credit Card Merchants - PowerPoint PPT Presentation

Slides: 31
Provided by: ziel

Transcript and Presenter's Notes

1
Welcome
  • Credit Card Merchants

2
Discussion Topics
  • PCI-DSS/Twelve Requirements
  • Credit Card Processing Guidelines
  • Required by Departments

3
Discussion Topics
  • Universities are at Risk/Compromises
  • Accomplishments
  • PCI Website

4
Discussion Topics
  • New Goals
  • Payment Application Best Practices (PABP)
  • Credit Card Fees

5
Discussion Topics
  • Omni 3750s
  • Reconciliation
  • Gramm-Leach-Bliley Act

6
What is PCI-DSS?
  • Payment Card Industry (PCI)
  • Data Security Standards (DSS) set up by Visa and
    MasterCard. (Visa Handout)
  • All credit card companies in the U.S. have
    endorsed the Standard.
  • Created so there would be common industry
    security requirements.

7
Why follow PCI Standards?
  • Protect customers against fraud and identity
    theft
  • Mandated by credit card companies: "If you
    accept our credit card, you must follow these
    rules."
  • For the University's protection, to avoid huge
    penalties and bad publicity

8
Twelve Requirements
  • Install and maintain a firewall configuration to
    protect cardholder data.
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters.

9
Twelve Requirements
  • Protect stored cardholder data
  • a. Keep cardholder data storage to a minimum
  • b. Do not store full track data,
    card-validation codes, PIN, expiration date
  • c. Mask number down to last four digits (keep
    merchant copy 18 months)
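
The masking rule on this slide (show only the last four digits) and the ban on storing track data can both be checked in code. The following is an added example, not part of the presentation or of ISU's own tooling: it masks a PAN the way a receipt or report should print it, and scans stored text (a log or export) for unmasked PANs and magnetic-stripe track fragments that should never have been kept. The sample log lines and the 4111... number are constructed test data; the Luhn check is used only to filter out phone numbers and order IDs that happen to be long digit runs.

```python
"""Mask PANs for receipts and scan stored text for unmasked cardholder data.

Added example (not from the presentation). Sample data below is
constructed; 4111111111111111 is a well-known test card number.
"""
import re

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Replace all but the last four digits of a PAN with 'X' (receipt format)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return "X" * (len(digits) - 4) + digits[-4:]

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track 1 ('%B<PAN>^NAME^...') or track 2 (';<PAN>=YYMM...').
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^|;\d{13,19}=\d{4}")

def find_cardholder_data(text: str) -> list:
    """Return (line_no, kind, masked_pan) for each unmasked PAN or track fragment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK_RE.finditer(line):
            pan = re.search(r"\d{13,19}", m.group()).group()
            findings.append((lineno, "track", mask_pan(pan)))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):   # drop phone numbers, order IDs, timestamps
                findings.append((lineno, "pan", mask_pan(digits)))
    return findings

# Constructed sample: one unmasked PAN, one properly masked PAN,
# one line of track 1 data, and one line of harmless long numbers.
SAMPLE_LOG = "\n".join([
    "2007-06-01 receipt card=4111111111111111 amount=42.00",
    "2007-06-01 receipt card=XXXXXXXXXXXX1111 amount=42.00",
    "2007-06-01 swipe %B4111111111111111^DOE/JOHN^0905101?",
    "2007-06-01 phone=3094383854 order=1234567890123",
])

if __name__ == "__main__":
    for lineno, kind, masked in find_cardholder_data(SAMPLE_LOG):
        print(f"line {lineno}: unmasked {kind} data ending in {masked[-4:]}")
```

Findings are reported with the PAN already masked so the scanner's own output does not become another place where full card numbers are stored. Lines 1 and 3 of the sample are flagged; the masked receipt line and the phone/order line are not.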

10
Twelve Requirements
  • Encrypt transmission of cardholder data across
    open, public networks.
  • Use and regularly update anti-virus software or
    programs.
  • Develop and maintain secure systems and
    applications (testing, documentation, back-up).

11
Twelve Requirements
  • Restrict access to cardholder data by business
    need-to-know.
  • Assign a unique ID to each person with computer
    access.
  • a. Delete old/inactive users
  • b. Passwords min 6-8 characters, mix of alpha
    case, numeric, and symbols
  • c. Limit repeated access attempts
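
The password and lockout sub-points on this slide are the parts of Requirement 8 that an application can enforce directly. The following added example (not from the presentation) checks a candidate password against the slide's mix-of-character-classes rule and counts failed access attempts per user ID, refusing further attempts once the limit is hit. The concrete numbers are assumptions: 8 characters (the top of the slide's 6-8 range), 6 attempts, and a 30-minute lockout. The `verify` callable stands in for whatever credential check the system already has.

```python
"""Password-policy check and repeated-attempt lockout.

Added example (not from the presentation). MIN_LENGTH, MAX_ATTEMPTS
and LOCKOUT_SECONDS are assumed values; the slide only says
"min 6-8 characters" and "limit repeated access attempts".
"""
import string
import time

MIN_LENGTH = 8              # assumption: upper end of the slide's 6-8 range
MAX_ATTEMPTS = 6            # assumption
LOCKOUT_SECONDS = 30 * 60   # assumption

def password_problems(pw: str) -> list:
    """Return the list of policy rules the password fails (empty = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems

class LoginGuard:
    """Counts failed attempts per user ID and locks the ID after MAX_ATTEMPTS."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so tests can control time
        self.failures = {}        # user -> timestamps of recent failures
        self.locked_until = {}    # user -> time the lock expires

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: clear state
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, verify) -> str:
        """verify() is the caller's credential check. Returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(user):
            return "locked"                 # refused even if the password is right
        if verify():
            self.failures.pop(user, None)   # success resets the failure count
            return "ok"
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

if __name__ == "__main__":
    print(password_problems("Passw0rdx"))   # missing a symbol
    guard = LoginGuard()
    for _ in range(MAX_ATTEMPTS):
        result = guard.attempt("alice", lambda: False)
    print(result)                           # 'locked' after the sixth failure
```

Note that a locked ID is refused even when the correct password is supplied, which is what stops an attempt-limit from being bypassed by simply continuing to guess; the lock clears on its own after the window, so the help desk is not needed for every expiry.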

12
Twelve Requirements
  • Restrict physical access to cardholder data
  • a. Visitors access monitored
  • b. Physically secure all data
  • c. Cross-cut or incinerate hardcopy
  • d. Destroy electronic media so cardholder data
    cannot be reconstructed

13
Twelve Requirements
  • Track and monitor all access to network
    resources and cardholder data
  • Regularly test security systems and processes

14
Twelve Requirements
  • Maintain a policy that addresses information
    security for employees and contractors
  • a. Security policy
  • b. Usage policies: NO WIRELESS
  • c. Approved products
  • d. Acknowledgement in writing
  • e. Background checks/screening

15
Credit Card Processing Guidelines (Handout)
  • Always changing
  • Retain merchant copy of receipt for 18 months for
    Global
  • Chuck Perkins replaced Don Cruise
  • Do not use Right Fax
  • Technical questions: call Systems Support at
    438-5740

16
Required of Departments
  • Pre-approval on all software purchases with
    credit card capabilities
  • Signature forms for all new employees
  • Yearly compliance questionnaire (on web)
  • Update Business Practices
  • Let PCI Committee know if anything changes
    (procedures, staff)

17
Universities Are At Risk
  • Eastern Illinois University had a desktop
    computer stolen on 1/26/07 with SSNs, birthdates
    and addresses of 1,400 currently enrolled
    students
  • Northwestern University laptop stolen on 5/20/07
    from Financial Aid Office with SSNs of an unknown
    number of students
  • Northwestern University confidential files
    available on-line on 6/1/07
  • Website: www.privacyrights.org/

18
Top Three Vulnerabilities
  • Storage of Track Data (and other sensitive data)
  • Missing or Outdated Security Patches
  • Vendor Supplied Default Settings and Passwords

19
College/University Breaches
  • Highest number of breaches: 68 since February
    2005 (36% of all breaches reported)
  • Open networks
  • Many merchants on one campus
  • Payment processes spread over large geographical
    area

20
Compromise/Breach
  • Suspected or confirmed security breach (credit
    card numbers have been compromised)
  • Contact the eCommerce Committee ASAP
  • Comptroller's Office will work with department to
    determine extent of the breach
  • Comptroller's Office may need to contact Visa,
    Local FBI, and U.S. Secret Service

21
ISU's Accomplishments
  • PCI Compliant as of August 2007!!
  • All departments completed questionnaire
  • Processes changed in some departments
  • Credit Card numbers removed
  • Yearly training
  • Signature forms
  • PCI Website

22
PCI Website
  • www.comptroller.ilstu.edu
  • A-Z listing (PCI Compliance)
  • PCI Committee Contact Information
  • University Policy, Procedures, Guidelines
  • PCI Signature Form
  • Registration for Credit Card Processing
  • Credit Card Processing Change/Termination Form
  • Omni Installation Information

23
New Goals
  • Continue to improve PCI Website (e-mail
    ecommerce@ilstu.edu for suggestions)
  • PABP Requirements (Payment Application Best
    Practices)
  • Lower Credit Card Fees
  • Update Omnis/Inventory of Omnis

24
PABP
  • Payment Application Best Practices: applies to
    software vendors
  • Don't store sensitive data (full magnetic stripe,
    CVC2, PIN)
  • Protect stored cardholder data
  • Provide secure password features
  • Software vendors must provide PABP Implementation
    Guide

25
Lower Credit Card Fees
  • Premium Credit Cards that offer Rewards
  • Business Visa/MasterCard
  • Debit Processed as Credit
  • Hand-entered transactions (phone or Internet) cost
    more than in-person transactions

26
Omni 3750s
  • Upgrade to only print last four digits on Summary
    Report, Customer Copy and Merchant Copy
  • Always settle before leaving office
  • Do Not allow anyone to inspect or remove unless
    you know who they are
  • Clean read heads (CardKleen Item RR1222)
  • Don't move from one merchant to another

27
Omni Hardware Info
  • Machines are under warranty for 30 days
  • Maintenance contract is $5/month
  • Repairs not cost effective
  • Price for new machines: $599
  • Ethernet / Dial-up

28
Reconciliation
  • Reconciling from Omni to deposits into Datatel
    accounts
  • Reports in Touchnet
  • Omni Settlement Report
  • Middle Tier (websites)

29
Gramm-Leach-Bliley Act
  • Safeguards Rule: secure customer records and
    information
  • Locking rooms and file cabinets
  • Changing passwords
  • Limited access to information

30
  • Questions?

Telephone: (309) 438-3854
E-mail: rlknapp@ilstu.edu