PAYMENT CARD ACCEPTANCE POLICIES - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

PAYMENT CARD ACCEPTANCE POLICIES

Description:

PAYMENT CARD ACCEPTANCE POLICIES. 1. 2. Payment Card Industry Data Security Standard (PCI DSS) ... is required, regardless of volume or method of acceptance ... – PowerPoint PPT presentation

Number of Views:112
Avg rating:3.0/5.0
Slides: 23
Provided by: administra56
Category:

less

Transcript and Presenter's Notes

Title: PAYMENT CARD ACCEPTANCE POLICIES


1
PAYMENT CARD ACCEPTANCE POLICIES
2
Payment Card Industry Data Security Standard (PCI
DSS)
  • Developed by Visa/MasterCard and has been adopted
    by other major payment card companies
  • Extensive set of guidelines that help keep
    customers payment card information safe

3
PCI DSS cont
  • Compliance with PCI DSS guidelines is required,
    regardless of volume or method of acceptance
  • Non-compliance, in the event of data exposure,
    may result in significant fines for the merchant
    of 500,000 and up
  • Each unit responsible for cost of being compliant
    and any costs resulting from a breach

4
Types of Payment Cards Accepted
  • Visa
  • MasterCard
  • American Express
  • Discover
  • Debit cards with Visa or MasterCard logo

5
Obtaining Credit Card Data (CHD)
  • Telephone
  • In-Person
  • Written
  • U.S. mail
  • Fax
  • Personal Delivery

6
Telephone Transactions
  • Accept only if person making payment is the
    cardholder
  • Suggestion
  • Cardholder faxes signed letter of approval to
    Extension office (Make sure there is NO credit
    card data on this just use approval and
    signature)
  • Enter data directly into system during phone
    conversation. Do not write down unless absolutely
    necessary.

7
In-Person
  • Accept payment card only if person making payment
    is the cardholder
  • Check photo ID
  • Cardholder (preferred) or employee enters data
    directly into online registration system

8
Written Document
  • Received by
  • U.S. mail
  • Fax
  • Personal delivery
  • Faxed information
  • Receive only on machine not networked to the
    internet
  • Machine cannot be connected to a cable phone
    line okay

9
Do Not Use Email
  • Do not request data via email
  • If receive unsolicited CHD via email
  • Strongly request user not communicate card data
    this way again
  • Suggest preferred way(s)
  • Delete message from your IN box
  • Delete your reply from your SENT box
  • Empty your trash

10
Purging CHD
  • Destroy hardcopy materials ASAP after data
    entered into system
  • Cross-cut-shred, incinerate or pulp so cardholder
    data cannot be reconstructed
  • Store in locked file until they are destroyed

11
Storage of CHD
  • Defined primarily as card and expiration date
  • Never store on desktop computers of servers
  • E.g. Excel, Word, scanned images of documents
  • Strictly forbidden to store
  • Track data from the magnetic stripe
  • Card Security Code
  • FYI Storage of only the last 4-digits is not
    storing

12
Reasons Not to Store CHD
  • No need for this information once payment
    processed
  • Avoid other detailed compliance requirements
  • Security risk and cost of breach
  • Forensic investigation 10,000
  • Onsite Audit 20,000
  • Penalties from Visa and MasterCard

13
Encrypt Transmission
  • Do not use wireless
  • Do not use email
  • Do not use networked fax
  • Okay via
  • US Mail
  • Non-networked fax
  • Over the phone
  • In person

14
Anti-virus
  • Install anti-virus software on all PCs used to
    access webCredit
  • Ensure that all anti-virus applications, tools,
    etc. are kept up-to-date

15
Restrict Access
  • Business need-to-know basis only
  • Select one person per office to handle credit
    card payments
  • CED signature to acknowledge employee
  • Restrict physical access to PCs and CHD
  • Lock office
  • Lock down PC (ctrl-alt-del)
  • Lock file cabinets if storing paper
  • Restrict access to fax if applicable

16
Unique ID
  • webCredit
  • Requires unique user ID do not share
  • Strong password rules (8-char, alpha-numeric)
  • Password change at least every 90 days (not same
    as last four used)
  • Lock-out after 3 unsuccessful attempts
  • Managed by unit
  • Revoke access for terminated users

17
Written PCI DSS Policy Adherence
  • Unit required to write own set of procedures
  • Must address all PCI DSS requirements
  • Must train employees at hire and at least
    annually
  • Must include procedures to review and update at
    least annually

18
Additional Staff Responsibilities
  • Awareness Training
  • Payment Card Security Form
  • Coordinator signature
  • CED signature
  • Background History Check
  • Required if have access to more than one card
    number at a time (e.g. if receive several at once
    in the mail)

19
Breach Reporting
  • Report suspected exposure or loss of data to MSU
    Controllers Office immediately
  • Non-compliance
  • Significant fines (up to 500,000 / card brand)
  • Each unit is responsible for the cost of being
    compliant and any costs resulting from breach

20
Web Sites of Interest
  • Payment Card Industry Security Standards Council
  • https//www.pcisecuritystandards.org/
  • University Policies and Procedures for Units that
    Accept Payment Cards
  • http//ctlr.msu.edu/COCashiers/Default.aspx
  • Managing Sensitive Data Initiative web site
  • http//lct.msu.edu/security

21
Contact Information
  • Business Office Practices
  • Mary Nelson, Controllers Office
  • 355-5023, ext 150 or nelsonm_at_ctlr.msu.edu
  • Questions about webCredit
  • 353-4420, ext 311 or webcredit_at_ais.msu.edu
    or
  • https//www.ais.msu.edu/webcredit_info/webcredit
    _intro.asp
  • Audit Concerns
  • Steve Kurncz or Mike Chandel
  • 355-5030 or kurncz_at_msu.edu or chandel_at_msu.edu

22
Questions?
Write a Comment
User Comments (0)
About PowerShow.com