PCI Data Security. Information Services & Cash Management. Contents

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "PCI Data Security. Information Services & Cash Management. Contents"

Transcription

1 PCI Data Security Information Services & Cash Management This self-directed learning module contains information you are expected to know to protect yourself, our patients, and our guests. Target Audience: All Teammates Contents Instructions... 2 Learning Objectives... 2 Module Content... 3 Job Aid... 6 Posttest Page 1 of 11

2 Instructions: The material in this module is an introduction to important general information and procedures to ensure data security, a requirement of the Payment Card Industry Data Security Standards (PCI-DSS). After completing this module, contact your supervisor to obtain additional information specific to your department. Read this module. If you have any questions about the material, ask your supervisor. Complete the online posttest at the end of this module. If a printed version of the test is taken, you must provide the results to your supervisor upon completion. The Job Aid on page 6 is relevant to individuals that are involved in the receipt and handling of cardholder data and may be customized to fit your department and then used as a quick reference guide. Learning Objectives: When you finish this module, you will be able to: Understand the importance of data security Understand your responsibilities as they relate to data security Identify key elements of the data security program Describe ways that you can prevent unauthorized disclosure of data Explain why storing or copying data onto personal computers or unsecure removable media is prohibited Describe the steps necessary to report unauthorized disclosure of data Identify the policies and procedures associated with the data security program Page 2 of 11

3 The Payment Card Industry Data Security Standards (PCI-DSS) A set of regulations created to protect cardholder data from loss or misuse. CHS is required to adhere to PCI-DSS in order to accept payment cards. Payment cards include credit and debit cards. Cardholder data also known as Confidential Data includes: Primary Account Number (PAN) Expiration Date Cardholder Name Password, , address, and other personal Confidential Data PCI-DSS applies to all formats: paper (receipts, handwritten forms, billing statements, etc.), electronic and verbal. PAN EXPIRATION DATE PCI-DSS Goals & Requirements The goals and objectives of PCI-DSS are: 1. Build and maintain a secure network 2. Protect confidential data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Regularly monitor and test networks 6. Maintain an information security policy The effectiveness of the controls associated with the above goals relies on everyone adhering to policies and procedures in order to ensure a secure cardholder data environment. Page 3 of 11

4 Sensitive Authorization Data PCI-DSS prohibits storage of sensitive authorization data, which includes: Track Data & PV/PIN block on magnetic strip CVV2/CVC2/CID on front or back of card Magnetic strip Places Where Confidential Data May Exist Most of us are accustomed to using credit and/or debit cards when pumping gas, buying groceries or while at the mall. Here at CHS, payment cards are an accepted payment method in various locations, including but not limited to: Carolinas Healthcare System Medical Group, System Billing Office or Central Billing Office Admitting, Registration, or Cashier Gift Shop, Cafeteria or Coffee Shop Pharmacy Clinics and Urgent Care Foundation Health Club or Fitness Center Rehab Facility Any department or service selling/renting medical equipment and supplies Common Types of Data Breaches The most common types of data breaches include, but are not limited to: Technology attacks - Hacking Lost or stolen equipment Laptops, USB drives Stolen or copied paper records Inadvertent disclosure Malicious insiders Page 4 of 11

5 How PCI-DSS Impacts You Whether you are directly involved with the receipt and handling of card payments, you are required to ensure a secure environment that promotes data security: Do not share your passwords with anyone. The CHS Support Center or Information Services will NEVER ask you for your password. Never use text, , or instant messaging to transmit Confidential Data. Never photocopy or scan credit card numbers that are written on paper or the actual cards themselves. (i.e. Scan to on Xerox machines, Click-on DMS, Hyland Onbase, etc.) Properly dispose of Confidential Data. Use the Asset Transfer and Disposal eform to engage Information Services in the proper disposal of electronic media, computer equipment, or credit card terminal equipment. Do not disable, uninstall or otherwise bypass security controls (e.g. antivirus, use someone else s user ID and password, connect to the Guest wireless network). Lock computer or log out when unattended and use lock-down kits or other appropriate anti-theft mechanisms to secure laptops or other portable devices. Prevent credit card terminals or credit card processing computers from physical access by unauthorized persons. Do not create spreadsheets or documents to store credit card numbers, or otherwise store any sensitive credit card information electronically on CHS equipment. Always be attentive to suspicious activity and report issues to the CHS Support Center at immediately if: o An unknown person wants to modify or install something on a credit card reader or Point-of-Sale (POS) unit. o You clicked on a suspicious link, pop-up window or opened a suspicious attachment. o Computer equipment, including credit processing equipment, is lost or stolen. o You have reason to believe someone may have your password. Report suspected or known breaches of confidential data to your Supervisor, Facility Privacy Director, CHS Corporate Privacy at or the Customer Care Line at Page 5 of 11

6 Attestation of Compliance All teammates are required to attest their compliance to proper confidential data handling security standards. Additionally, CHS must complete an Attestation of Compliance document annually as a declaration of our compliance status with the Payment Card Industry Data Security Standard (PCI DSS). JOB AID 1 Steps to secure the CHS data environment 1 Safe Handling of Cardholder Data When receiving and handling a payment card directly from a customer: o Check the name on the card with a photo I.D. o Compare the signature with the one on the back of the card. o Process immediately. o Shield the card from view of others. When receiving cardholder data by Phone: o Ensure the accuracy of cardholder information by asking the caller to repeat the card number back to you. o Never say the card number back to the customer. This practice ensures that no one will overhear this sensitive information. When receiving cardholder data by Fax: o Cardholder data may not be received by Fax unless the fax machine is located in a highly secured area restricted to teammates that are authorized to process payment card transactions. Cardholder data must NEVER be sent, accepted or solicited via , Instant Messaging or Text. If a patient or customer sends you an , Instant Message or Text containing cardholder data, reply to the sender WITHOUT including the original message and: o Notify the sender of acceptable methods of payment. o Notify the sender that the original message with cardholder data was deleted. o Do not print, forward, or retain the message in any format. Page 6 of 11

7 o Delete the message & empty the Trash/Deleted Items/Recycle Bin. When receiving cardholder data by Web Payment: o CHS teammates should only use approved web payment solutions (e.g. TrustVault). Teammates are responsible for verifying all web payment applications with their Manager. o CHS teammates should not create webpages that request or collect cardholder data. Process payment card transactions immediately when cardholder data is received: o Card swiped/entered into a dial-up swipe terminal. o Card swiped or entered into a POS terminal. o With the exception of virtual terminal solutions (e.g. TrustVault), cardholder data should NEVER be entered into a computer. Cardholder data may not be electronically stored on any device in any format including local hard drives, personal network drives, CD s, USB drives or any other local computing device. No electronic cardholder data storage is allowed outside of the approved applications and servers maintained by CHS Information Services. Cardholder data may not be photocopied, scanned, or photographed. Equipment and physical facilities must be properly secured: o Use of door locks after business hours. o Security cameras and alarms. o Proper issuance & collection of badge/key access. o Regular inspection of equipment (e.g. lock down kits, card readers, etc.) to detect tampering or substitution (e.g. addition of card skimmers to card readers, serial number changes, broken or different colored casing). Report any issues to your manager or a security officer IMMEDIATELY! Departments that use computer equipment or POS terminals to process card payments must ensure that: o Teammates use difficult to guess passwords that are at least 8 characters in length and include a combination of letters, numbers and special characters. Page 7 of 11

8 o Teammates issued a POS access card must protect the card from loss, and never share the card with others. o In the event of a lost or stolen POS access card, the employee must inform his/her manager immediately. o Any changes, repairs or replacement of equipment (including card readers) must be arranged and coordinated through Cash Management and facilitated by authorized Information Services personnel only. ALWAYS VERIFY! Cardholder data may not be written down. If a department has appropriate business justification to write down cardholder data, they must do so using a Credit Card Payment Form and follow these safety procedures: o Maintain a secured storage location for these forms. o Process the transaction as soon as possible but no later than ONE business day from the date received. o Credit Card Payment Forms that cannot be processed immediately must be properly locked inside of a secure storage compartment Storage may be a drawer, overhead bin, closet, etc. Storage MAY NOT be a portable lockable device such as a briefcase, cashbox, etc. Storage must not be labeled or marked so as to identify its contents. When cardholder data is present, the storage location must be locked at all times. The payment must be processed within ONE business day of being received. Only teammates who have completed this training module should have access to the storage. Properly dispose of the Credit Card Payment Form (e.g. cross-cut shredder or locked shred bin for 3 rd party disposal). Page 8 of 11

9 In the event of a suspected breach or loss of payment card data, teammates are obligated to notify the CHS Support Center at within 24 hours. Review the following CHS Policies: o IS.PHI Communications Environment Acceptable Use Policy o IS.PHI Information Services Security Policy o FIN PCI Data Security Standard Policy Page 9 of 11

10 Posttest Name: Date: Circle the correct answer. 1. CHS is required to comply with PCI-DSS because: a. CHS is a large organization b. CHS accepts payment cards c. CHS is not required to comply with PCI-DSS d. PCI-DSS is part of HIPAA 2. PCI-DSS only applies to Information Services since they maintain all of the CHS electronic systems a. True b. False 3. PCI-DSS only applies to CHS teammates that handle card payment transactions: a. True b. False 4. My responsibilities to protect confidential data include: a. Keeping my password secret b. Never using text, , or instant messaging to transmit confidential data c. Locking my computer or logging out when leaving it unattended d. All of the above 5. I can store cardholder data electronically as long as I: a. Properly dispose of it using an Asset Transfer and Disposal eform b. Encrypt the data and properly dispose of it using an Asset Transfer and Disposal eform c. Store it on my personal drive and password protect the file d. I am never allowed to store electronic cardholder data 6. I am responsible for reporting a suspected or known breach of confidential data. To report a suspected or known data breach I should: a. Contact my Supervisor b. Contact my Facility Privacy Director c. Contact the CHS Corporate Privacy Department d. Any of the above Page 10 of 11

11 7. PCI-DSS only applies to electronic confidential data: a. True b. False 8. If I accidentally click on a link from an unknown sender I should: a. Do nothing; my anti-virus software will protect my computer and confidential data b. Contact the CHS Support Center at c. Close my browser and restart my computer d. Follow the data breach reporting process 9. If an unknown person is tampering with a credit card device, I should: a. Do nothing and let them finish b. Report the incident to the CHS Support Center c. Call 911 immediately d. Either b or c 10. It is ok for me to replace credit card equipment without authorization and verification: a. True b. False 11. The following are signs that indicate a device has been tampered with: a. The device serial number has been changed b. The card reader is colored differently than normal c. A card skimmer has been added to the device d. All of the above 12. By clicking Yes below, I attest that I have read and understand the Information Services Security Policy, the CHS Communications Environment Acceptable Use Policy and the PCI Data Security Standard Policy: a. Yes b. No Page 11 of 11

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry

More information

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS) CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with

More information

Policy for Protecting Customer Data

Policy for Protecting Customer Data Policy for Protecting Customer Data Store Name Store Owner/Manager Protecting our customer and employee information is very important to our store image and on-going business. We believe all of our employees

More information

LSE PCI-DSS Cardholder Data Environments Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

More information

Viterbo University Credit Card Processing & Data Security Procedures and Policy

Viterbo University Credit Card Processing & Data Security Procedures and Policy The requirements for PCI-DSS compliance are quite numerous and at times extremely complicated due to their interdependent nature and scope. The University has deemed it necessary for those areas currently

More information

2014 Core Training 1

2014 Core Training 1 2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System

More information

6-8065 Payment Card Industry Compliance

6-8065 Payment Card Industry Compliance 0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card

More information

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS) Procedure Credit Card Handling and Security for Departments/Divisions and Elected/Appointed Offices Last Update: January 19, 2016 References: Credit Card Payments Policy Purpose: To comply with the Payment

More information

Information Security Policy

Information Security Policy Information Security Policy Contents Version: 1 Contents... 1 Introduction... 2 Anti-Virus Software... 3 Media Classification... 4 Media Handling... 5 Media Retention... 6 Media Disposal... 7 Service Providers...

More information

Information Technology

Information Technology Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing

More information

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper

More information

Privacy and Security For Managers

Privacy and Security For Managers Privacy and Security For Managers This self directed learning module contains information all CHS Teammates are expected to know in order to protect our patients, our guests, and ourselves. Target Audience:

More information

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration

More information

CREDIT CARD PROCESSING POLICY AND PROCEDURES

CREDIT CARD PROCESSING POLICY AND PROCEDURES CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.

More information

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card

More information

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration Andrews University Payment Card Acceptance Policies & Procedures Prepared by Financial Administration July 12, 2011 Part I: Introduction of Policy and Purpose Formatted: Font: 12 pt In order to protect

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

PHI- Protected Health Information

PHI- Protected Health Information HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

Credit Card Handling Security Standards

Credit Card Handling Security Standards Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges

More information

Standards for Business Processes, Paper and Electronic Processing

Standards for Business Processes, Paper and Electronic Processing Payment Card Acceptance Information and Procedure Guide (for publication on the Treasury Webpages) A companion guide to University policy 6120, Payment Card Acceptance Standards for Business Processes,

More information

Office of Finance and Treasury

Office of Finance and Treasury Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive

More information

University of San Francisco

University of San Francisco University of San Francisco Acceptable Use Policy (AUP) & Agreement for POS Devices and PCI Network 1. Purpose University of San Francisco (USF) provides access to the PCI network for processing CASHNet

More information

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: 07-23-15 Approval Date: 07-27-15 POLICY: All individuals involved in handling credit and debit card transactions

More information

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository Internal Credit/Debit Card Processing Policies and Procedures for University of Tennessee Merchants Merchant: DBA Effective: Date Reviewed: Date Revised: Date 1. General Statement 2. Point-of-Sale Processing

More information

Appendix 1 Payment Card Industry Data Security Standards Program

Appendix 1 Payment Card Industry Data Security Standards Program Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect

More information

HIPAA Privacy & Security Health Insurance Portability and Accountability Act

HIPAA Privacy & Security Health Insurance Portability and Accountability Act HIPAA Privacy & Security Health Insurance Portability and Accountability Act ASSOCIATE EDUCATION St. Elizabeth Medical Center Origin and Purpose of HIPAA In 2003, Congress enacted new rules that would

More information

McGill Merchant Manual

McGill Merchant Manual McGill Merchant Manual The McGill Merchant Manual is a complementary document to the Merchant (PCI) Policy and Procedures and serves to aid Merchants in ensuring their operations comply with Payment Card

More information

PCI DSS Security Awareness Training for University of Tennessee Credit Card Merchants. UT System Administration Information Security Office

PCI DSS Security Awareness Training for University of Tennessee Credit Card Merchants. UT System Administration Information Security Office PCI DSS Security Awareness Training for University of Tennessee Credit Card Merchants UT System Administration Information Security Office Agenda Overview of PCI DSS Compliance versus Non-Compliance PCI

More information

PCI Policies 2011. Appalachian State University

PCI Policies 2011. Appalachian State University PCI Policies 2011 Appalachian State University Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements

More information

Policies and Procedures

Policies and Procedures Policies and Procedures Provided by PROGuard The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ,

More information

CREDIT CARD POLICY DRAFT

CREDIT CARD POLICY DRAFT APPROVED BY Ronald J. Paprocki I. Policy Statement Any office of the University that processes credit card transactions may do so only in the manner approved by the University Treasury Office and in compliance

More information

Hang Seng HSBCnet Security. May 2016

Hang Seng HSBCnet Security. May 2016 Hang Seng HSBCnet Security May 2016 1 Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of

More information

Information Security Handbook for Employees

Information Security Handbook for Employees Information Security Handbook for Employees Providing our patients with excellence in healthcare includes protecting their information This handbook was prepared by Tom Walsh Consulting, LLC for the Kansas

More information

HIPAA Privacy & Security Training for Clinicians

HIPAA Privacy & Security Training for Clinicians HIPAA Privacy & Security Training for Clinicians Agenda This training will cover the following information: Overview of Privacy Rule and Security Rules Using and disclosing Protected Health Information

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder

More information

HIPAA and You The Basics

HIPAA and You The Basics HIPAA and You The Basics The Purpose of HIPAA Privacy Rules 1. Provide strong federal protections for privacy rights Ensure individual trust in the privacy and security of his or her health information

More information

TERMINAL CONTROL MEASURES

TERMINAL CONTROL MEASURES UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University

More information

Dartmouth College Merchant Credit Card Policy for Processors

Dartmouth College Merchant Credit Card Policy for Processors Mission Statement Dartmouth College Merchant Credit Card Policy for Processors Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY Processing Electronic Card Payments Introduction and Policy Aim The Payment Card Industry Data Security Standard (PCI-DSS) is a worldwide information

More information

PCI Security Awareness for Campus Payment Card Merchants

PCI Security Awareness for Campus Payment Card Merchants PCI Security Awareness for Campus Payment Card Merchants Read this document carefully. Sign, date, and return the last page to your supervisor, who is required to store the documentation for 1 year. Retain

More information

Credit Card Security

Credit Card Security Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary

More information

8.03 Health Insurance Portability and Accountability Act (HIPAA)

8.03 Health Insurance Portability and Accountability Act (HIPAA) Human Resource/Miscellaneous Page 1 of 5 8.03 Health Insurance Portability and Accountability Act (HIPAA) Policy: It is the policy of Licking/Knox Goodwill Industries, Inc., to maintain the privacy of

More information

PCI Security Awareness for ECU Payment Card Merchants

PCI Security Awareness for ECU Payment Card Merchants PCI Security Awareness for ECU Payment Card Merchants Read this document carefully. Sign, date, and return the last page to your departmental PCI coordinator, who is required to store the documentation

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

Target Audience: All Non-Management CHS Employees, Students, Volunteers, and Physicians

Target Audience: All Non-Management CHS Employees, Students, Volunteers, and Physicians This self-directed learning module contains information all CHS employees are expected to know in order to protect our patients protected health information. Target Audience: All Non-Management CHS Employees,

More information

Cal Poly PCI DSS Compliance Training and Information. Information Security http://security.calpoly.edu 1

Cal Poly PCI DSS Compliance Training and Information. Information Security http://security.calpoly.edu 1 Cal Poly PCI DSS Compliance Training and Information Information Security http://security.calpoly.edu 1 Training Objectives Understanding PCI DSS What is it? How to comply with requirements Appropriate

More information

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

HIPAA Education Level One For Volunteers & Observers

HIPAA Education Level One For Volunteers & Observers UK HealthCare HIPAA Education Page 1 September 1, 2009 HIPAA Education Level One For Volunteers & Observers ~ What does HIPAA stand for? H Health I Insurance P Portability A And Accountability A - Act

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

HIPAA: Bigger and More Annoying

HIPAA: Bigger and More Annoying HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL

More information

Credit and Debit Card Handling Policy Updated October 1, 2014

Credit and Debit Card Handling Policy Updated October 1, 2014 Credit and Debit Card Handling Policy Updated October 1, 2014 City of Parkville 8880 Clark Ave. Parkville, MO 64152 Hours: 8:00-5:00 p.m. Monday -Friday Phone Number 816-741-7676 Email: cityhall@parkvillemo.gov

More information

Privacy & Security Standards to Protect Patient Information

Privacy & Security Standards to Protect Patient Information Privacy & Security Standards to Protect Patient Information Health Insurance Portability & Accountability Act (HIPAA) 12/16/10 Topics An An Introduction to to HIPAA HIPAA Patient Rights Rights Routine

More information

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Payment Card Industry (PCI) Policy Manual. Network and Computer Services Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology

More information

Huddersfield New College Further Education Corporation

Huddersfield New College Further Education Corporation Huddersfield New College Further Education Corporation Card Payments Policy (including information security and refunds) 1.0 Policy Statement Huddersfield New College Finance Office handles sensitive cardholder

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson

PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson Overview What is PCI? MCCS Compliance PCI DSS Technical Requirements MCCS Information Security Policies

More information

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9. 95.5 of 9. PURPOSE.. To establish a policy that outlines the requirements for compliance to the Payment Card Industry Data Security Standards (PCI-DSS). Compliance with this standard is a condition of

More information

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY. 2014 October

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY. 2014 October CREDIT CARD NUMBER HANDLING PROCEDURES POLICY 2014 October Royal Roads University Page 1 of 6 21 October 2014 Table of Contents Policy Statement... 3 Rationale... 3 Applicability of the Policy... 3 Definitions...

More information

HIPAA Training for Hospice Staff and Volunteers

HIPAA Training for Hospice Staff and Volunteers HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you

More information

Payment Card Industry Data Security Standard PCI DSS

Payment Card Industry Data Security Standard PCI DSS Payment Card Industry Data Security Standard PCI DSS What is PCI DSS? Requirements developed by the five card brands: VISA, Mastercard, AMEX, JCB and Discover. Their aim was to put together a common set

More information

HIPAA Security Training Manual

HIPAA Security Training Manual HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,

More information

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft

More information

University Policy Accepting and Handling Payment Cards to Conduct University Business

University Policy Accepting and Handling Payment Cards to Conduct University Business BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy

More information

OF MICHIGAN HEALTH SYSTEM

OF MICHIGAN HEALTH SYSTEM 1 PHI - Protected Health Information UNIVERSITY OF MICHIGAN HEALTH SYSTEM Updated 09/23/2013 2 Q: Is PHI the same as the medical record? A: No. protects more than the official medical record. Lots of other

More information

SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules

SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules Page 2 Index Privacy 101 and Intermediate Privacy Self-Learning Module 2012 HIPAA Education 3 Instructions Index

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College

More information

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N 1 COURSE OVERVIEW This course is broken down into 4 modules: Module 1: HIPAA Omnibus Rule - What you need to know to remain

More information

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services Louisiana State University Finance and Administrative Services Operating Procedure FASOP: AS-22 CREDIT CARD MERCHANT POLICY Scope: All campuses served by Louisiana State University (LSU) Office of Accounting

More information

University of York Policy on the Management of Debit/ Credit Card Data

University of York Policy on the Management of Debit/ Credit Card Data University of York Policy on the Management of Debit/ Credit Card Data Version 1.0 25th February 2015 Index 1 Introduction and Policy Statement 1.1 The Payment Card Industry Data Security Standard (PCI

More information

HIPAA Privacy & Security Rules

HIPAA Privacy & Security Rules HIPAA Privacy & Security Rules HITECH Act Applicability If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to

More information

Welcome to the Duke Medicine Credit Card PCI Education session.

Welcome to the Duke Medicine Credit Card PCI Education session. Welcome to the Duke Medicine Credit Card PCI Education session. During this session, we will explain the Duke Medicine Credit Card PCI Policy and Procedure that has been implemented to ensure we are in

More information

HIPAA Privacy and Security

HIPAA Privacy and Security HIPAA Privacy and Security Course ID: 1020 - Credit Hours: 2 Author(s) Kevin Arnold, RN, BSN Accreditation KLA Education Services LLC is accredited by the State of California Board of Registered Nursing,

More information

HIPAA and Health Information Privacy and Security

HIPAA and Health Information Privacy and Security HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient

More information

Business Online Banking Client Setup Form

Business Online Banking Client Setup Form Business Online Banking Client Setup Form *All available fields must be filled out prior to submission to ensure proper processing. New Setup Maintenance on Existing Customer Company Name: Tax ID: Address:

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

Information Security Training 2012

Information Security Training 2012 Information Security Training 2012 Authored by: Gwinnett Medical Center Information Security Department Modified for affiliated schools students & instructors by: Linda Horst, RN, BSN, BC Objectives After

More information

SHS Annual Information Security Training

SHS Annual Information Security Training SHS Annual Information Security Training Information Security: What is It? The mission of the SHS Information Security Program is to Protect Valuable SHS Resources Information Security is Everyone s Responsibility

More information

b. USNH requires that all campus organizations and departments collecting credit card receipts:

b. USNH requires that all campus organizations and departments collecting credit card receipts: USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System

More information

Computing Services Information Security Office. Security 101

Computing Services Information Security Office. Security 101 Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification,

More information

BSHSI Security Awareness Training

BSHSI Security Awareness Training BSHSI Security Awareness Training Originally developed by the Greater New York Hospital Association Edited by the BSHSI Education Team Modified by HSO Security 7/1/2008 1 What is Security? A requirement

More information

Information Security Manager Training

Information Security Manager Training Information Security Manager Training Kent Swagler CCEP Director, Corporate Compliance Direct line (314) 923-3097 Cell (314) 575-8334 kswagler@metrostlouis.org Information Security Manager Training Overview

More information

HIPAA Training for Staff and Volunteers

HIPAA Training for Staff and Volunteers HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help

More information

University of Virginia Credit Card Requirements

University of Virginia Credit Card Requirements University of Virginia Credit Card Requirements The University of Virginia recognizes that e-commerce is critical for the efficient operation of the University, and in particular for collecting revenue.

More information

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc

More information

Department PCI Self-Assessment Questionnaire Version 1.1

Department PCI Self-Assessment Questionnaire Version 1.1 Department PCI Self-Assessment Questionnaire Version 1.1 2009 Attestation of Compliance Instructions for Submission This Department PCI Self-Assessment Questionnaire has been developed as an assessment

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Liverpool Hope University. PCI DSS Policy

Liverpool Hope University. PCI DSS Policy Liverpool Hope University PCI DSS Policy Document Control Date Revision/Amendment Details & Reason Author 26 th March 2015 Updates G. Donelan 23 rd June 2015 Audit Committee 7 th July 2015 University Council

More information

Saint Louis University Merchant Card Processing Policy & Procedures

Saint Louis University Merchant Card Processing Policy & Procedures Saint Louis University Merchant Card Processing Policy & Procedures Overview: Policies and procedures for processing credit card transactions and properly storing credit card data physically and electronically.

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information