1 UNIVERSITY CONTROLLER S OFFICE Payment Card Industry (PCI) Security Standards Training Guide (updated for 3.1 requirements) February 2016
2 Disclaimer: The information in this guide is current as of the date of publishing. However, card acceptance, processing, and chargeback procedures are subject to change due to the ever changing demands of the Payment Card Industry. This guide contains information based on the current Payment Card Industry (PCI) Security Standards Council Operating Regulations. If there are any technical differences between the PCI Operating Regulations and this guide, the PCI Operating Regulations will prevail in every instance. The PCI Operating Regulations take precedence over this guide or any updates to its information. For further information about the rules or practices covered in this guide, contact Xxx xxxxx, Associate Controller, University Controller s Office at xxx-xxx-xxxx. Upon Course Completion: When you are finished with all of the chapters in this course, don t forget to complete the Online Quiz. The Quiz will cover the information learned throughout the course, and it serves as your proof of course completion. If you do not successfully complete the Quiz with a score of 100% you will not be given credit for completing the course. If you do not score 100% on your first attempt, do not be discouraged. You will be given as many chances as you need to successfully complete the quiz. If you have any questions or concerns regarding the Quiz or any other element of this course, contact Xxx xxxxx, Associate Controller at xxx-xxx-xxxx. Notice: Throughout this course, the term USF Employee is expanded to include anyone working in a capacity for the University including: - Administration - Staff - Faculty - OPS - Students - Volunteers
3 Course Benefits Above all else, this course serves to provide you with the knowledge and skills necessary to ensure credit card security. It is important to recognize that everyone, not just the credit card companies, benefit from your effective application of credit card security measures: Your Customers Appreciate your ability to reduce the threat of identity theft Trust you to complete transactions without creating duplicate or invalid charges Enjoy peace of mind, knowing that their card is in good hands Your Employer Takes pride in a skilled workforce Values your ability to build customer confidence Needs your help in limiting potential losses, fines & penalties...and You! Show confidence in your ability to safely and efficiently do your job Know that you can make informed decisions under pressure Can recognize key security features on valid cards Are alert to the warning signs of fraud Course Complete You have now completed the reading portion of the PCI Security Program. However, in order to receive credit for this course, you must complete the Quiz. The Quiz will cover the information you have just learned, and it serves as your proof of course completion. If you do not successfully complete the Quiz with a score of 80% or better, you will not be given credit for the course. If you do not score 80% or better on your first attempt, do not be discouraged. You will be given a total of three chances to successfully complete the quiz.
4 Merchant Training Payment Card Acceptance Session 1
5 Learning Objectives There are three parts to Merchant Training. The first section will provide basic terms and definitions to better enable you to understand PCI Compliance. The second section details the Security Policy and PCI DSS Requirements that CSCC must meet to accept Credit Card payments. The final section demonstrate the appropriate way to accept payment cards in order to protect both your business and your cardholders from fraud. The sessions should take approximately 15 minutes each to complete.
6 Key Terms & Definitions Payment Cards Credit Cards, Debit Cards, or Purchasing Cards issued by a Financial Institution. Merchant Account An account, set up through the Bank, which provides the ability to process payment cards as payment for Goods and Services rendered by the Account Holder (CSCC). Card Present Transactions Transactions in which the Cardholder presents the actual card to the Merchant or processing. Usually swiped into a terminal or register. A signature is obtained.
7 Card Not-Present Transactions Transactions in which the cardholder gives his credit card information to the Merchant over the phone or sends their card information in the mail on a designated form. A form may include a signature. Generally, a signature is not obtained in this type of transaction. E-Commerce The ability to process payment cards as payment for Goods or Services, through a Merchant account using the internet. The cardholder initiates the transactions from their own computers. The Merchant does not handle the cardholder data at any time during the transaction. PCI-DSS - The payment card industry (PCI) Data Security Standard (DSS) is a set of comprehensive requirements for enhancing payment card data security.
8 Cardholder Data = Primary Account Number (PAN). Cardholder Name when associated with the PAN. The service code when associated with the PAN. Expiration Date when associated with the PAN. Sensitive Authentication Data = Full Magnetic Stripe Data (Can Never be Stored). CAV2/CVC2/CVVS/CID (Can never be Stored). PIN or PIN Block (Can never be Stored).
9 Quiz 1. PCI stands for Payment Card Industry o True o False 2. DSS stands for Data Security Standards o True o False 3. Payment Cards are: o Credit Cards o Debit Cards o Purchasing Cards o Visa/ MasterCard/Discover/American Express o All of the Above
10 4. E- Commerce is: o Buying and selling on the internet. o The ability to process credit card payments on the internet. o Both A & B o None of the above. 5. Credit Card Data Fields consist of: o Primary Account Number (PAN). o Sensitive Authentication Data. o Magnetic Stripe Data. o Pin o Expiration Date. o All of the Above.
11 PCI COMPLIANCE Security Standards Session 2
12 Who Must Comply? PCI applies to all CSCC locations accepting electronic payments as legal tender. All CSCC employees having access to cardholder information, regardless of size, must comply with the PCI Data Security Standards. As stated, if you have access to credit card information as part of your job responsibilities at CSCC, you are accountable for the security of that information. Cardholder information should be disclosed only for a required business purpose. It is the employee s responsibility to safeguard the associated credit card data that is entrusted to their care.
13 Why We Must Comply? Properly securing cardholder data is the responsibility of EVERY Columbus State Employee. It only takes a few extra seconds to make a big difference. Lack of compliance to the PCI DSS, in a single area of the College, could jeopardize the College s ability to accept payment Cards (Policy 9-12) Your support and cooperation is essential to the College s compliance. 12 Payment Card Industry Security Standards Each Goal Has Detailed Requirements
14 Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. Never store sensitive authentication data after authorization. Your terminals have already been programmed by the bank for this purpose. Limit receipt storage amount and retention time to that which is required by business, legal, and/or regulatory purposes.
15 Follow the College s document disposal policy. Make sure all receipts & reports (Both yours and the cardholders) have truncated card numbers only the last 4 digits of the card #. Keep credit card machines out of sight and reach of customers. When applicable, keep your computer screen out of the line of sight of customers so they cannot see card numbers as you enter them. Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications.
16 Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. Need to Know means that access rights are granted to only the least amount of data and privileges needed to perform a job. Limit access to payment card processing equipment and cardholder data to only those individuals whose job requires such access. Each person with computer access should have their own unique ID and Password.
17 DO NOT use vender-supplied default passwords or share your password with others. Follow the College s password guidelines by using a password phrase, upper & lower case letters, numbers, and special characters. Change your passwords on a regular basis. *** DO NOT STORE YOUR PASSWORDS IN A NOTEBOOK, ON POST-IT NOTES, OR ANY OTHER ACCESSIBLE MEANS!***
18 Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel. A strong security policy sets the tone for the whole company and informs employees (and all relevant system users) what is expected of them.
19 All system users should be made aware of the sensitivity of data and their responsibilities for protecting it. An incident response plan should be implemented. The College has Payment Card Acceptance policies and procedures, and Information security policies which may be reviewed at the end of this lesson.
20 Information Security Policy Columbus State Community College has written policies and procedures effective June 1, 2011 : Program Coordinator / Information Security Officer (ISO) Douglas Rellick
21 Quiz 1. All CSCC employees are responsible for the security of Credit Card information. o True o False 2. For Security Reasons Passwords have to be: Unique and individualized. o The vendor default. o Contain upper & lower case letters, numbers, and special characters. o All of the above. o Both A and B o Both A and C
22 3. To Protect Credit Card Data you must: o Never store sensitive authentication data after authorization. o Follow the College s document disposal policy. o Make sure all receipts & reports have truncated card numbers only the last 4 digits of the card #. o All of the above. 4. Maintain An Information Security Policy o Columbus State s PCI Compliance Policy was effective June 1, o Columbus State Policy # 9-12 is for PCI Compliance. o Columbus State PCI Compliance Policy requires annual Staff Training. o All of the above. o Please continue to part 3 Credit Cards
23 CREDIT CARDS Session 3
24 Card Present Transactions Swiping the card is the most secure method of accepting payment cards. Hold onto the card while the card is authorized and the receipt is signed. Compare signatures on the receipt and on the back of the card. Make sure the embossed name matches the signed name. If the signature panel on the card says Please See ID the card is not valid. Ask for the ID and ask the cardholder to sign the card in front of you. Check the signature and pictures. All receipts must be kept in a secure/locked location for 18 months with Need to Know access. Receipts older than 18 months must be shredded.
25 Card Not-Present Transactions Phone/Mail Order: Enter all the information you are prompted for. By doing so, you will be using security prompts to make sure the person using the card is the cardholder. It is best to keep the customer on the phone while you run the transaction. If that is not possible, you should get the customer s phone number in case the card is declined. Shred any paper that has card information on it especially the CVV/CVV2 code and full card number. If you must keep the full card number, make sure it is stored in a secured, locked location with receipts, with Need to Know access. Never keep the CVV/CVV2 code! (The CVV code is the 3 digit security code on the signature panel).
26 Refunds Refunds must be issued to the same card used in the original transaction. Refunds must be issued using the same mode of processing that was used for the original transaction. The refund amount may only be up to the amount of the original transaction. All refunds should be dual controlled, or in other words, approved by a supervisor.
27 Parts of a Credit Card Visa, MasterCard, Discover
28 NEW EMV Technology
29 Avoiding Fraud Be Vigilant! Taking the few extra seconds to match signatures and look at the card you are accepting can save you time and money later. If the imprinted name on the card does not match the signature on the back of the card or the signed receipt, do not accept the card. DO NOT CALL THE PHONE # ON THE BACK OF THE CARD FOR AUTHORIZATION. An authorization is only valid if it is obtained through the merchant services help desk or your payment processing device. Train all staff that handle payment cards on Acceptance Best Practices and your department procedures. Repeat training often. It s easy for us to forget, or get lazy.
30 Incident Response Plan Despite our best efforts, it is possible for our payment card systems to be breached or compromised. Watch for Multiple completed transactions or multiple attempts to complete transactions by the SAME Cardholder. Cardholders asking for refunds to be posted to a different payment card. Your day to day card swiping equipment looks different than usual, and cannot be confirmed as replacement equipment from your verified vendor. Cardholder documents displaying card numbers, such as faxes, event registration, are not stored securely or disposed of correctly
31 If you suspect a Data Breach Contact your supervisor immediately. Supervisor will contact the Information Security Officer and Cashier and Student Accounting Office IMMEDIATELY. DO NOT disable or turn off your system, unless directed to do so by ISO. Your Department will be restored with the ability to accept payment cards as soon as possible
32 Contact Information College Information Security Web Page: l Douglas Rellick (614) Program Coordinator / Information Security Officer (IT Support Services)
33 Quiz 1. Important steps when handling a credit card: o Hold card while it is authorized and receipt signed. o Compare signature on receipt to back of credit card. o Swiping the card is the most secure method. o All of the above. o Only A & B 2. What type of transactions would be considered Card Not Present o Phone Payments o Web Payments o Mail Payments o All of the above
34 3. What are important items on the front of a Credit Card? o Expiration Date o Compare the embossed number to the printed number. o Hologram o Three Digit Security Code. o All of the Above. o A, B & C Only 4. What are the key ways to avoid Fraud? o Staff Training on security procedures. o Comparing names and signatures of cards and receipts. o Do not call for authorizations, only valid if received thru system process. o All of the above.
35 Glossary Note: All definitions listed in this section are also available in the Course Glossary. Account number The 16-digit account number that appears in print on the front of all valid credit cards. The number is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid. Address Verification Service (AVS) AVS allows USF Merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement for that account) given by a customer with the billing address on the card issuer s master file before shipping an order. AVS helps merchants minimize the risk of accepting fraudulent transactions in a card-notpresent environment by indicating the result of the address comparison. Authorization The process by which a card issuer approves or declines a credit card purchase. Authorization occurs automatically when you swipe the magnetic stripe of a payment card through a card reader. See also: Voice Authorization Center. Call or Call Center response A response to a merchant s authorization request indicating that the card issuer needs more information about the card or cardholder before a transaction can be approved; also called a referral response.
36 Card acceptance procedures The procedures USF Merchants and Employees must follow at the point of sale to ensure a card and cardholder are valid. Card expiration date See Good Thru date. Cardholder The person to whom a credit card is issued. Card-Not-Present A merchant, market, or sales environment in which transactions are completed without a valid credit card or cardholder being present. Card-not-present is used to refer to mail order, telephone order, and Internet merchants and sales environments. Card-Present A merchant, market or sales environment in which transactions can be completed only if both a valid credit card and cardholder are present. Card-Present transactions include traditional retail department and grocery stores, electronics stores, boutiques, etc. cash disbursements, and self-service situations, such as gas stations and grocery stores, where cardholders use unattended payment devices. Card security features The alphanumeric, pictorial, and other design elements that appear on the front and back of all valid credit card and debit cards. Card-Present merchants must check these features when processing a transaction at the point of sale to ensure that a card is valid.
37 Card Verification Value 2 (CVV2) A fraud prevention system used in card-not-present transactions to ensure that the card is valid. The CVV2 is the three-digit value that is printed on the back of credit cards. Card-not-present merchants ask the customer for the CVV2 and submit it as part of their authorization request. For information security purposes, merchants are prohibited from storing CVV2 data. Cardholder Information Security Program (CISP) A program that establishes data security standards, procedures, and tools for all entities merchants, service providers, issuers, and merchant banks that store cardholder account information. CISP compliance is mandatory. Chargeback A transaction that is returned as a financial liability to a merchant bank by a card issuer, usually because of a disputed transaction. The merchant bank may then return or charge back the transaction to the merchant. Code 10 call A call made to the merchant s voice authorization center when the appearance of a card or the actions of a cardholder suggest the possibility of fraud. The term Code 10 is used so calls can be made without arousing suspicion while the cardholder is present. Specially trained operators then provide assistance to point-of-sale staff on how to handle the transaction. Copy request A request by a card issuer to a merchant bank for a copy or facsimile of a sales receipt for a disputed transaction. Depending on where sales receipts are stored, the merchant bank either fulfills the copy request itself or forwards it to the merchant for fulfillment. A copy request is also known as a retrieval request.
38 Credit receipt A receipt that documents a refund or price adjustment a merchant has made or is making to a cardholder s account; also called credit voucher. Disclosure Merchants are required to inform cardholders about their policies for merchandise returns, service cancellations, and refunds. How this information is conveyed, or disclosed, varies for Card-Present and Card-Not-Present merchants, but in general, disclosure must occur before a cardholder signs a receipt to complete the transaction. Firewall A security tool that blocks access from the Internet to files on a merchant s or third-party processor s server and is used to ensure the safety of sensitive cardholder data stored on a server. Good Thru date The date after which a bankcard is no longer valid, embossed on the front of all valid credit cards. The Good Thru date is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid. See also: Card expiration date. High-risk merchant A merchant that is at a high risk for chargebacks due to the nature of its business. High-risk merchants include direct marketers, travel services, outbound telemarketers, inbound teleservices, and betting establishments. Internet Protocol address A unique number that is used to represent individual computers in a network. All computers on the Internet have a unique IP address that is used to route messages to the correct destination.
39 Key-entered transaction A transaction that is manually keyed into a point-of-sale device. Magnetic stripe The magnetic stripe on the back of all credit cards is encoded with account information as specified in the Payment Card Industry Operating Regulations. The stripe is read when a card is swiped through a Point of Sale (POS) terminal. On a valid card, the account number on the magnetic stripe matches the account number on the front of the card. Magnetic-stripe reader The component of a point-of-sale device that electronically reads the information on a payment card s magnetic stripe. Mail order/telephone order (MO/TO) A merchant, market, or sales environment in which mail or telephone sales are the primary or a major source of income. Such transactions are frequently charged to customers bankcard accounts. See also: Card-not-present. Merchant agreement The contract between a merchant and a merchant bank under which the merchant participates in a credit card company s payment system, accepts credit cards for payment of goods and services, and agrees to abide by certain rules governing the acceptance and processing of credit card transactions. Merchant agreements may stipulate merchant liability with regard to chargebacks and may specify time frames within which merchants are to deposit transactions and respond to requests for information. Merchant bank A financial institution that enters into agreements with merchants to accept credit cards as payment for goods and services; also called acquirers or acquiring banks.
40 Merchant Chargeback Monitoring Program (MCMP) A program that alerts merchant banks when one of their merchants has a chargeback-totransaction rate of over one percent. Merchants then work with the bank to reduce their chargeback rates to acceptable levels. Failure to reduce chargebacks can result in fines for a merchant. Payment gateway A system that provides services to Internet merchants for the authorization and clearing of online credit card transactions. Pick-up response This response indicates that the card issuer would like the card to be confiscated from the customer. However, USF Employees should not attempt to pick up credit cards, even when the card issuer requests this action, as this could potentially cause confrontation and safety issues. Point-of-sale terminal (POS terminal) The electronic device used for authorizing and processing bankcard transactions at the point of sale. Printed number A four-digit number that is printed below the first four digits of the printed or embossed account number on valid credit cards. The four-digit printed number should be the same as the first four digits of the account number above it. The printed four-digit number is one of the card security features that merchants should check to ensure that a Card-Present transaction is valid.
41 Representment A chargeback that is rejected and returned to a card issuer by a merchant bank on the merchant s behalf. A chargeback may be re-presented, or redeposited, if the merchant or merchant bank can remedy the problem that led to the chargeback. To be valid, a representment must be in accordance with Payment Card Industry Operating Regulations. Sales receipt The paper or electronic record of a bankcard transaction that a merchant submits to a merchant bank for processing and payment. In most cases, paper drafts are now generated by a merchant s POS terminal. When a merchant fills out a draft manually, it must include an imprint of the front of the card. Skimming The replication of account information encoded on the magnetic stripe of a valid card and its subsequent use for fraudulent transactions in which a valid authorization occurs. The account information is captured from a valid card and then re-encoded on a counterfeit card. The term skimming is also used to refer to any situation in which electronically transmitted or stored account data is replicated and then re-encoded on counterfeit cards or used in some other way for fraudulent transactions. Split tender The use of two forms of payment, or legal tender, for a single purchase. For example, when buying a big-ticket item, a cardholder might pay half by cash or check and then put the other half on his or her credit card. Individual merchants may set their own policies about whether or not to accept split-tender transactions. Third-party processor A non-member organization that performs transaction authorization and processing, account record keeping, and other day-to-day business and administrative functions for issuers and merchant banks.
42 Transaction The act between a cardholder and merchant that results in the sale of goods or services. Unsigned card A seemingly valid credit card that has not been duly signed by the legitimate cardholder. Merchants cannot accept an unsigned card until the cardholder has signed it, and the signature has been checked against a valid, government-issued Photo ID, such as a driver s license or passport. Voice authorization An authorization obtained by telephoning a voice authorization center. Voice authorization center An operator-staffed center that handles telephone authorization requests from merchants who do not have electronic POS terminals or whose electronic terminals are temporarily not working, or for transactions where special assistance is required. Voice authorization centers also handle manual authorization requests and Code 10 calls.
General Industry terms Address Verification: A service provided through which the merchant verifies the Cardholder s address. Primarily used by Mail/Telephone order merchants. Not a guarantee that a transaction
Address Verification: A service provided through which the merchant verifies the Cardholder s address. Primarily used by Mail/Telephone order merchants. Not a guarantee that a transaction is valid. Agreement:
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
Credit/Debit Card Processing Requirements and Best Practices Adele Honeyman Oregon State Treasury Training Specialist 1 What? What do I need to know about excepting credit cards? Who s involved, how it
New Account Reference Guide Welcome to BBVA Compass Merchant Services Thank you for choosing BBVA Compass as your Merchant Services provider. BBVA Compass is dedicated to providing your business with the
Department PCI Self-Assessment Questionnaire Version 1.1 2009 Attestation of Compliance Instructions for Submission This Department PCI Self-Assessment Questionnaire has been developed as an assessment
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
Payment Card Acceptance Information and Procedure Guide (for publication on the Treasury Webpages) A companion guide to University policy 6120, Payment Card Acceptance Standards for Business Processes,
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
Merchant Guide to the Visa Address Verification Service Merchant Guide to the Visa Address Verification Service TABLE OF CONTENTS Table of Contents Merchant Guide to the Visa Address Verification Service
White Paper Card Acceptance Best Practices Playing it Safe at the Point of Sale Fraudulent activity costs U.S. businesses billions. And that is just lost revenue. When you consider the associated damage
Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc
Welcome Kit Table of Contents Important Account Information... Welcome to TouchSuite Merchant Services... Help Desk Card Enclosed... Your Merchant ID (MID)... 3 3 3 3 Customer Support Numbers... 4 Card
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper
Copyright 2008-2010 Software Technology, Inc. 1621 Cushman Drive Lincoln, NE 68512 (402) 423-1440 www.tabs3.com Portions copyright Microsoft Corporation Tabs3, PracticeMaster, and the pinwheel symbol (
CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance
CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
Finance & Accounting and Merchant Services Cardholder Information Security Program (CISP) Training Guide Disclaimer: The information in this guide is current as of the date of publishing. However, card
Best Practices for Credit Card Acceptance to Minimize Fraud By implementing best practices in credit card processing, you decrease the likelihood of fraudulent transactions and chargebacks. In general,
McGill Merchant Manual The McGill Merchant Manual is a complementary document to the Merchant (PCI) Policy and Procedures and serves to aid Merchants in ensuring their operations comply with Payment Card
Payment Card Industry Data Security Standards PCI DSS Rhonda Chorney Manager, Revenue Capital & General Accounting Today s Agenda 1. What is PCI DSS? 2. Where are we today? 3. Why is compliance so important?
PROTECT YOUR BUSINESS FROM LOSSES WHILE ACCEPTING CREDIT CARDS TABLE OF CONTENTS Introduction...1 Preventing Fraud in a Card-Present Environment...2 How to Reduce Chargebacks in a Card-Present Environment...4
Avoiding Fraud Learn to recognize the warning signs for fraud and follow these card acceptance guidelines to reduce your risk. Intoduction Fraud comes in many forms and hurts merchants of all sizes. Whether
Merchant Card Processing Best Practices Background: The major credit card companies (VISA, MasterCard, Discover, and American Express) have published a uniform set of data security standards that ALL merchants
Powering e-commerce Globally What Can I Do to Minimize E-Commerce Chargebacks? Chargebacks are not going away. And now there are new rules. Selling products and services online and using credit cards for
CREDIT CARD NUMBER HANDLING PROCEDURES POLICY 2014 October Royal Roads University Page 1 of 6 21 October 2014 Table of Contents Policy Statement... 3 Rationale... 3 Applicability of the Policy... 3 Definitions...
Saint Louis University Merchant Card Processing Policy & Procedures Overview: Policies and procedures for processing credit card transactions and properly storing credit card data physically and electronically.
CREDIT CARD PROCESSING GLOSSARY OF TERMS 3DES A highly secure encryption system that encrypts data 3 times, using 3 64-bit keys, for an overall encryption key length of 192 bits. Also called triple DES.
UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to firstname.lastname@example.org when requesting a stand-alone dial up terminal. The University
Datalink Bankcard Services How To Spot & Prevent Fraudulent Credit Card Activity White Paper 2013 According to statistics from the U.S. Department of Justice and the Consumer Sentinel Network, credit card
WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS I. Introduction, Background and Purpose This Merchant Account Agreement (the Merchant Agreement or Agreement ) is entered
PCI Policies 2011 Appalachian State University Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements
UNIVERSITY OF NORTH DAKOTA FINANCE & OPERATIONS POLICY LIBRARY ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS Policy 2.3, Accepting Credit Cards and Electronic Checks to Conduct
APPROVED BY Ronald J. Paprocki I. Policy Statement Any office of the University that processes credit card transactions may do so only in the manner approved by the University Treasury Office and in compliance
Clark Brands Payment Methods Manual First Data Locations Table of Contents Introduction... 3 Valid Card Types... 3 Authorization Numbers, Merchant ID Numbers and Request for Copy Fax Numbers... 4 Other
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
Merchant Solutions Protecting your business from card fraud Fraudsters use a variety of methods to trick unsuspecting merchants. It is crucial that you understand how fraud can impact your business and
Card Acceptance Guide Your Guide to Debit and Credit Acceptance and Processing www.monerisusa.comw w m Important Information Your merchant account representative Merchant Help Desk Telephone authorization
Prepared by Treasury Office. This amends A8.710 dated July 2001. A8.710 April 2005 A8.700 TREASURY P 1 of 5 A8.710 Credit Card Program 1. Purpose To provide uniform procedures for the processing of credit
Publication Date 2009-08-11 Issued by: Financial Services Chief Information Officer Revision V 1.0 POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS Overview: There
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect
BACKGROUND State of Wisconsin agencies accepted more than 6 million credit/debit card payments annually through the following payment channels: Point of Sale (State agency location) Point of Sale (Retail-agent
Retrieval & Chargeback Best Practices A Merchant User s Guide to Help Manage Disputes Version Three November, 2010 www.firstdata.com THIS PAGE INTENTIONALLY LEFT BLANK. Developed by: First Data Payment
SUBJECT: Policy and Procedures PAGE: 1 of 5 INTRODUCTION During fiscal year 2014, State of Wisconsin agencies accepted approximately 6 million credit/debit card payments through the following payment channels:
Fraud Protection, You and Your Bank Maximize your chances to minimize your losses Presentation for Missouri GFOA April 2011 By: Terry Endres, VP, Government Treasury Solutions Phone: 314-466-6774 Terry.email@example.com
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
The requirements for PCI-DSS compliance are quite numerous and at times extremely complicated due to their interdependent nature and scope. The University has deemed it necessary for those areas currently
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission
1 BWA Merchant Services Credit Card Fraud Protection User Guide 2 Contents: 1. How to reduce the risk of card present fraud... 3 2. How to reduce the risk of card not present fraud... 5 3. Delivering the
Name: Dept: Date: Received Training Outline - Quick Reference Guide - DO NOT VOID Job Aid - Departmental Refund with Instructions - Video Notes Unit 1: Security Presentation Initial Unit 2: Presentation
Ball State University Credit/Debit Card Handling Policy and Procedures I. Background Ball State University accepts payments in various forms including cash, checks and electronic fund transfers. University
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
Best Practices for Internet Merchants The following best practices, taken from various experts, are offered to help you avoid being victimized by Internet fraud. Experience suggests that there are certain
CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new
BUSINESS POLICY TO: All Members of the University Community 2012:12 DATE: April 2012 CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05) Contents Section 1 Policy Statement... 2 Section
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder
Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive
Dear Valued Merchant, Welcome to Central Payment thank you for becoming our client. We are committed to providing our merchants with outstanding customer service and superior products. It is our company
THE ABC S of CREDIT CARD TERMINOLGY ACH Credit A transaction through the ACH network that results in money being placed in the receiver's account at the destination financial institution. Acquiring Bank
Rules for Visa Merchants Card Acceptance and Chargeback Management Guidelines Rules for Visa Merchants Card Acceptance and Chargeback Management Guidelines Table of Contents Introduction..............................................................
Online Payment Processing Definitions From Credit Research Foundation (http://www.crfonline.org/) The following glossary represents definitions for commonly-used terms in online payment processing. Address
Risk Management Best Practices 11 September 2014 Mitigating Fraud Risk Through Card Data Verification AP, Canada, CEMEA, LAC, U.S. Issuers, Processors With a number of cardholder payment options (e.g.,
Credit and Debit Card Handling Policy Updated October 1, 2014 City of Parkville 8880 Clark Ave. Parkville, MO 64152 Hours: 8:00-5:00 p.m. Monday -Friday Phone Number 816-741-7676 Email: firstname.lastname@example.org
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment