Langara College PCI Awareness Training

Transcription

1 Langara College PCI Awareness Training

2 Have you heard of PCI? Due to the increase of credit card fraud and identity theft, major credit card companies like Visa, MasterCard and Amex have formed a security council called the Payment Card Industry Security Standards Council (PCI-SSC). PCI-SSC s mission is to enhance payment card data security to minimize credit card fraud worldwide. For more information about PCI-SSC please visit their website at:

3 PCI-SSC The PCI Council was formed to protect cardholder data by educating merchants & the public about PCI Security. PCI has established 12 high level security standards consisting of up to 254 stringent requirements that merchants worldwide must achieve and maintain. Awareness is key for preventing payment card fraud!

4 Welcome to PCI awareness training Welcome to Payment Card Industry (PCI) awareness training on secure credit and debit card handling practices at Langara College. PCI Data Security Standards (PCI DSS) encompasses both credit and debit cards. For the purposes of this training, reference is made to payment cards, which means both credit and debit cards. This training will provide you with information on what you need to know as a Langara employee, and also how to protect your own payment cards.

5 Who needs training? To achieve and maintain PCI compliance requirements, the following training must be completed annually by: New and existing employees that handle and/or process payment cards. New and existing employees that MAY come in contact with payment card numbers or information.

6 You play a crucial role in protecting Langara from credit and debit card fraud To ensure we process payment card transactions safely and securely, we developed this training to educate employees on: 1. Why credit and debit card security is important 2. What the PCI project is all about 3. What the risks might be if Langara experienced a breach 4. What precautions employees should take when handling payment card information

7 Have you ever thought about How many credit cards you have in your wallet? How often you use your credit or debit card to purchase goods or services? How many credit cards you process or handle each day? If you re using a credit card safely?

8 Why should secure payment card handling be important to you? Every year 540,400 Canadians suffer financial loss due to credit card fraud The convenience of online purchasing has increased the exposure of credit card information and personal data to hackers Victims of fraud can experience huge financial losses, invasion of privacy and identity theft Safe and secure credit card handling is everyone s responsibility

9 Is your information secure? Between April and September 2014, Home Depot was hacked by unauthorized user(s) compromising over 56 million credit cards and user accounts. Other notable cases: 40 million customers affected 1.16 million credit cards affected 2.6 million credit cards affected 36% of Canadian companies in a study had experienced one or more cyber attacks in 2014

10 How do hackers steal information? Techniques: Phishing - s that direct you to enter your personal information in a fake website that looks legitimate. Spyware - to intercept or take control of your computer. Skimming RFID readers can be used to create a duplicate of your credit card. Hacking unauthorized access of your computer network

11 How does PCI apply to my work? College Policy establishes guidelines to protect Langara from possible repercussions of non-compliance including: Revocation of credit card acceptance privileges and resulting effects on business operations Fraudulent manipulation of cardholder data Damage to Langara s reputation Potential legal issues and insurance claims Substantial card issuer fines Loss of customer trust Help protect the college s business and reputation by recognizing your responsibilities in safe credit card handling!

12 Why is PCI important? Departments such as the Registrar s Office, International Education, Continuing Studies, the Bookstore and Financial Services accept credit and debit card payments. To protect the Langara community, every business unit that comes into contact with payment card transactions must follow secure card handling procedures In order to continue accepting payment cards, we must adhere to the security standards established by the PCI Council.

13 Why is PCI important? (Cont d) 94% of PCI DSS compliant companies say compliance improves their relationship with business partners $100K+ Potential cost of monthly fines for non-compliance PCI requirements $5.5M Average cost of a data breach 2.35 years Average time it takes merchants to become PCI compliant

14 How do we process credit cards? Langara uses PIN Pads for in-person transactions and various third-party applications to process online credit card payments. A PIN Pad is an electronic device used to input and encrypt the cardholder s Personal Identification Number (PIN) for debit and credit card transactions PIN Pads are also know as: Stand-alone terminals, Credit/debit machines, POS device/point of Sale terminal, Moneris device

15 Keeping our PIN Pads & Payment Processing Equipment Secure To help keep our PIN Pads and payment processing equipment secure: Check daily to ensure the PIN Pad is safeguarded against tampering or replacement with a fraudulent device Only allow authorized staff to operate credit card handling equipment Ensure the credit card terminal truncates the card account number so that only the last 4 digits are visible

16 Do Not Store Payment Card Data NEVER save and store payment card data in: Electronic files such as Excel, Word, PowerPoint or Shared drive folders, on your desktop or personal folders A document - if you write down a credit card number, destroy or delete it immediately after the transaction

17 Phone Transactions When accepting credit card information over the phone, ensure: The credit card number is entered into a PIN Pad device or online third party payment application If written down, the credit card number is destroyed or deleted immediately after processing the transaction The credit card number is not saved in a document

18 In-person transactions In-person credit card payments require, The credit card be present at the time of payment. The credit card be inserted into the PIN Pad device if it contains chip technology and a PIN is entered. Swiping the card if it does not have chip technology, and a signature is provided. That credit card numbers not be manually entered into a PIN Pad device for in-person transactions.

19 Keeping current on PCI It is important for all Langara employees that handle or may come in contact with credit card information to keep up with any changes that effect credit card security by reviewing this online information annually. Langara has current policy and procedures for handling credit and debit cards ( The best way to ensure you re up to date is to visit Langara s PCI website ( You can also check out the PCI website at: If you are aware of any areas or new processes where cardholder data exists and/or is not being adequately secured please talk to your manager and review Langara s current policy and procedures (see link above).

20 Keeping current on PCI: PCI Project The project objectives are to ensure Langara is compliant with PCI requirements by implementing new, or enhancing current processes to secure credit and debit card transactions. One of the strategies for PCI compliance is to outsource the processing of credit card information to a third party, which reduces the work that Langara must do to ensure compliancy. If a credit card breach were to occur, the consequences will affect all business units within the college. Current project status (as of July 2015): Initial assessment complete Analysis and documentation of non-compliant areas complete Employee Security awareness training started in Fall 2015 Analysis and implementation of solutions for non-compliant areas in progress For more information, please visit the project website:

21 Congratulations! You have completed your annual PCI online awareness information review. By reviewing this online module you acknowledge and understand the information presented. If you have any questions regarding the information provided in this online module or do not understand the implications of the policy, please contact Financial Services.