You will already have read and understood the following documentation, however do go back to any of these if you are unsure of what they cover:

Transcription

1 Pay Payment Card Industry Data Security Standards (PCI DSS) Quick Reference Guide Overview You should have already been trained, and possibly refreshed, in PCI DSS requirements, and how the standards relate to your employment duties at UWE. This guide will remind you of your responsibilities, and what is required of you operationally during your daily duties, to ensure the safety of cardholder data. You will already have read and understood the following documentation, however do go back to any of these if you are unsure of what they cover: UWE PCI DSS policy (and other policies linked into the document such as IT Security Policy); UWE Incident response Plan (section 11 of the PCI DSS Policy) details of what action should be taken in the event of a card data breach; what information needs to be reported, and who to report it to; UWE PDQ Management policy - for Managers responsible for Income Collection in their area. Reminder: What is PCI DSS? PCI DSS is a global standard of best practice that was designed by card payment brands, to increase security and decrease fraud relating to cardholder data. MasterCard or Visa can, and will, impose substantial financial penalties for non-compliance, with further financial penalties for any actual data breach incidents that arise. If there is a continued breach of data security, as a final resort, the University s permission to process card data may be removed. Reminder: How does PCI DSS relate to what I do? The following table summarises the key requirements for each payment method, which if properly followed, will greatly reduce the risk of cardholder data being stolen. Some of the scenarios might not be relevant or appropriate to you, however if you are unsure how to apply PCI DSS to your processes, please seek advice from your manager. Remember, the best defence against cardholder data theft is not to store it if we do not have it, it cannot be stolen from us.

2 Pay Payment method Do... Don t... Online Encourage students / customers to make payments online themselves where possible, and if not possible, offer an alternative payment method. DO NOT WRITE DOWN CARD DETAILS Face-to-face using a card terminal (PDQ cardholder present) PDQ terminal security However, in exceptional circumstances, card payments can be processed online if the student/customer cannot/will not pay online, by a trained member of staff working in the Income Office. Ensure that you are aware of how to detect a fraudulent key-logging device being installed to your computer (see Appendix 1), as this will enable cardholder data to be stolen. Once you have entered the amount, the customer should put their card in the terminal for chip and pin transactions, or pass their card over the terminal for contactless transactions. If your terminal prints the full Primary Account Number (PAN 16-digit card number) on the merchant (UWE) copy of the receipt, you must bring this to your manager s attention or contact the PCI DSS team immediately. Always keep the device in view during business hours, and locked away with restricted access outside of business hours. Managers are responsible for ensuring that PDQ s are properly and securely managed and controlled. DO NOT READ OUT CARD DETAILS Staff should not need to handle the customer s card.

3 PDQ terminal checks Always co-operate with the annual device audit undertaken by the Income Office Manager. Regularly inspect the device to detect tampering (see Appendix 1) or substitution (by checking the serial number or other device characteristics), as this will enable cardholder data to be stolen. Telephone (cardholder not present) Ensure that adequate controls exist for visitors of your restricted area where card payments are processed (if applicable e.g. Conference Centre); Ensure that all students and staff wear UWE identification lanyards; Ensure that all external visitors are authorised to enter, and escorted at all times; Ensure that all external visitors are identified and given a visitor badge, which is returned when they leave; Ensure that an external visitor log is maintained. Telephone payments are discouraged; students/customers are encouraged to pay online themselves. However, in exceptional circumstances, card payments can be processed by telephone if the payer cannot/will not pay online. If a telephone payment is taken, you must enter the details straight into the University s online software. If the software is not available for any reason, you should arrange to call the customer back when it is available, and then enter the details directly into the software during the call. Ensure you are aware of how to detect fraudulent key-logging device being installed on your computer. DO NOT READ OUT CARD DETAILS. DO NOT WRITE DOWN CARD DETAILS DO NOT RECORD TELEPHONE CALLS Calls where card payments are taken must never be recorded

4 Telephone (cardholder not present) cont d.. Card details received by post (application forms) Card details received by Card details received by fax or messaging technologie s (i.e. instant messaging and chat) Application forms may contain cardholder data, which must be securely locked away, with restricted access, until needed. Payment transactions must be processed as soon as possible, and within 5 working days of receiving the application form. After the payment has been processed, the application form should be hand delivered to the Income Office within 2 working days. The Income Office must immediately crossshred the card details section of the applications form, and securely store the rest of the form. Card details received by must be immediately and permanently deleted without being processed by permanently deleting it from Recover Deleted Items after it has been originally deleted. Card details received by fax must be crossshredded without being processed. Card details received by message must be deleted without being processed. If you receive cardholder details in any of these methods, the student / customer directly and advise them to pay online, or in person. DO NOT READ OUT CARD DETAILS When processing a card payment via telephone in a busy working area, never read the customer s card details back to them, in case you are overheard. You can confirm part of the number (e.g. the last 4 digits) if necessary. Never ask a customer to their card details to you. If a customer s you card details, you must not process them, or forward them onto another member of staff. Never ask a customer to provide cardholder details by any of these methods. Card details received by fax ore messaging must not be processed.

5 Physical storage and disposal of card data Electronic storage of card data Dealing with declined card transaction What should I do if I suspect someone has gained unauthorised access to card data? Cardholder data should only be retained and securely stored (locked away with restricted access), if there is a business need to do so If you are unsure if card details should be kept, check with your line manager. If you have any card data stored electronically, you must contact the PCI DSS team immediately (e.g. data stored in files, efax, recorded telephone calls) If you collect CCTV, you must ensure that it cannot capture card data. Advise the customer immediately if a card transaction is declined and offer an alternative payment option. If processed via a PDQ device, give the customer the customer copy receipt stating that the payment was declined and securely store the merchant copy. If processed online, advise the customer that they must contact their card issuer and offer an alternative payment option. If there has been a break in to an area where cardholder data is processed, or you believe a terminal has been tampered with, you must follow the PCI DSS policy section 11 - Incident Response Plan. Stop using that terminal/pc immediately and disconnect the network or telephone line - ensure that you keep the device under your watchful eye until told otherwise. Immediately record known or suspected incident details and your Line Manager, Income Office Manager, Data Protection Compliance Officer data data.protection@uwe.ac.uk and PCI DSS Team Finance.systems@uwe.ac.uk NEVER TAKE COPIES OF CARDHOLDER DATA E.g. on paper, spreadsheets, USB drives, or network shares. Card data must never be stored electronically if it is on our networks, there is the potential for unauthorised access. This includes data stored in files on your computer or network; electronic images, such as efax; recorded telephone calls. Do not take a note of the card details and try to re-process at a later date. Do not change anything on the terminal/pc. Do not unplug the terminal/pc. Do not continue to use the terminal/pc.

6 Pay Appendix 1 How to detect fraudulent tampering of your PDQ terminal and/or computer What is skimming? Skimming is a method used by criminals to capture data from the magnetic stripe on the back of a card. How does skimming work? Typically, someone in a workplace uses a small, manual skimmer to steal information from a card s magnetic stripe. That information is sold to criminals, put onto a counterfeit card and used to make fraudulent purchases. While making it look like they are performing maintenance, criminals can open the PDQ terminal and install the skimmer. In some circumstances, they remove the existing PDQ terminal and replace it with one already modified. They can also install a device on one of the PDQ terminal s communication cables, capturing the card information during its transmission. You should be vigilant of any potential skimming activity and take actions to prevent this criminal activity in your workplace. What does a skimming device look like? Skimming devices, or skimmers, come in many shapes and sizes, and are small and portable, with a slot where the card can be swiped and skimmed. Many of these devices are hand held but some can be installed inside the PDQ card terminal, or on one of its cables or connections. Manual Skimmer captures data Stored on the magnetic stripe of the card. Compact Manual Skimmer smaller version of the manual skimmer, can be concealed more easily. What is key logging? Key logging is where a device (key logger) is plugged into your computer s USB port by criminals, to record key strokes to capture data typed in. Hardware Key logger connected to your computer s USB port records keystrokes and stores the data.