PCI Policies Appalachian State University
|
|
- Evelyn Reed
- 6 years ago
- Views:
Transcription
1 PCI Policies 2011 Appalachian State University
2 Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements C. Contractual Requirements Concerning Fees D. Statutory Requirements Governing Transaction Fees E. The Credit Card Compliance Committee Section 2: Payment Card Industry Data Security Standards (PCI-DSS) Section 3: Campus Operating Policies A. Merchant Accounts and Credit Card Transactions B. Accepted Methods for Processing Credit Card Transactions C. Financial Controls D. Reporting Requirements for Actual or Suspected Security Incidents Terms: MSA PCI DSS STMS SAQ OSC NCOSC Master Service Agreement Payment Card Industry Data Security Standard SunTrust Merchant Services Self Assessment Questionnaire Office of State Controller North Carolina Office of State Controller CVV Card Verification Code or Value Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features. (1) Data element on a card's magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand: CVC Card Validation Code (MasterCard payment cards) _ CVV Card Verification Value (Visa and Discover payment cards)
3 _ CSC Card Security Code (American Express) (2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following list provides the terms for each card brand: _ CID Card Identification Number (American Express and Discover payment cards) _ CAV2 Card Authentication Value 2 (JCB payment cards) _ CVC2 Card Validation Code 2 (MasterCard payment cards) _ CVV2 Card Verification Value 2 (Visa payment cards)
4 Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments All departments must get approval from the University Controller to sell goods or services. A copy of this approval will be on file in the Office of Internal Audits. Furthermore, additional and separate approval must be obtained from the Credit Card Compliance Committee in order for the department to accept credit cards from its customers as a payment option. Approval is only given to departments that meet Payment Card Industry Data Security Standards, attend training and comply with University PCI policies, NCOSC Electronic Commerce Policies and State Cash Management Law. B. State Requirements Senate Bill 222 passed in 1999 amended several statutes that authorized the State Controller to issue policies relating to "electronic payments," which support the Statewide Electronic Commerce Program (SECP). All entities subject to the State's Cash Management Law, and all entities that participate in one or both of the Master Services Agreements (Electronic Funds Transfer and Merchant Cards) are subject to the policies. Entities are encouraged to be fully aware of the policies to ensure compliance. As a prerequisite for participating under the MSA, Appalachian State University is required to comply with all card association rules. This includes the rules pertaining to the PCI Data Security Standard. C. Contractual Requirements Concerning Fines A department can be fined by a card association even if a security breach has not occurred. It is uncertain as to how aggressive the card associations will be in levying fines for such non-compliant merchants that might be detected. Visa has announced its fine structure. Effective September 30, 2007, Visa will levy a monthly fine of $25,000 to any level 1 merchant (department) detected as non-compliant. Effective December 31, 2007, Visa will levy a monthly fine of $5,000 to any level 2 merchant detected as noncompliant. Departments at Appalachian State University are considered level 2 merchants. In the event of a breach, all fines and expenses associated with the breach will be borne by the department accepting the credit card that was compromised. Related expenses in addition to the fine could include but are not limited to labor and supply cost
5 associated with identifying and notifying the population exposed by the breach. All costs associated with any required external audits will also be paid by the department, which could be significant. E. Statutory Requirements Governing Transaction Fees University Policy on transaction fees: The University does not allow transaction fees to be assessed on credit card transactions. F. The Credit Card Compliance Committee In an effort to ensure compliance with MSA, State s Cash Management Law and PCI DSS, the Credit Card Compliance Committee has been established. This committee is made up of members from Business Affairs, Internal Audits and Information Technology. This Committee has been charged to provide oversight of credit card activity, the University s participation in the MSA and compliance with PCI Standards. North Carolina State Controller s Office requires that each participant must participate in any security assessments and security scans required by the associations and/or OSC, in order to be and to remain compliant with Payment Card Industry (PCI) Security Standards, and be responsible for any fines levied as the result of not being compliant. Section 2 - Payment Card Industry Data Security Standards (PCI-DSS) PCI-DSS are national standards from the Card Association and apply to all organizations anywhere in the country that process, transmit or store credit cardholder information. The University and all departments that process payment card data have a contractual obligation to adhere to the PCI-DSS and for annually certifying their continued compliance by submitting the PCI-DSS Self Assessment Questionnaire (SAQ) appropriate to their credit card activities. Any costs incurred by a participant to become and remain compliant with the PCI Data Security Standards, including but not limited to an annual penetration test (if applicable), shall be borne by the participant. Any costs incurred by the University associated with an onsite security audit or a forensic investigation that may be required shall be borne by the department. Individual credit card information is confidential. Failure to maintain strict controls over this data could result in unauthorized use of credit card data. Credit card information is confidential information and should be treated with great care.
6 Key Data Control Items 1. Under no circumstances should a department store sensitive authentication data (track data from the magnetic stripe, card-validation code CVV2 data,) after authorization (not even if encrypted). 2. Never send or request cardholder information to be sent via . Departmental forms (web and mail order forms) should be designed so that credit card information can be easily and completely removed from the registration information. You should never ask for the CVV2 code to be mailed to you unless you have a strong business case for the number i.e. shipping a product. Just having the CVV2 code increases the department s liability. Once the credit card has been processed, all credit card information must be destroyed immediately via a cross shredder. It is not sufficient to simply mark out the credit card information. Websites and forms should state that credit card information should never be ed to the department. 3. Customer records located within a department should be stored only if there is a documented business need and in a locked non-portable cabinet dedicated solely to these records. The Controller s Office will approve each department s business need, a proper retention schedule and method of disposing or deleting sensitive card holder information. 4. Access to these records should be limited to only those employees who need this information to perform approved duties. 5. Under no circumstances should a department retain electronically (including Excel files, thumb drives, shadow databases, etc.) the card numbers and expiration dates of the customer credit cards. 6. Make sure all access to storage areas is secure and that all visitors are authorized to enter areas that cardholder data is processed or maintained. 7. Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data. 8. Do not use wireless PCs for processing credit card data unless approved in writing by the Credit Card Compliance Committee.
7 9. All personnel who have direct access to on-line credit card information are required to attend the PCI Security Training and to have read the University Credit Card Policy. 10. All credit card information temporarily recorded on paper should be processed immediately and then the paper document should be properly destroyed in cross cut shredder. 11. The customer copy of the credit card receipt can only contain the last 4 digits of the credit card number. It is required that departments use double truncation which permits only the last 4 digits to be printed on both the merchant and customer receipt. 12. Never send credit card information to the University Archives. Receipts should be destroyed via cross cut shredder immediately after the approved business need has expired. 13. Departments must assure that all university computers have installed the most recent updated versions of the University recommended antivirus, spyware detection software and other recommended security software. All general purpose (desktop) computers that handle credit card data must run an approved university build and be configured as a sensitive data workstation. Exceptions to this policy must be documented with compensating controls to replace the protections provided by the university build and sensitive data workstation configuration. Section 3 - Campus Operating Policies A. Merchant Accounts and Credit Card Transactions Departments cannot negotiate their own contracts with credit card processing companies. All merchant accounts for accepting credit cards must be approved by the Credit Card Compliance Committee and participate in the State s MSA. Each Department is responsible for all expenses associated with credit card merchant accounts and it cannot adjust the price of goods or services based on the method of payment. B. Accepted Methods for Processing Credit Card Transactions There are 2 accepted methods for processing transactions: (1) First Data Connect, and (2) card swipe terminal. Other methods of processing credit cards and other gateways
8 are not permitted unless authorized in writing by the Credit Card Compliance Committee and North Carolina State Controller s Office. A department planning to allow its customers to use credit cards over the web will be responsible for designing the departmental website. This website will serve as the window to the approved gateway. Credit card information must not be stored directly on the department s webpage nor entered into the website. The website and its connection to the approved gateway will be reviewed by the Credit Card Compliance Committee to ensure that it meets Payment Card Industry Data Security Standards. C. Financial Controls When an item or service is purchased using a credit card, and a refund is necessary, the refund must be credited to the same credit card account from which the purchase was made. All transactions must be settled and recorded daily in the University s financial system via proper reporting to The Cashier s Office. The department s (merchant s) copy of the receipt should not contain the full card number and expiration date. The merchant s copy of the receipt should only contain the full number and expiration date if there is a business reason for doing so. The merchant copy of the receipts must be kept in a secure place (i.e. locked cabinet with minimal access) for no more than 90 days. At the end of 90 days, the receipts should be destroyed in a secure manner, via cross cut shredder. Departments must assure that all university computers have installed the most recent updated versions of the University recommended antivirus, spyware detection software and other recommended security software. All general purpose (desktop) computers that handle credit card data must run an approved university build and be configured as a sensitive data workstation. Exceptions to this policy must be documented with compensating controls to replace the protections provided by the university build and sensitive data workstation configuration. D. Reporting Requirements for Actual or Suspected Security Incidents Departments must report any actual or suspected security incident in which cardholder information may have been compromised. The incident should be reported to Credit Card Compliance Committee and the University Controller. If the incident involved the loss or suspected compromise of stored or processed electronic data, it must also be reported to the IT Security Officer. THIS MUST BE DONE IMMEDIATELY. The University must report all breaches to the State Controller s Office within 24 HOURS OF DECTECTION.
9
Appendix 1 Payment Card Industry Data Security Standards Program
Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect
05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
Information Technology
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business
DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc
University of Virginia Credit Card Requirements
University of Virginia Credit Card Requirements The University of Virginia recognizes that e-commerce is critical for the efficient operation of the University, and in particular for collecting revenue.
Policy Title: Payment Cards Policy Effective Date: 5/5/2010. Policy Number: FA-PO-1214 Date of Last Revision: 11/5/2014
Policy Title: Effective Date: 5/5/2010 Policy Number: FA-PO-1214 Date of Last Revision: 11/5/2014 Oversight Department: Financial Services Next Review Date: 10/1/2016 1. PURPOSE The for Radford University
TERMINAL CONTROL MEASURES
UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University
COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL
PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card
UW Platteville Credit Card Handling Policy
UW Platteville Credit Card Handling Policy Issued: December 2011 Revision History: November 7, 2013; July 11, 2014; November 1, 2014; August 24, 2015 Overview: In order for UW Platteville to accept credit
Credit Card Processing and Security Policy
Credit Card Processing and Security Policy Policy Number: Reserved for future use Responsible Official: Vice President of Administration and Finance Responsible Office: Student Account Services Effective
POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS
Publication Date 2009-08-11 Issued by: Financial Services Chief Information Officer Revision V 1.0 POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS Overview: There
BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)
BUSINESS POLICY TO: All Members of the University Community 2012:12 DATE: April 2012 CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05) Contents Section 1 Policy Statement... 2 Section
6-8065 Payment Card Industry Compliance
0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
University Policy Accepting and Handling Payment Cards to Conduct University Business
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
Credit Card Handling Security Standards
Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges
POLICY SECTION 509: Electronic Financial Transaction Procedures
Page 1 POLICY SECTION 509: Electronic Financial Transaction Procedures Source: NDSU President NDSU VP for Finance and Administration NDSU VP for Information Technology A. Purpose / Rationale Many NDSU
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
Frequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
Accepting Payment Cards and ecommerce Payments
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
University Policy Accepting Credit Cards to Conduct University Business
BROWN UNIVERSITY University Policy Accepting Credit Cards to Conduct University Business Purpose Brown University requires all departments that are involved with credit card handling to do so in compliance
POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants
POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration
Viterbo University Credit Card Processing & Data Security Procedures and Policy
The requirements for PCI-DSS compliance are quite numerous and at times extremely complicated due to their interdependent nature and scope. The University has deemed it necessary for those areas currently
SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
b. USNH requires that all campus organizations and departments collecting credit card receipts:
USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System
New York University University Policies
New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance
2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)
CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with
Payment Cardholder Data Handling Procedures (required to accept any credit card payments)
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
CREDIT CARD PROCESSING POLICY AND PROCEDURES
CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.
SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES
SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES POLICY STATEMENT Introduction Some San Diego State University Research Foundation
Fraud - Preparing Data Card Transactions
Liverpool Hope University PCI DSS Policy Document Control Date Revision/Amendment Details & Reason Author 26 th March 2015 Updates G. Donelan 23 rd June 2015 Audit Committee 7 th July 2015 University Council
Accounting and Administrative Manual Section 100: Accounting and Finance
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
Credit and Debit Card Handling Policy Updated October 1, 2014
Credit and Debit Card Handling Policy Updated October 1, 2014 City of Parkville 8880 Clark Ave. Parkville, MO 64152 Hours: 8:00-5:00 p.m. Monday -Friday Phone Number 816-741-7676 Email: cityhall@parkvillemo.gov
Payment Card Industry Data Security Standards
Payment Card Industry Data Security Standards PCI DSS Rhonda Chorney Manager, Revenue Capital & General Accounting Today s Agenda 1. What is PCI DSS? 2. Where are we today? 3. Why is compliance so important?
Vanderbilt University
Vanderbilt University Payment Card Processing and PCI Compliance Policy and Procedures Manual PCI Compliance Office Information Technology Treasury VUMC Finance Table of Contents Policy... 2 I. Purpose...
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft
UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents
UNL PAYMENT CARD POLICY AND PROCEDURES Table of Contents Payment Card Merchant Security Standards Policy and Procedures... 2 Introduction... 4 Payment Card Industry Data Security Standard... 4 Definitions...
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY Processing Electronic Card Payments Introduction and Policy Aim The Payment Card Industry Data Security Standard (PCI-DSS) is a worldwide information
ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS
UNIVERSITY OF NORTH DAKOTA FINANCE & OPERATIONS POLICY LIBRARY ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS Policy 2.3, Accepting Credit Cards and Electronic Checks to Conduct
Failure to follow the following procedures may subject the state to significant losses, including:
SUBJECT: Policy and Procedures PAGE: 1 of 5 INTRODUCTION During fiscal year 2014, State of Wisconsin agencies accepted approximately 6 million credit/debit card payments through the following payment channels:
How To Complete A Pci Ds Self Assessment Questionnaire
Department PCI Self-Assessment Questionnaire Version 1.1 2009 Attestation of Compliance Instructions for Submission This Department PCI Self-Assessment Questionnaire has been developed as an assessment
688 Sherbrooke Street West, Room 730 James Administration Building, Room 524
'McGill Sylvia Franke, LL.B., B.Sc. Albert Caponi, C.A. Chief Information Officer Assistant Vice-Principal (Financial Services) 688 Sherbrooke Street West, Room 730 James Administration Building, Room
Becoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data
PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on
Understanding Payment Card Industry (PCI) Data Security
Understanding Payment Card Industry (PCI) Data Security Office of the State Controller November 2010 State of North Carolina The Enemy Major Security Breaches TJ-Max Heartland Hannaford Foods BJ s Wholesale
What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
Important Info for Youth Sports Associations
Important Info for Youth Sports Associations What the Heck is PCI DSS and Why Should I Care? Joe Posey Terrapin Financial Services Your Club is an ecommerce Business You accept online registration over
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
How To Control Credit Card And Debit Card Payments In Wisconsin
BACKGROUND State of Wisconsin agencies accepted more than 6 million credit/debit card payments annually through the following payment channels: Point of Sale (State agency location) Point of Sale (Retail-agent
PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014
PCI Data Security Standards Presented by Pat Bergamo for the NJTC February 6, 2014 Introduction 3/3/2014 2 Your Speaker Patrick Bergamo, CISSP Director of Information Security & Delivery Delta Corporate
Payment Card Acceptance Administrative Policy
Administrative Procedure Approved By: Brandon Gilliland, Associate Vice President for Finance & Controller Effective Date: October 1, 2014 History: Approval Date: September 25, 2014 Revisions: Type: Administrative
Clark University's PCI Compliance Policy
ï» Clark University's PCI Compliance Policy Who Should Read this Policy: All persons who have access to credit card information, including: Every employee that accesses handles or maintains credit card
Standards for Business Processes, Paper and Electronic Processing
Payment Card Acceptance Information and Procedure Guide (for publication on the Treasury Webpages) A companion guide to University policy 6120, Payment Card Acceptance Standards for Business Processes,
CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures
UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures Background Colleges and universities have traditionally had open networks of information that foster the exchange
WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS
WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS I. Introduction, Background and Purpose This Merchant Account Agreement (the Merchant Agreement or Agreement ) is entered
UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL
UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Credit Card Handling and Acceptance Policy Policy Number: C3875 Effective Date: November 8, 2006 Issuing Authority: Office of VP Business and
Ball State University Credit/Debit Card Handling Policy and Procedures
Ball State University Credit/Debit Card Handling Policy and Procedures I. Background Ball State University accepts payments in various forms including cash, checks and electronic fund transfers. University
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper
Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission
Emory University & Emory Healthcare
Emory University & Emory Healthcare Payment Card Processing and Compliance Policy and Procedures Manual Office of Cash and Debt Management Mailstop 1599-001-1AE 1599 Clifton Road, 3 rd Floor Atlanta, GA
Dartmouth College Merchant Credit Card Policy for Processors
Mission Statement Dartmouth College Merchant Credit Card Policy for Processors Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the
Josiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
University of Oregon Policy Statement Development Form
University of Oregon Policy Statement Development Form Policy Title: Electronic Commerce Policy submitted by: Name: Mark McCulloch Phone: 541 346 6249 Email: mmccullo@uoregon.edu Organization: Business
McGill Merchant Manual
McGill Merchant Manual The McGill Merchant Manual is a complementary document to the Merchant (PCI) Policy and Procedures and serves to aid Merchants in ensuring their operations comply with Payment Card
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.
Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: 07-23-15 Approval Date: 07-27-15 POLICY: All individuals involved in handling credit and debit card transactions
References: County Policy Manual- Credit Card Payments; Vendor Remote Access Request Form
Procedure Credit Card Processing Vendor Evaluation, Contracting, and Management Last Update: January 19, 2016 References: County Policy Manual- Credit Card Payments; Vendor Remote Access Request Form Purpose:
ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:
Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College
Cal Poly PCI DSS Compliance Training and Information. Information Security http://security.calpoly.edu 1
Cal Poly PCI DSS Compliance Training and Information Information Security http://security.calpoly.edu 1 Training Objectives Understanding PCI DSS What is it? How to comply with requirements Appropriate
UCSD Credit Card Processing Policy & Procedure
UCSD Credit Card Processing Policy & Procedure The Payment Process UCSD accepts Visa, MasterCard, American Express and Discover credit cards. We perform credit transactions only, no debit sales with cash
PCI Compliance Information Packet for Volunteers - Credit Card Processing for Product Sales and Online Camp / Event Registration
PCI Compliance Information Packet for Volunteers - Credit Card Processing for Product Sales and Online Camp / Event Registration Table of Contents Introduction to Credit Card Processing for Product Sales
The University of Georgia Credit/Debit Card Processing Procedures
The University of Georgia Credit/Debit Card Processing Procedures The University of Georgia currently accepts four major credit cards (MasterCard, Visa, Discover and American Express) for payment of services
Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration
Andrews University Payment Card Acceptance Policies & Procedures Prepared by Financial Administration July 12, 2011 Part I: Introduction of Policy and Purpose Formatted: Font: 12 pt In order to protect
Payment Card Industry Data Security Standards Compliance
Payment Card Industry Data Security Standards Compliance Please turn off, or to vibrate, all cell-phones/electronics Expected course length: 1 Hour Questions are welcomed. Who Created It? & What Is It?
http://www4.uwm.edu/bfs/depts/acct/creditcardacceptance/credit-card-acceptance.cfm
Section: Accounting Revised Date: 05/31/2011 Procedure: 2.2.23 Credit Card Acceptance Home Page http://www4.uwm.edu/bfs/depts/acct/creditcardacceptance/credit-card-acceptance.cfm Operating Principles:
Policies and Procedures. Merchant Card Services Office of Treasury Operations
Policies and Procedures Merchant Card Services Office of Treasury Operations 1 Welcome! Table of Contents: Introduction Establishing Payment Card Services Payment Card Acceptance Procedures Payment Card
Office of Finance and Treasury
Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive
Saint Louis University Merchant Card Processing Policy & Procedures
Saint Louis University Merchant Card Processing Policy & Procedures Overview: Policies and procedures for processing credit card transactions and properly storing credit card data physically and electronically.
Your Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)
Procedure Credit Card Handling and Security for Departments/Divisions and Elected/Appointed Offices Last Update: January 19, 2016 References: Credit Card Payments Policy Purpose: To comply with the Payment
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage
PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates
PCI-DSS Compliance Ron Dinwiddie Chief Technology Officer J. Spargo & Associates Agenda What is PCI Compliance Why is PCI Important How does this impact me? Becoming PCI Compliant JSA PCI Strategy Risk
Validation of PCI Compliance Requirements NC Office of the State Controller June 23, 2015
Validation of PCI Compliance Requirements NC Office of the State Controller June 23, 2015 Purpose The purpose of this document is to provide instructions to entities that subscribe to merchant cards processing
PCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
The University of Michigan Treasurer s Office Card Services. Merchant Services Policy Document
Merchant # (Treasurer s Office Use Only): The University of Michigan Treasurer s Office Card Services Merchant Services Policy Document Business Purpose: Merchant Name (25 characters max): Originator:
PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson
PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson Overview What is PCI? MCCS Compliance PCI DSS Technical Requirements MCCS Information Security Policies
ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:
Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College