Payment Card Industry (PCI) Policy Manual. Network and Computer Services
|
|
- Rodger Booker
- 5 years ago
- Views:
Transcription
1 Payment Card Industry (PCI) Policy Manual Network and Computer Services
2 Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology (IT) Network and Computer Services (NCS) and applies to students, faculty, staff, visitors, guests, affiliated campus organizations or non- profit groups, and other individuals, groups and organizations relying on the Black Hills State University as a host through contractual relationships (users). BHSU operates under the governing control of South Dakota Board of Regents (SDBOR). All policies in this manual are superseded by South Dakota Codified Law and SDBOR policies. Should you have any questions regarding use of IT systems, please contact NCS.
3 Table of Contents Compliance with Payment Card Industry (PCI) Policy Compliance with Payment Card Industry Data Security Standards (PCI DSS) Credit Card Processing (PCI DSS) Credit Cardholder Data Access Control in Compliance with Payment Card Industry Data Security Standards (PCI DSS) Authorizing Third Party Service Providers in Compliance with Payment Card Industry Data Security Standards (PCI DSS) Use of Employee Facing Technologies in Compliance with Payment Card Industry Data Security Standards (PCI DSS) Information Security Responsibilities Related to Compliance with Payment Card Industry Data Security Standards (PCI DSS) Vulnerability Scans in Compliance with Payment Card Industry Data Security Standards (PCI DSS)... 15
4
5 Compliance with Payment Card Industry (PCI) Policy Introduction The payment card industry (PCI) denotes the debit, credit, prepaid, e- purse, ATM (Automated Teller Machine), and POS (Point of Sale) cards and associated businesses. The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures. PCI DSS comprises a minimum set of requirements for protecting cardholder data. Definitions Access Control: Mechanisms that limit availability of information or information- processing resources only to authorized persons or applications. Card Verification Code or Value: Data element on a card'ʹs magnetic stripe that uses a secure cryptographic process to protect data integrity on the stripe and reveals any alteration or counterfeiting (referred to as CAV, CVC, CVV or CSC, depending on payment card) CVC Card Validation Code (MasterCard payment cards) CVV Card Verification Value (Visa and Discover payment cards) CSC Card Security Code (American Express) Cardholder Data: Cardholder data is any personally identifiable information associated with a user of a credit/debit. Primary account number (PAN), name, expiry date, and card verification value 2 (CVV2) are included in this definition. Cardholder Data Environment: Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder Network and Computer Services - Information Technology Policy Manual 1
6 data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment. Data: Pieces of information from which understandable information is derived. Data are a collection of information or facts usually gathered as the result of experience, observation, experiment or processes within a computer system or premises. Data may consist of numbers, words or images, particularly as measurements or observations of a set of variables. Data are often viewed as the lowest level of abstraction from which information and knowledge are derived. Database: Structured format for organizing and maintaining easily retrievable information. Simple database examples are tables and spreadsheets. Degaussing: Also called disk degaussing, it is the process or technique that demagnetizes the disk so that all data stored on the disk are permanently destroyed. Disk Encryption: Technique or technology (either software or hardware) for encrypting all stored data on a device (e.g., hard disk, flash drive). Alternatively, File- Level Encryption or Column- Level Database Encryption is used to encrypt contents of specific files or columns. ecommerce: Business transactions over electronic means. This normally means the internet, but can include any electronic interaction including automated phone banks, touch screen kiosks, or even ATMs. Transactions can include debit/credit cards, but also include any electronic transfer of funds via ACH. Encryption: Process of converting information into a form only intelligible to holders of a specific cryptographic key. The use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure. Full Magnetic Stripe Data: Also referred to as track data. Data encoded in the magnetic stripe or chip is used for authorization during payment transactions. Can be the magnetic stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe. Entities must not retain full magnetic stripe data after obtaining transaction authorization. Primary Account Number (PAN): Acronym for primary account number and also referred to as account number. Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. 2 Network and Computer Services - Information Technology Policy Manual
7 Removable Electronic Media: Media that store digitized data and can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD- ROM, DVD- ROM, USB flash drives and removable hard drives. Sanitization: Process for deleting sensitive data from a file, device or system; or for rendering data useless if accessed in an attack Secure Wipe: Also called secure delete, a program utility used to delete specific files permanently from a computer system Sensitive Authentication Data: Security- related information (card validation codes/values, full magnetic- stripe data, PINs and PIN blocks) used to authenticate cardholders, appearing in plain- text or otherwise unprotected form Service Code: Three- digit or four- digit value in magnetic- stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange or identifying usage restrictions. System Components: Any network component, server or application included in or connected to the cardholder data environment Types of Data: Data may be in electronic media or in hardcopy format. The following is a list of where data and, specifically, cardholder data may reside: Electronic Media: Electronic media are the bits and bytes contained in hard drives, random access memory (RAM), read- only memory (ROM), disks, memory devices, phones, mobile computing devices, networking equipment and various others. Hard drives Tapes/media CDs DVDs Compact flash drives, SD Dynamic Random Access Memory (DRAM) Read Only Memory (ROM and the different variations thereof) Random Access Memory (RAM) Flash cards USB drives, removable media, memory sticks Network and Computer Services - Information Technology Policy Manual 3
8 Hardcopy Format: Hard copy media are physical representations of information. Paper printouts, printers, facsimile ribbons, drums and platens are all examples of hardcopy media. Paper receipts or other supporting hardcopy documents and receipts Credit card printouts from processing machines Invoices Purchase orders Off- line hard copy batch printouts Other hardcopy formats as identified by organizations 4 Network and Computer Services - Information Technology Policy Manual
9 Compliance with Payment Card Industry Data Security Standards (PCI DSS) NUMBER: OFFICE OF RECORD: Network and Computer Services ISSUED BY: Director of Network and Computer Services APPROVED BY: Dr. Kay Schallenkamp, President EFFECTIVE DATE: October 17, 2012 REVIEWED DATE: February 14, 2013 REPLACES: N/A Purpose In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, Black Hills State University has established a formal policy and supporting procedures regarding PCI Security Policies. This policy shall be reviewed by the NCS director or designee on an annual basis for compliance and for ensuring its adequacy and relevancy regarding the University'ʹs needs and goals. Scope This policy applies to all Black Hills State University PCI DSS related security policies. Policy Black Hills State University shall publish all PCI DSS related policies on the BHSU web site. The policies shall also be disseminated to all relevant vendors, contractors, and business partners. Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please see the Employee Handbook for guidelines. Network and Computer Services - Information Technology Policy Manual 5
10 Credit Card Processing (PCI DSS) NUMBER: OFFICE OF RECORD: Network and Computer Services ISSUED BY: Director of Network and Computer Services APPROVED BY: Dr. Kay Schallenkamp, President EFFECTIVE DATE: November 11, 2012 REVIEWED DATE: February 14, 2013 REPLACES: October 17, 2012 Purpose In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, Black Hills State University (BHSU) has established a formal policy for credit card processing. This policy shall be reviewed for content and compliance by the NCS director or designee on an annual basis. Scope This policy applies to all systems that are subject to PCI DSS requirements. Policy BHSU employees who receive credit card information on paper shall process the transaction immediately. As soon as the transaction has been processed, the credit card information shall be destroyed by shredding through a cross- cut shredder. Credit card transactions shall not be conducted via e- mail or other unsecured communication methods (chat, instant messaging, voic , etc.) nor stored on any form of media such as a computer, flash drive, external hard- drive, etc. (including scanned images). If an employee receives an or other unsecured communication with cardholder data, that employee must delete the message immediately. The employee must then contact the sender to inform them that the transaction cannot be processed and to provide an alternative means to complete their transaction. If it is necessary for staff to accept credit card information over the phone, the information is to be written on a piece of paper and hand- delivered to the appropriate office for processing. The paper containing the credit card information shall be held in secure storage until the transaction is verified. It 6 Network and Computer Services - Information Technology Policy Manual
11 shall then continue to be held in secure storage until it is shredded on a cross- cut shredder. Credit card information may be faxed to an office. However, the fax machine must be in a secure area. Faxed information must be immediately hand delivered to the appropriate office for processing. Any electronic memory on fax/scanning machines used to disseminate credit card information must be fully erased or physically destroyed when the equipment is retired. All forms shall be designed so that any credit card information can be easily cut off and shredded after processing. Any forms containing cardholder information must be held in secure storage, until the transaction is verified, and then it shall be shredded on a cross- cut shredder. Terminals and underlying applications must be configured to mask the PAN when displayed. The security code shall not be requested for any transaction unless through an authorized third party service provider. All terminals and underlying systems must be configured to truncate account numbers on printed copies of receipts. Recurring payments shall be handled by the credit card service provider and will not require access to the PAN by BHSU employees. Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please see the Employee Handbook for guidelines. Revision History October November 2012 (Clarified electronic cardholder data transaction) Network and Computer Services - Information Technology Policy Manual 7
12 Credit Cardholder Data Access Control in Compliance with Payment Card Industry Data Security Standards (PCI DSS) NUMBER: OFFICE OF RECORD: Network and Computer Services ISSUED BY: Director of Network and Computer Services APPROVED BY: Dr. Kay Schallenkamp, President EFFECTIVE DATE: October 17, 2012 REVIEWED DATE: February 14, 2013 REPLACES: October 17, 2012 Purpose In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, Black Hills State University has established a formal policy and supporting procedures regarding cardholder data access control. This policy shall be reviewed for content and compliance by the NCS director or designee on an annual basis. Scope This policy applies to all systems in the cardholder data environment. Policy Black Hills State University shall protect cardholder data by ensuring the following access controls are in place in the cardholder data environment: Access rights for privileged users are restricted to the fewest privileges necessary to perform job responsibilities Privileges are assigned to individuals based on job classification and function, such as Role- Based Access Control (RBAC) An e- mail process is utilized to request access to cardholder. This request must specify the privileges requested and the duration of the request. The message must be submitted to the Director of Network and Computer Services by the individual s supervisor. Access controls are implemented via an automated access control system Access control systems are in place on all system components Access control systems are configured to enforce privileges assigned to individuals based on job classification and function 8 Network and Computer Services - Information Technology Policy Manual
13 Access control systems have a deny all setting Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please see the Employee Handbook for guidelines. Network and Computer Services - Information Technology Policy Manual 9
14 Authorizing Third Party Service Providers in Compliance with Payment Card Industry Data Security Standards (PCI DSS) NUMBER: OFFICE OF RECORD: Network and Computer Services ISSUED BY: Director of Network and Computer Services APPROVED BY: Dr. Kay Schallenkamp, President EFFECTIVE DATE: October 17, 2012 REVIEWED DATE: February 14, 2013 REPLACES: N/A Purpose In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, Black Hills State University has established formal procedures regarding the addition of an authorized third party service provider. This policy shall be reviewed for content and compliance by the NCS director or designee on an annual basis. Scope This policy applies to the addition of any third party service provider to the list of authorized service providers. Policy To add a new Service Provider, a department must: 1. Discuss the reasons for adding the Service Provider with the Controller or Vice President for Finance and Administration. 2. The credentials of the Service Provider must be researched. To be considered, the Service Provider should be a Level 1 processer and be named on the list of processors approved by Visa and MasterCard. 3. Obtain a copy of the proposed contract from the Service Provider. 4. Submit the contract to the Controller and Vice President for Finance and Administration. Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please see the Employee Handbook for guidelines. 10 Network and Computer Services - Information Technology Policy Manual
15 Use of Employee Facing Technologies in Compliance with Payment Card Industry Data Security Standards (PCI DSS) NUMBER: OFFICE OF RECORD: Network and Computer Services ISSUED BY: Director of Network and Computer Services APPROVED BY: Dr. Kay Schallenkamp, President EFFECTIVE DATE: October 17, 2012 REVIEWED DATE: February 14, 2013 REPLACES: N/A Purpose In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, Black Hills State University (BHSU) has established a formal policy and supporting procedures regarding the use of employee facing technologies. This policy shall be reviewed for content and compliance by the NCS director or designee on an annual basis. Scope This policy applies to all BHSU employees facing mobile technology used in the cardholder data environment. Employees facing mobile technologies are system components and additional IT resources deemed critical by Black Hills State University. Some examples of employee facing technologies are: Remote access technologies Wireless technologies Removable electronic media Laptops Personal Data Assistants (PDA) Cell phone For definitions of certain terms see the Compliance with Payment Card Industry Data Security Standards (PCI DSS) policy document. Policy BHSU will ensure that the usage policies for critical employee facing technologies shall adhere to the following conditions for purposes of complying with the Payment Card Network and Computer Services - Information Technology Policy Manual 11
16 Industry Data Security Standards (PCI DSS) initiatives (Security Standards Council 2009): BHSU shall require explicit management approval to use the technologies. BHSU shall require all technology use be authenticated with user ID and password or other authentication item. BHSU maintains a list of all devices. BHSU shall require acceptable uses for the technology. BHSU shall require acceptable network locations for the technology. BHSU shall require a list of company- approved products. BHSU shall require automatic disconnect of sessions for remote- access technologies after a specific period of inactivity. BHSU shall require activation of remote- access technologies used by vendors only when needed by vendors, with immediate deactivation after use. BHSU shall prohibit copying, moving or storage of cardholder data onto local hard drives or removable electronic media when accessing such data via remote- access technologies. Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please see the Employee Handbook for guidelines. 12 Network and Computer Services - Information Technology Policy Manual
17 Information Security Responsibilities Related to Compliance with Payment Card Industry Data Security Standards (PCI DSS) NUMBER: OFFICE OF RECORD: Network and Computer Services ISSUED BY: Director of Network and Computer Services APPROVED BY: Dr. Kay Schallenkamp, President EFFECTIVE DATE: October 17, 2012 REVIEWED DATE: February 14, 2013 REPLACES: N/A Purpose In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, Black Hills State University (BHSU) has established a formal policy and supporting procedures regarding Information Security Responsibilities. This policy shall be reviewed for content and compliance by the NCS director or designee on an annual basis. Scope This policy applies to all employees and contractors who have access to the BHSU cardholder data environment. Policy BHSU shall ensure that the Information Security Responsibilities policy adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standards (PCI DSS) initiatives (Security Standards Council 2009): Formal assignment of information security is to be given to the BHSU Chief Information Officer (CIO) and Director of Network and Computer Services. The responsibility for creating and distributing security policies and procedures is to be formally assigned to the CIO and Director of Network and Computer Services. The responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business Network and Computer Services - Information Technology Policy Manual 13
18 unit management personnel is to be formally assigned to the Network and Computer Services Network Security Officer. The responsibility for creating and distributing security incident response and escalation procedures is to be formally assigned to the BHSU Network Security Officer. The responsibility for administering user account and authentication management is to be formally assigned to the Director of BHSU Network and Computer Services. The responsibility for monitoring and controlling all access to cardholder data is to be formally assigned to the Controller. Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please see the Employee Handbook for guidelines. 14 Network and Computer Services - Information Technology Policy Manual
19 Vulnerability Scans in Compliance with Payment Card Industry Data Security Standards (PCI DSS) NUMBER: OFFICE OF RECORD: Network and Computer Services ISSUED BY: Director of Network and Computer Services APPROVED BY: Dr. Kay Schallenkamp, President EFFECTIVE DATE: October 17, 2012 REVIEWED DATE: February 14, 2013 REPLACES: N/A Purpose In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, Black Hills State University (BHSU) has established a formal policy for conducting vulnerability scans. This policy shall be reviewed for content and compliance by the NCS director or designee on an annual basis. Scope This policy applies to all systems that are subject PCI DSS requirements. Policy BHSU shall conduct quarterly internal/external vulnerability scans for all hosts in the campus cardholder data environment. Audited external scans will be performed by an authorized third party. Internal scans shall be performed by the BHSU Infrastructure Security Manager or designee. Logs of the quarterly internal/external scans shall be provided to the Director of Network and Computer Services. Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please see the Employee Handbook for guidelines. Network and Computer Services - Information Technology Policy Manual 15
20
21
BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)
BUSINESS POLICY TO: All Members of the University Community 2012:12 DATE: April 2012 CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05) Contents Section 1 Policy Statement... 2 Section
Miami University. Payment Card Data Security Policy
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
Credit Card Processing and Security Policy
Credit Card Processing and Security Policy Policy Number: Reserved for future use Responsible Official: Vice President of Administration and Finance Responsible Office: Student Account Services Effective
6-8065 Payment Card Industry Compliance
0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card
PCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
CREDIT CARD SECURITY POLICY PCI DSS 2.0
Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction
COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL
PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card
Information Technology
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
Accounting and Administrative Manual Section 100: Accounting and Finance
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
Payment Cardholder Data Handling Procedures (required to accept any credit card payments)
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
Credit Card Security
Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary
Managed Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
Credit Card Handling Security Standards
Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)
CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with
PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
Policy for Accepting Payment (Credit) Card and Ecommerce Payments
Policy for Accepting Payment (Credit) Card and Ecommerce Payments 1 Revision Control Document Title: File Reference: Credit Card Handling Policy and Procedure PCI Policy020212.docx Date By Action Pages
New York University University Policies
New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance
CREDIT CARD PROCESSING POLICY AND PROCEDURES
CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.
PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core
PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566
CREDIT CARD PROCESSING & SECURITY POLICY
FINANCE AND TREASURY POLICIES AND PROCEDURES E071 CREDIT CARD PROCESSING & SECURITY POLICY PURPOSE The purpose of this policy is to establish guidelines for processing charges/credits on Credit Cards to
How To Complete A Pci Ds Self Assessment Questionnaire
Department PCI Self-Assessment Questionnaire Version 1.1 2009 Attestation of Compliance Instructions for Submission This Department PCI Self-Assessment Questionnaire has been developed as an assessment
This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.
Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: 07-23-15 Approval Date: 07-27-15 POLICY: All individuals involved in handling credit and debit card transactions
Becoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
Payment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft
Standards for Business Processes, Paper and Electronic Processing
Payment Card Acceptance Information and Procedure Guide (for publication on the Treasury Webpages) A companion guide to University policy 6120, Payment Card Acceptance Standards for Business Processes,
PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data
PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments
CAL POLY POMONA FOUNDATION Policy for Accepting Payment (Credit) Card and Ecommerce Payments 1 PURPOSE The purpose of this policy is to establish business processes and procedures for accepting payment
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder
University Policy Accepting and Handling Payment Cards to Conduct University Business
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
Appendix 1 Payment Card Industry Data Security Standards Program
Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage
Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)
Procedure Credit Card Handling and Security for Departments/Divisions and Elected/Appointed Offices Last Update: January 19, 2016 References: Credit Card Payments Policy Purpose: To comply with the Payment
Viterbo University Credit Card Processing & Data Security Procedures and Policy
The requirements for PCI-DSS compliance are quite numerous and at times extremely complicated due to their interdependent nature and scope. The University has deemed it necessary for those areas currently
University of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper
SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business
DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc
b. USNH requires that all campus organizations and departments collecting credit card receipts:
USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System
PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00
PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)
FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY
FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account
Saint Louis University Merchant Card Processing Policy & Procedures
Saint Louis University Merchant Card Processing Policy & Procedures Overview: Policies and procedures for processing credit card transactions and properly storing credit card data physically and electronically.
This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.
- 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must
PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01
PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 Information updated: 21 October 2012 SAFEGUARDING CARDHOLDER
CREDIT CARD NUMBER HANDLING PROCEDURES POLICY. 2014 October
CREDIT CARD NUMBER HANDLING PROCEDURES POLICY 2014 October Royal Roads University Page 1 of 6 21 October 2014 Table of Contents Policy Statement... 3 Rationale... 3 Applicability of the Policy... 3 Definitions...
PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
Josiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
TERMINAL CONTROL MEASURES
UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University
POLICY SECTION 509: Electronic Financial Transaction Procedures
Page 1 POLICY SECTION 509: Electronic Financial Transaction Procedures Source: NDSU President NDSU VP for Finance and Administration NDSU VP for Information Technology A. Purpose / Rationale Many NDSU
Accepting Payment Cards and ecommerce Payments
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
The following are responsible for the accuracy of the information contained in this document:
AskUGA 1 of 5 Credit/Debit Cards Responsible administrator: Senior Vice President for Finance and Administration Related Procedure: The Credit/Debit Card Processing Procedures Responsible department: Bursar's
Policies and Procedures
Policies and Procedures Provided by PROGuard The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ,
Merchant Card Processing Best Practices
Merchant Card Processing Best Practices Background: The major credit card companies (VISA, MasterCard, Discover, and American Express) have published a uniform set of data security standards that ALL merchants
ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:
Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
Appendix 1 - Credit Card Security Incident Response Plan
Appendix 1 - Credit Card Security Incident Response Plan 1 Contents Revisions/Approvals... i Purpose... 2 Scope/Applicability... 2 Authority... 2 Security Incident Response Team... 2 Procedures... 3 Incident
Emory University & Emory Healthcare
Emory University & Emory Healthcare Payment Card Processing and Compliance Policy and Procedures Manual Office of Cash and Debt Management Mailstop 1599-001-1AE 1599 Clifton Road, 3 rd Floor Atlanta, GA
PCI Policies 2011. Appalachian State University
PCI Policies 2011 Appalachian State University Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements
Information Security Handbook
Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...
. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.
Credit Card Procedures and Policies Texas A&M Health Science Center offers university departments the convenience of accepting credit cards in payment for goods and services provided. All University departments
Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data
Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011 Information Supplement: Protecting Telephone-based Payment Card Data Table of Contents Executive Summary 3 Clarification of
Vanderbilt University
Vanderbilt University Payment Card Processing and PCI Compliance Policy and Procedures Manual PCI Compliance Office Information Technology Treasury VUMC Finance Table of Contents Policy... 2 I. Purpose...
Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
PCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services
Louisiana State University Finance and Administrative Services Operating Procedure FASOP: AS-22 CREDIT CARD MERCHANT POLICY Scope: All campuses served by Louisiana State University (LSU) Office of Accounting
PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES
SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES POLICY STATEMENT Introduction Some San Diego State University Research Foundation
Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009
Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009 The guide describes how you can make sure your business does not store sensitive cardholder data Contents 1 Contents
PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson
PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson Overview What is PCI? MCCS Compliance PCI DSS Technical Requirements MCCS Information Security Policies
CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
LSE PCI-DSS Cardholder Data Environments Information Security Policy
LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project
E-Market Policy Accepting Online Payment for Conducting University Business
Accepting Online Payment for Conducting University Business Responsible Office: Bursar s Office Contact: bursar@hartford.edu Effective Date: July 1, 2011 Last Revised: June 20, 2011 Last Reviewed: June
CSU, Chico Credit Card PCI-DSS Risk Assessment
CSU, Chico Credit Card PCI-DSS Risk Assessment Division/ Department Name: Merchant ID Financial Account Location (University, Auxiliary Organization) Business unit functional contact: : Title: Telephone:
Enforcing PCI Data Security Standard Compliance
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The
University of Maine System ADMINISTRATIVE PRACTICE LETTER
Page 1 of 21 INDEX I. PURPOSE II. APPLICABILITY III. AUTHORITY AND RESPONSIBILITIES A. Card Processing Authority within the University of Maine System B. Credit Card Coordinator Responsibilities C. Merchant
ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:
Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College
McGill Merchant Manual
McGill Merchant Manual The McGill Merchant Manual is a complementary document to the Merchant (PCI) Policy and Procedures and serves to aid Merchants in ensuring their operations comply with Payment Card
How To Control Credit Card And Debit Card Payments In Wisconsin
BACKGROUND State of Wisconsin agencies accepted more than 6 million credit/debit card payments annually through the following payment channels: Point of Sale (State agency location) Point of Sale (Retail-agent
Information Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants
POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration
Failure to follow the following procedures may subject the state to significant losses, including:
SUBJECT: Policy and Procedures PAGE: 1 of 5 INTRODUCTION During fiscal year 2014, State of Wisconsin agencies accepted approximately 6 million credit/debit card payments through the following payment channels:
05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6
1. Procedure Title: PCI Compliance Program COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 2. Procedure Purpose and Effect: All Colorado State University departments that accept credit/debit
Information Security Policy
Information Security Policy Contents Version: 1 Contents... 1 Introduction... 2 Anti-Virus Software... 3 Media Classification... 4 Media Handling... 5 Media Retention... 6 Media Disposal... 7 Service Providers...
Fraud Protection, You and Your Bank
Fraud Protection, You and Your Bank Maximize your chances to minimize your losses Presentation for Missouri GFOA April 2011 By: Terry Endres, VP, Government Treasury Solutions Phone: 314-466-6774 Terry.m.endres@baml.com
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
Frequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures
Page 1 SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures SOURCE: NDSU President NDSU VP for Finance and Administration NDSU VP for Information Technology It is the University s responsibility
CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.
95.5 of 9. PURPOSE.. To establish a policy that outlines the requirements for compliance to the Payment Card Industry Data Security Standards (PCI-DSS). Compliance with this standard is a condition of
Virginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
Credit Card Processing Overview
CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new