PCI Data Security. Information Services & Cash Management. Contents

Transcription

1 PCI Data Security Information Services & Cash Management This self-directed learning module contains information you are expected to know to protect yourself, our patients, and our guests. Target Audience: All Teammates Contents Instructions... 2 Learning Objectives... 2 Module Content... 3 Job Aid... 6 Posttest Page 1 of 11

2 Instructions: The material in this module is an introduction to important general information and procedures to ensure data security, a requirement of the Payment Card Industry Data Security Standards (PCI-DSS). After completing this module, contact your supervisor to obtain additional information specific to your department. Read this module. If you have any questions about the material, ask your supervisor. Complete the online posttest at the end of this module. If a printed version of the test is taken, you must provide the results to your supervisor upon completion. The Job Aid on page 6 is relevant to individuals that are involved in the receipt and handling of cardholder data and may be customized to fit your department and then used as a quick reference guide. Learning Objectives: When you finish this module, you will be able to: Understand the importance of data security Understand your responsibilities as they relate to data security Identify key elements of the data security program Describe ways that you can prevent unauthorized disclosure of data Explain why storing or copying data onto personal computers or unsecure removable media is prohibited Describe the steps necessary to report unauthorized disclosure of data Identify the policies and procedures associated with the data security program Page 2 of 11

3 The Payment Card Industry Data Security Standards (PCI-DSS) A set of regulations created to protect cardholder data from loss or misuse. CHS is required to adhere to PCI-DSS in order to accept payment cards. Payment cards include credit and debit cards. Cardholder data also known as Confidential Data includes: Primary Account Number (PAN) Expiration Date Cardholder Name Password, , address, and other personal Confidential Data PCI-DSS applies to all formats: paper (receipts, handwritten forms, billing statements, etc.), electronic and verbal. PAN EXPIRATION DATE PCI-DSS Goals & Requirements The goals and objectives of PCI-DSS are: 1. Build and maintain a secure network 2. Protect confidential data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Regularly monitor and test networks 6. Maintain an information security policy The effectiveness of the controls associated with the above goals relies on everyone adhering to policies and procedures in order to ensure a secure cardholder data environment. Page 3 of 11

4 Sensitive Authorization Data PCI-DSS prohibits storage of sensitive authorization data, which includes: Track Data & PV/PIN block on magnetic strip CVV2/CVC2/CID on front or back of card Magnetic strip Places Where Confidential Data May Exist Most of us are accustomed to using credit and/or debit cards when pumping gas, buying groceries or while at the mall. Here at CHS, payment cards are an accepted payment method in various locations, including but not limited to: Carolinas Healthcare System Medical Group, System Billing Office or Central Billing Office Admitting, Registration, or Cashier Gift Shop, Cafeteria or Coffee Shop Pharmacy Clinics and Urgent Care Foundation Health Club or Fitness Center Rehab Facility Any department or service selling/renting medical equipment and supplies Common Types of Data Breaches The most common types of data breaches include, but are not limited to: Technology attacks - Hacking Lost or stolen equipment Laptops, USB drives Stolen or copied paper records Inadvertent disclosure Malicious insiders Page 4 of 11

5 How PCI-DSS Impacts You Whether you are directly involved with the receipt and handling of card payments, you are required to ensure a secure environment that promotes data security: Do not share your passwords with anyone. The CHS Support Center or Information Services will NEVER ask you for your password. Never use text, , or instant messaging to transmit Confidential Data. Never photocopy or scan credit card numbers that are written on paper or the actual cards themselves. (i.e. Scan to on Xerox machines, Click-on DMS, Hyland Onbase, etc.) Properly dispose of Confidential Data. Use the Asset Transfer and Disposal eform to engage Information Services in the proper disposal of electronic media, computer equipment, or credit card terminal equipment. Do not disable, uninstall or otherwise bypass security controls (e.g. antivirus, use someone else s user ID and password, connect to the Guest wireless network). Lock computer or log out when unattended and use lock-down kits or other appropriate anti-theft mechanisms to secure laptops or other portable devices. Prevent credit card terminals or credit card processing computers from physical access by unauthorized persons. Do not create spreadsheets or documents to store credit card numbers, or otherwise store any sensitive credit card information electronically on CHS equipment. Always be attentive to suspicious activity and report issues to the CHS Support Center at immediately if: o An unknown person wants to modify or install something on a credit card reader or Point-of-Sale (POS) unit. o You clicked on a suspicious link, pop-up window or opened a suspicious attachment. o Computer equipment, including credit processing equipment, is lost or stolen. o You have reason to believe someone may have your password. Report suspected or known breaches of confidential data to your Supervisor, Facility Privacy Director, CHS Corporate Privacy at or the Customer Care Line at Page 5 of 11

6 Attestation of Compliance All teammates are required to attest their compliance to proper confidential data handling security standards. Additionally, CHS must complete an Attestation of Compliance document annually as a declaration of our compliance status with the Payment Card Industry Data Security Standard (PCI DSS). JOB AID 1 Steps to secure the CHS data environment 1 Safe Handling of Cardholder Data When receiving and handling a payment card directly from a customer: o Check the name on the card with a photo I.D. o Compare the signature with the one on the back of the card. o Process immediately. o Shield the card from view of others. When receiving cardholder data by Phone: o Ensure the accuracy of cardholder information by asking the caller to repeat the card number back to you. o Never say the card number back to the customer. This practice ensures that no one will overhear this sensitive information. When receiving cardholder data by Fax: o Cardholder data may not be received by Fax unless the fax machine is located in a highly secured area restricted to teammates that are authorized to process payment card transactions. Cardholder data must NEVER be sent, accepted or solicited via , Instant Messaging or Text. If a patient or customer sends you an , Instant Message or Text containing cardholder data, reply to the sender WITHOUT including the original message and: o Notify the sender of acceptable methods of payment. o Notify the sender that the original message with cardholder data was deleted. o Do not print, forward, or retain the message in any format. Page 6 of 11

7 o Delete the message & empty the Trash/Deleted Items/Recycle Bin. When receiving cardholder data by Web Payment: o CHS teammates should only use approved web payment solutions (e.g. TrustVault). Teammates are responsible for verifying all web payment applications with their Manager. o CHS teammates should not create webpages that request or collect cardholder data. Process payment card transactions immediately when cardholder data is received: o Card swiped/entered into a dial-up swipe terminal. o Card swiped or entered into a POS terminal. o With the exception of virtual terminal solutions (e.g. TrustVault), cardholder data should NEVER be entered into a computer. Cardholder data may not be electronically stored on any device in any format including local hard drives, personal network drives, CD s, USB drives or any other local computing device. No electronic cardholder data storage is allowed outside of the approved applications and servers maintained by CHS Information Services. Cardholder data may not be photocopied, scanned, or photographed. Equipment and physical facilities must be properly secured: o Use of door locks after business hours. o Security cameras and alarms. o Proper issuance & collection of badge/key access. o Regular inspection of equipment (e.g. lock down kits, card readers, etc.) to detect tampering or substitution (e.g. addition of card skimmers to card readers, serial number changes, broken or different colored casing). Report any issues to your manager or a security officer IMMEDIATELY! Departments that use computer equipment or POS terminals to process card payments must ensure that: o Teammates use difficult to guess passwords that are at least 8 characters in length and include a combination of letters, numbers and special characters. Page 7 of 11

8 o Teammates issued a POS access card must protect the card from loss, and never share the card with others. o In the event of a lost or stolen POS access card, the employee must inform his/her manager immediately. o Any changes, repairs or replacement of equipment (including card readers) must be arranged and coordinated through Cash Management and facilitated by authorized Information Services personnel only. ALWAYS VERIFY! Cardholder data may not be written down. If a department has appropriate business justification to write down cardholder data, they must do so using a Credit Card Payment Form and follow these safety procedures: o Maintain a secured storage location for these forms. o Process the transaction as soon as possible but no later than ONE business day from the date received. o Credit Card Payment Forms that cannot be processed immediately must be properly locked inside of a secure storage compartment Storage may be a drawer, overhead bin, closet, etc. Storage MAY NOT be a portable lockable device such as a briefcase, cashbox, etc. Storage must not be labeled or marked so as to identify its contents. When cardholder data is present, the storage location must be locked at all times. The payment must be processed within ONE business day of being received. Only teammates who have completed this training module should have access to the storage. Properly dispose of the Credit Card Payment Form (e.g. cross-cut shredder or locked shred bin for 3 rd party disposal). Page 8 of 11

9 In the event of a suspected breach or loss of payment card data, teammates are obligated to notify the CHS Support Center at within 24 hours. Review the following CHS Policies: o IS.PHI Communications Environment Acceptable Use Policy o IS.PHI Information Services Security Policy o FIN PCI Data Security Standard Policy Page 9 of 11

10 Posttest Name: Date: Circle the correct answer. 1. CHS is required to comply with PCI-DSS because: a. CHS is a large organization b. CHS accepts payment cards c. CHS is not required to comply with PCI-DSS d. PCI-DSS is part of HIPAA 2. PCI-DSS only applies to Information Services since they maintain all of the CHS electronic systems a. True b. False 3. PCI-DSS only applies to CHS teammates that handle card payment transactions: a. True b. False 4. My responsibilities to protect confidential data include: a. Keeping my password secret b. Never using text, , or instant messaging to transmit confidential data c. Locking my computer or logging out when leaving it unattended d. All of the above 5. I can store cardholder data electronically as long as I: a. Properly dispose of it using an Asset Transfer and Disposal eform b. Encrypt the data and properly dispose of it using an Asset Transfer and Disposal eform c. Store it on my personal drive and password protect the file d. I am never allowed to store electronic cardholder data 6. I am responsible for reporting a suspected or known breach of confidential data. To report a suspected or known data breach I should: a. Contact my Supervisor b. Contact my Facility Privacy Director c. Contact the CHS Corporate Privacy Department d. Any of the above Page 10 of 11

11 7. PCI-DSS only applies to electronic confidential data: a. True b. False 8. If I accidentally click on a link from an unknown sender I should: a. Do nothing; my anti-virus software will protect my computer and confidential data b. Contact the CHS Support Center at c. Close my browser and restart my computer d. Follow the data breach reporting process 9. If an unknown person is tampering with a credit card device, I should: a. Do nothing and let them finish b. Report the incident to the CHS Support Center c. Call 911 immediately d. Either b or c 10. It is ok for me to replace credit card equipment without authorization and verification: a. True b. False 11. The following are signs that indicate a device has been tampered with: a. The device serial number has been changed b. The card reader is colored differently than normal c. A card skimmer has been added to the device d. All of the above 12. By clicking Yes below, I attest that I have read and understand the Information Services Security Policy, the CHS Communications Environment Acceptable Use Policy and the PCI Data Security Standard Policy: a. Yes b. No Page 11 of 11