Payment Card Industry Data Security Standard PCI DSS

Transcription

1 Payment Card Industry Data Security Standard PCI DSS

2 What is PCI DSS? Requirements developed by the five card brands: VISA, Mastercard, AMEX, JCB and Discover. Their aim was to put together a common set of security principles. The purpose of PCI DSS is to ensure that businesses are providing a secure environment for their customers to make payment by reducing risk of card data theft and fraud. PCI DSS is mainly about the Primary Account Number (PAN), the 16 digit number on the front of a card. If we store this in any format, it must be protected from unauthorised access. Most PCI DSS requirements are specific to. However, any member of staff who comes into contact with the PAN needs to be aware of PCI DSS, and understand how they can reduce the risk of card data theft and fraud. 2

3 12 Requirements of PCI DSS Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel 3

4 Why is PCI DSS Important to Us? Compliance with PCI DSS is a requirement of our contract with our acquirer, Global Payments, as well as other software and service providers. We need to be compliant in order to take card payments. Being compliant shows we have worked to reduce the risk of data theft and provide a secure payment environment for our customers. 4

5 Consequences of Breach The consequences of a security breach resulting in customer card data being accessed by an unauthorised party can be wide-ranging: Inconvenience and distress to our customers card data theft and fraud can be very distressing, and take time to resolve. Financial: lost income the University may lose money due to fraudulent transactions. Financial the University could be fined if card data is lost. We could be assessed as a high risk, level 1 merchant. We would then need to have external verification of our security, which would be expensive and time consuming for the University. The University could lose its ability to take card payments, resulting in increased workload and potential loss of business. Reputational damage perhaps the most damaging consequence of all, as data security breaches tend to get a lot of publicity. Complying with PCI DSS requirements does not guarantee that a security breach will not occur, but it reduces the risk, and our liability. 5

6 How Does PCI DSS Relate to What I Do? As a member of staff who takes card payments or handles cardholder data, you have a responsibility to carry out your work according to procedures and University policy regarding PCI DSS. By doing this you are protecting your customer s data from theft, protecting the University from the consequences of a data security breach, and protecting yourself in the event of a breach. 6

7 How Does PCI DSS Relate to What I Do? Primary Account Number (PAN) this is the long number on the front of the card. If you need to retain this, it should be securely stored in a designated lockable place at all times. There are a number of ways you might come into contact with the PAN: From customers over the phone, fax or by post, when you take Cardholder Not Present transactions. Face-to-face transactions, the PAN is printed on the customer s card. Old merchant copies of receipts will have the PAN printed on them. After the switchover to Global Payments, the terminals will not print this data therefore the merchant copies do not come under PCI DSS, but it s still good practice to store them securely. CVC the authorisation number on the back of the card. This is Sensitive Authentication Data (SAD) and must never be stored with the PAN. PDQ terminals should be stored securely so that they cannot be tampered with. You should be able to identify if changes are made. 7

8 Processes Where PCI DSS Needs to be Considered The best defence against cardholder data theft is not to store it if we do not keep it, it cannot be stolen from us. Where possible, you should limit the amount of cardholder data you store. If you do not store the PAN, PCI DSS does not apply. The following slides highlight ways you should take PCI DSS into account when dealing with card data. The list does not cover all situations, and some of the scenarios might not be relevant or appropriate to you. If you are unsure how to apply PCI DSS to your processes, please seek advice from your manager. 8

9 Payments Made in Person Staff should not need to handle the customer s card. For contactless payments, the customer should pass their card over the terminal. If using chip and pin, the customer should put their card in the terminal, and remove it at the end of the transaction. If you do not handle the card, you do not come into contact with the card holder data. Some terminals print the full Primary Account Number (PAN) on the merchant copy of the receipt. Remember that this is data could be a target for thieves, and should be securely stored. 9

10 Skimming One way for criminals to obtain card data is by tampering with the PDQ terminals by adding equipment that reads card holder data as the payment is being processed. This is called skimming. It is important to ensure that terminals are not tampered with. Portable terminals should be kept out of reach of customers and the public, and stored securely out of hours. You should be able to recognise if a terminal has been tampered with by comparing it against a reference photo. If you think your terminal may have been tampered with, stop using it and alert your manager immediately. 10

11 Payments Made in Person Merchant copies of till receipts that display the full PAN must be securely stored at all times in a designated, locked place with restricted access. They must not be left out on a counter. 11

12 If Someone Calls to Make a Card Payment Enter the details straight into the terminal. If the terminal is not available, you should arrange to call the customer back when the terminal is available, and then enter the details directly into the terminal. If this is not possible, and your manager allows, you can write down the details and process the payment when the terminal is available. This should be within the same business day. 12

13 Telephone Payments If a terminal is not available to take a payment when a customer calls and you are not able to call them back later, you can write down the details The card details should be securely stored in a locked location. The card detail should only be kept until the payment has been processed Once the payment has been processed, the written card details should be destroyed by cross shredding not by putting them in confidential waste bins 13

14 Be Aware It is important to be aware of what is going on around you, and ensure that no-one can overhear the customer s card details while you are processing the transaction: If you work in a public area, e.g. a reception desk, do not read the customer s card details back to them, in case you are overheard. If you need to check the details, ask the customer to repeat them. Calls where card payments are taken must never be recorded, as this counts as electronic storage of the card data. 14

15 Card Details Received by Fax Card data received by fax can be considered secure, as long as the fax machine is located in a secure area, and only staff authorised to access cardholder data have access to it. If a customer tells you they will be sending details by fax, ask them to call before they send it to ensure that someone will be there to receive it, so the details are not left on the fax machine. After the payment has been processed, we are not allowed to store the CVC number and it should be removed from the form and destroyed. The PAN should also be removed and destroyed, so no card holder data is stored. 15

16 Payment via Fax Faxes containing card data should be collected by an authorised member of staff as soon as they arrive If the payment cannot be processed straight away, the card data should be stored securely until it is processed Once the payment has been processed, at minimum the CVC number, and ideally the PAN, should be removed and destroyed by cross shredding

17 Card Details Received by Post Card details received by post (e.g. postal donation forms) should be addressed to and opened by authorised staff. Transactions should be processed as soon as possible, within a maximum of 5 working days. After the payment has been processed, we are not allowed to store the CVC number and it should be removed from the form and destroyed. Ideally the PAN should also be removed and destroyed, so no card holder data is stored. 17

18 Payment via Post Letters containing card data should be opened by an authorised member of staff The card data should be stored securely until it is processed Once the payment has been processed, at minimum the CVC number, and ideally the PAN, should be removed and destroyed by cross shredding 18

19 Payments Made Online Online payments should be encouraged where possible as the University and individual staff members do not have access to the cardholder data at any time. They also save you time and are more efficient Do not put a payment through online on behalf of a customer, either over the phone or in person. If the customer is unable to pay online themselves, offer an alternative method of payment. 19

20 Card Details Received by is not a secure method of sending or receiving information, so you should never ask a customer to their card details to you. If a customer sends them to you in this way, you must not process them. If we accept and process details sent by , we are accepting responsibility for the security of delivery, and therefore the system, which is not possible. Card details received by must not be processed or forwarded on to another address. You should delete the , and contact the customer to advise them that we cannot accept details by and that they need to provide their details by another method. 20

21 Physical Storage of Card Data Card data should only be retained and stored if there is a business need to do so. If you are unsure if card details should be kept, check with your line manager. Examples of data you might need to store may include merchant receipts for payments taken before the switchover to Global Payments, as these will have the PAN printed on them, and so must be securely stored in a locked location with access to the key restricted, in accordance with PIC DSS requirements. After the switchover to Global Payments, the card details are no longer printed on the merchant receipts. Therefore, if the PAN and CVC are removed from the original details (e.g. postal forms, written card data) and securely destroyed by cross shredding, storage of the remaining details is out of scope for PCI DSS, as there is no risk of data theft. It is still good practice to store the documents securely. 21

22 Hard Copies Card data should be securely stored in a locked location, with access to the key recorded Card data should be stored for 6 years plus current financial year When the card data no longer needs to be stored, it should be securely destroyed e.g. by cross shredding 22

23 Electronic Storage of Card Data Card data must never be stored electronically If it is on our networks, there is the potential for unauthorised access. This includes: electronic images, such as efax; data stored in files on your computer or network; recorded telephone calls etc. If you collect CCTV, you must ensure that it cannot capture card data. If you have any card data stored electronically, please contact the Finance Office 23

24 What if I Suspect Someone has Gained Unauthorised Access to Card Data? If you believe that an unauthorised person has gained access to cardholder data (e.g. if there has been a break in to an area where cardholder data is stored, or you believe a terminal has been tampered with) you should inform your line manager and Finance Office or at once. If a terminal may have been affected, stop using that terminal and unplug it, but do not change anything. 24

25 PCI DSS Contacts Finance Office: Paul Simpson, David Deighton,