Policy for Protecting Customer Data



Similar documents
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Information Security Policy

PCI Data Security. Information Services & Cash Management. Contents

Information Technology

Payment Card Industry Compliance

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI Data Security and Classification Standards Summary

Policies and Procedures

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Accepting Payment Cards and ecommerce Payments

Viterbo University Credit Card Processing & Data Security Procedures and Policy

Fraud Protection, You and Your Bank

Frequently Asked Questions

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Protecting the POS Answers to Your Frequently Asked Questions

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Credit Card Handling Security Standards

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

CREDIT CARD SECURITY POLICY PCI DSS 2.0

TERMINAL CONTROL MEASURES

CREDIT CARD PROCESSING POLICY AND PROCEDURES

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

PIN Pad Security Best Practices v2. PIN Pad Security Best Practices

HOW TO PROTECT YOUR BUSINESS AND YOUR CUSTOMERS FROM DATA FRAUD

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

PCI DSS Requirements - Security Controls and Processes

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

LSE PCI-DSS Cardholder Data Environments Information Security Policy

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Payment Card Industry Data Security Standard PCI DSS

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Payment Card Industry Self-Assessment Questionnaire

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Credit Card Security

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, One Connection - A World of Opportunities

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

Saint Louis University Merchant Card Processing Policy & Procedures

Dartmouth College Merchant Credit Card Policy for Processors

Miami University. Payment Card Data Security Policy

The Merchant. Skimming is No Laughing Matter. A hand held skimming device. These devices can easily be purchased online.

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

UCSD Credit Card Processing Policy & Procedure

Becoming PCI Compliant

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

How To Complete A Pci Ds Self Assessment Questionnaire

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

Identity Theft Prevention Presented by: Matt Malone Assero Security

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Why Is Compliance with PCI DSS Important?

Cyber Self Assessment

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Standards for Business Processes, Paper and Electronic Processing

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

PAI Secure Program Guide

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

Table of Contents. 2 TouchSuite Welcome Kit

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Security Best Practices

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

University of Sunderland Business Assurance PCI Security Policy

PCI Compliance for Healthcare

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

Project Title slide Project: PCI. Are You At Risk?

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Online Banking Customer Awareness and Education Program

MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009

Information Security It s Everyone s Responsibility

National Cyber Security Month 2015: Daily Security Awareness Tips

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

CREDIT CARD PROCESSING & SECURITY POLICY

Franchise Data Compromise Trends and Cardholder. December, 2010

STOP Important Information Please Read

Identity Theft Protection

Guide to credit card security

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Transcription:

Policy for Protecting Customer Data Store Name Store Owner/Manager Protecting our customer and employee information is very important to our store image and on-going business. We believe all of our employees must actively participate in keeping our customer information private and secure. Customer and employee data - customer or employee name in association with cardholder data, driver s license number, check or bank account numbers, PIN numbers, or any other information that could be used fraudulently to harm customers. Cardholder data - customer name in association with the full credit card number, PIN number, and other credit card information used for authorization. 1. The store is responsible for having policies and procedures in place for the physical, operational, and electronic protection of customer and employee data. The policies and procedures will be reviewed when there are changes to the customer data being used or stored, and at least annually. 2. All policies must be incorporated into daily procedures and practices, as well as reviewed with employees at time of hire and at least annually. All relevant policies must be shared with vendors and other third parties that have access to customer and employee data. 3. The store manager is responsible for data security at the store, including providing on-going data security awareness training to employees and monitoring and sharing relevant trade information about data security, 4. All employees must use reasonable care and common sense to protect customer and employee data. Employees are required to agree, in writing, their understanding of these requirements and agree to follow store policies. 5. Access to customer and employee data, with an emphasis on cardholder data, must be restricted to those employees with a business need-to-know. Those employees allowed to access systems with customer and employee data must have a unique ID and password. 6. Employees are not allowed to add personal devices or software to store systems. All new software, hardware and/or other component changes to systems with customer and employee data must have management approval. Published 1/21/2009 Page 1 of 2

All third-party vendors must review software and hardware changes with management when making changes to applicable systems. 7. Customer data, particularly cardholder data must be encrypted when it is sent over the public internet, including in emails. When displayed all credit and debit card numbers must be masked to display the last four digits. Storage of customer and employee data should be kept to only what is necessary for business, legal, and/or regulatory purposes. 8. Cardholder magnetic stripe data, including full track data, card-validation code, and PIN must never be kept in store systems. 9. All systems with customer and employee data must be properly installed and maintained according to store written practices, vendor supplied guidelines, or other provided guidelines. Guidelines will include a requirement to change all vendor supplied default passwords. These systems must have adequate protection to minimize the risk of theft, tampering and/or accidental exposure of data. 10. All systems that contain customer information, particularly cardholder data, must be reviewed annually to insure procedures are in place to minimize the risk of fraud, theft and unintended exposure of data. Store managers must be aware of current threats and vulnerabilities to these systems. 11. Systems with customer and employee data that are susceptible to malicious software and other vulnerabilities must have up-to-date anti-virus software, application and operating systems updates, and security patches. 12. If public internet connections, the store must have adequate network protection in place to protect against external attacks, including the use of firewalls, intrusion protection and other security controls. 13. The store will test applicable IP based systems for security controls on a quarterly basis, including internet facing systems, internal systems, and wireless network devices. 14. All paper and systems that contain customer and employee data must be physically secured. Backup media that contains cardholder data must be stored in a secure location. All systems that contain customer and employee data must have management approval before moving components from their secure location. Customer and employee data on paper documents and electronic systems must be made unreadable before disposal. 15. All service providers/technicians must have prior management consent before accessing any systems with customer and employee data. All employees are required to verify service providers/technicians identity prior to accessing systems. 16. The store will have an incident response plan in place with contact information and escalation requirements in the event any customer or employee information is lost, stolen or accidentally exposed. Published 1/21/2009 Page 2 of 2

PCI Program Policy and Training Guidelines Ver. 1.2 SECURITY AWARENESS TRAINING Keep your data safe keep your customers data safe. What can you do to protect your store and your customers from credit card thieves? 1. Protect your customer s personal information. This may seem simple, but protecting your store from the risks and pitfalls that come from credit card fraud and customer identity theft is really about keeping your customer s information private. If your store is involved in the loss of credit card numbers, the store could see huge fines. If customer personal information is involved, there could be costly state requirements and legal costs. Protect your store by protecting your customer s personal information. 2. Don t share your access to store systems. Sharing your sign-on and password may seem like no big deal but the store s point-of-sale system is set up to only give you the access you need no more, no less. Sharing your sign-on would be like giving someone else access to your ATM card. Sure, they re your friend, but you don t know if they are going to pull out $20 or your car payment. 3. Confirm credit card numbers are not printing on customer or store receipts. Here s an easy one that makes a big difference to your store. Make sure full credit card numbers are not printing on receipts. Not only is this a federal requirement, but it means that credit card receipts can be thrown in the trash. Receipts should only show the last four digits of a credit card and should not include the expiration date. 4. Verify the identity of any technician that wants access to store systems. Stealing customer information has become a business. And in known cases, thieves are pretending to be service technicians asking to upgrade or replace POS systems, debit card entry pads, and even asking to access the gas pumps. If anyone wants access to your store s systems, call your store manager and ask the technician for identification and verification. 5. Don t put paper or computers with customer information in the trash. Customer and employee information that could be used for fraud or identity theft must never just be thrown in the trash. Documents with customer name, full credit card numbers or any other personal information must be shredded or destroyed so the information can not be illegally used. Computers with credit card information must not be thrown in the trash either. Talk with your store manager about how to get rid of journal tapes, employee information, and computer systems. 6. Look for tampering on pumps, ATMs and other systems that accept credit cards. One of the ways thieves are stealing customer credit card information is by planting extra devices on pumps, ATMs, and other systems that handle PIN numbers and credit card transactions. These devices can be installed inside of a pump, on the front of a pin pad, or even on a wire in the point-of-sale terminal. Know what your store systems should look like and look for tampering daily. If you suspect there is a problem, call your store manager. 7. Don t plug personal and unsafe devices into the store systems. Never add your personal devices ipod, laptop computer, wireless access or any other devices to your store s computer systems or network. Unsecured, unknown devices added to the store network may cause everything to stop working and it could make it very easy for thieves to steal credit card data. 8. Don t add software to store computers. Adding software to computers can cause huge problems. Some software, malicious software that steals customer and employee information, is especially crafted to be easy to install and may seem harmless. Stores have lost thousands of credit card numbers after having software installed on point-of-sale machines. Even something as simple as an internet toolbar can have bugs that make it easier to steal information. 9. Know who to contact if there are problems at the store. If you suspect there is a problem with credit card fraud, equipment tampering, or suspicious vendors contact your store manager. Your store should have an Incident Response Plan. Know where it is, review it with your store manager, and use it if you have a problem. I understand that I play a huge part in protecting our store s systems and customer information. I have read the steps I need to take every day to keep customer information secure. Employee Name Date Store Manager Initials Published 1/6/2009 Page 1 of 1

PCI Program Policy and Training Guidelines Ver. 1.2 Procedures for protecting customer data Store Name Store Owner/Manager To help you and your employees protect customer data, these easy to follow procedures should be incorporated into your daily business practices. Train employees to combat credit card fraud by verifying the following for in store transactions: Customer name on credit card matches customer name on receipt. Signature on the card signature panel matches the signature on the receipt. Verify credit card numbers are masked on all customer receipts (by law the last 4 digits may show without the expiration date.). If applicable, verify credit card numbers are being masked on all store reports. Including: Journal tapes Backup credit card batch file Other Keep a store log to document daily practices are occurring, track visits by technicians and other critical third-parties, note updates to point-of-sale and other important systems, and record any security situations that may impact customer data. Keep copies of service tickets/receipts to record changes, updates, installations and all services performed on point-of-sale, communication, and other devices that may have customer data. Records should include impact to current environment, resolution if there is a problem and initials of store manager. Verify paper documents are securely stored and properly disposed of: Receipts/documents with credit card numbers are locked in the manager s office with limited access by employees. Receipts/documents with customer information are not thrown in the trash when no longer needed. Verify all systems that accept credit cards are adequately secured against physical removal. No unknown devices connected No devices attached to USB ports (check both front and back of POS) Verify that all pump access doors to the credit card readers are locked and have not been tampered with (tamper proof tape on access doors daily will assist with this). Physically inspect all CRIND (Card Reader In Dispenser) devices daily to look for unknown (skimming) devices that may have been added. Verify that all security cameras are pointed at the appropriate locations and can not pick up customer information, including credit card data or PIN (Personal ID Number). When disposing of point of sale equipment, the hard drive needs to be taken out and destroyed. Published 1/21/2009 Page 1 of 1

Third-party access to store systems Store Name Store Owner/Manager Third-parties managing and maintaining our store systems have a duty to protect customer and employee information when it is in their care. The store will maintain a list of all service providers and their agreement to protect customer and employee data, including their PCI compliance status. Customer and employee data - customer or employee name in association with cardholder data, driver s license number, check or bank account numbers, PIN numbers, or any other information that could be used fraudulently to harm customers. Cardholder data - customer name in association with the full credit card number, PIN number, and other credit card information used for authorization. 1. Third-parties, including vendors, contractors and service providers, have the same responsibility to adhere to the security standards for protecting customer and employee information that the store follows. This includes, but is not limited to PCI-DSS requirements (Payment Card Industry Data Security Standards) for handling credit card data. 2. Access to customer and employee data and the systems that process, transmit and/or store that data will be limited to those third-parties that have written agreements to manage and/or maintain those systems. 3. Third-parties that manage and/or maintain store systems must consider and preserve the security and integrity of all store systems with customer and employee information when adding, changing, or removing hardware and software required for their system. 4. Third parties agree to take reasonable steps to protect customer and employee data, including credit card data, while the data is in their possession. This includes any data on systems being transported, managed, and maintained by the third party. When the data is no longer necessary for business purposes, the third party agrees to securely dispose of the data. Third Party Name Third Party Company Published 1/21/2009 Page 1 of 1

Data Loss Response Plan The Data Loss Response Plan outlines the steps to be taken in the event of loss or theft of customer data, including credit card data. Store Name and Location Store Phone Number Store Manager/Primary Contact Cell Phone Alternative Phone (home/other) (This person is the primary contact who will act as the spokesperson for the store. He/she should be available 24/7 to respond to any data loss and to help determine escalation procedures.) Loss of Customer and/or Employee Data: 1. Contact local authorities first if theft, bodily harm, or vandalism is involved. o If IP based systems are involved, contain and limit the exposure of customer and employee data by removing any compromised systems from having public internet access. 2. Contact your store manager/primary contact to discuss what data was lost, stolen and/or accidentally disclosed. 3. The store manager will be responsible for contacting store management (store owners/company management) to determine next steps. 4. If cardholder data is involved, store management must contact Sinclair Marketing Offices and be prepared to contact the processing bank for instructions on next steps. Visa Investigations and Incident Management Group will need to be involved, as well as Fraud Investigation Groups for other credit card companies. 5. Store management should familiarize themselves with state laws for customers regarding reporting the loss of customer information. 6. Store management should have a plan for communication to customers, media, and local officials if necessary. Sinclair Marketing Office, System Support (800) 524-4799 First Data / Buypass Help Desk (800) 726-2629 Visa Investigation and Incident Management (650) 432-2978 Detailed Report The store manager should be prepared to provide a detailed report of what happened, who was involved, what data was compromised, and what steps employees took to reduce the exposure. The store must keep a copy of the report with other PCI Program documentation. Lessons Learned The store manager should review the actions taken after a data compromise with all employees, update the response plan, polices and other procedures as needed. Annual Review The store must review the Data Loss Response Plan on an annual basis, and confirm that all employees are know what is involved in a data compromise and who they should contact. Data Plan Reviewed with Employees Published 1/6/2009 Page 1 of 1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information