PCI Data Security
Information Services & Cash Management




This self-directed learning module contains information you are expected to know to protect yourself, our patients, and our guests.

Target Audience: All Teammates

Contents
Instructions ........ 2
Learning Objectives ........ 2
Module Content ........ 3
Job Aid ........ 6
Posttest ........ 10

Page 1 of 11

Instructions

The material in this module is an introduction to important general information and procedures to ensure data security, a requirement of the Payment Card Industry Data Security Standards (PCI-DSS). After completing this module, contact your supervisor to obtain additional information specific to your department.

1. Read this module.
2. If you have any questions about the material, ask your supervisor.
3. Complete the online posttest at the end of this module. If a printed version of the test is taken, you must provide the results to your supervisor upon completion.

The Job Aid on page 6 is relevant to individuals who are involved in the receipt and handling of cardholder data. It may be customized to fit your department and then used as a quick reference guide.

Learning Objectives

When you finish this module, you will be able to:

- Understand the importance of data security
- Understand your responsibilities as they relate to data security
- Identify key elements of the data security program
- Describe ways that you can prevent unauthorized disclosure of data
- Explain why storing or copying data onto personal computers or unsecure removable media is prohibited
- Describe the steps necessary to report unauthorized disclosure of data
- Identify the policies and procedures associated with the data security program

The Payment Card Industry Data Security Standards (PCI-DSS)

A set of regulations created to protect cardholder data from loss or misuse. CHS is required to adhere to PCI-DSS in order to accept payment cards. Payment cards include credit and debit cards.

Cardholder data, also known as Confidential Data, includes:

- Primary Account Number (PAN)
- Expiration Date
- Cardholder Name
- Password, e-mail, address, and other personal Confidential Data

PCI-DSS applies to all formats: paper (receipts, handwritten forms, billing statements, etc.), electronic and verbal.

[Figure: front of a payment card, with the PAN and EXPIRATION DATE labeled]

PCI-DSS Goals & Requirements

The goals and objectives of PCI-DSS are:

1. Build and maintain a secure network
2. Protect confidential data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

The effectiveness of the controls associated with the above goals relies on everyone adhering to policies and procedures in order to ensure a secure cardholder data environment.

Sensitive Authorization Data

PCI-DSS prohibits storage of sensitive authorization data, which includes:

- Track Data & PV/PIN block on the magnetic stripe
- CVV2/CVC2/CID on the front or back of the card

[Figure: back of a payment card, with the magnetic stripe labeled]

Places Where Confidential Data May Exist

Most of us are accustomed to using credit and/or debit cards when pumping gas, buying groceries or while at the mall. Here at CHS, payment cards are an accepted payment method in various locations, including but not limited to:

- Carolinas Healthcare System Medical Group, System Billing Office or Central Billing Office
- Admitting, Registration, or Cashier
- Gift Shop, Cafeteria or Coffee Shop
- Pharmacy
- Clinics and Urgent Care
- Foundation
- Health Club or Fitness Center
- Rehab Facility
- Any department or service selling/renting medical equipment and supplies

Common Types of Data Breaches

The most common types of data breaches include, but are not limited to:

- Technology attacks (hacking)
- Lost or stolen equipment (laptops, USB drives)
- Stolen or copied paper records
- Inadvertent disclosure
- Malicious insiders

How PCI-DSS Impacts You

Whether or not you are directly involved with the receipt and handling of card payments, you are required to help ensure a secure environment that promotes data security:

- Do not share your passwords with anyone. The CHS Support Center or Information Services will NEVER ask you for your password.
- Never use text, email, or instant messaging to transmit Confidential Data.
- Never photocopy or scan credit card numbers that are written on paper, or the actual cards themselves (e.g. Scan to Email on Xerox machines, Click-on DMS, Hyland Onbase, etc.).
- Properly dispose of Confidential Data. Use the Asset Transfer and Disposal eform to engage Information Services in the proper disposal of electronic media, computer equipment, or credit card terminal equipment.
- Do not disable, uninstall or otherwise bypass security controls (e.g. turning off antivirus, using someone else's user ID and password, connecting to the Guest wireless network).
- Lock your computer or log out when it is unattended, and use lock-down kits or other appropriate anti-theft mechanisms to secure laptops or other portable devices.
- Prevent physical access to credit card terminals or credit card processing computers by unauthorized persons.
- Do not create spreadsheets or documents to store credit card numbers, or otherwise store any sensitive credit card information electronically on CHS equipment.
- Always be attentive to suspicious activity and report issues to the CHS Support Center at 704-446-6161 immediately if:
  o An unknown person wants to modify or install something on a credit card reader or Point-of-Sale (POS) unit.
  o You clicked on a suspicious link or pop-up window, or opened a suspicious attachment.
  o Computer equipment, including credit card processing equipment, is lost or stolen.
  o You have reason to believe someone may have your password.
- Report suspected or known breaches of confidential data to your Supervisor, Facility Privacy Director, CHS Corporate Privacy at 704-512-5900 or the Customer Care Line at 704-355-8363.

Attestation of Compliance

All teammates are required to attest their compliance to proper confidential data handling security standards. Additionally, CHS must complete an Attestation of Compliance document annually as a declaration of our compliance status with the Payment Card Industry Data Security Standard (PCI DSS).

JOB AID: Steps to secure the CHS data environment

1. Safe Handling of Cardholder Data

When receiving and handling a payment card directly from a customer:
  o Check the name on the card against a photo I.D.
  o Compare the signature with the one on the back of the card.
  o Process immediately.
  o Shield the card from the view of others.

When receiving cardholder data by Phone:
  o Ensure the accuracy of cardholder information by asking the caller to repeat the card number back to you.
  o Never say the card number back to the customer. This practice ensures that no one will overhear this sensitive information.

When receiving cardholder data by Fax:
  o Cardholder data may not be received by Fax unless the fax machine is located in a highly secured area restricted to teammates who are authorized to process payment card transactions.

Cardholder data must NEVER be sent, accepted or solicited via Email, Instant Messaging or Text. If a patient or customer sends you an Email, Instant Message or Text containing cardholder data, reply to the sender WITHOUT including the original message and:
  o Notify the sender of acceptable methods of payment.
  o Notify the sender that the original message with cardholder data was deleted.
  o Do not print, forward, or retain the message in any format.

  o Delete the message & empty the Trash/Deleted Items/Recycle Bin.

When receiving cardholder data by Web Payment:
  o CHS teammates should only use approved web payment solutions (e.g. TrustVault). Teammates are responsible for verifying all web payment applications with their Manager.
  o CHS teammates should not create webpages that request or collect cardholder data.

Process payment card transactions immediately when cardholder data is received:
  o Card swiped/entered into a dial-up swipe terminal.
  o Card swiped or entered into a POS terminal.
  o With the exception of virtual terminal solutions (e.g. TrustVault), cardholder data should NEVER be entered into a computer.

Cardholder data may not be electronically stored on any device in any format, including local hard drives, personal network drives, CDs, USB drives or any other local computing device. No electronic cardholder data storage is allowed outside of the approved applications and servers maintained by CHS Information Services.

Cardholder data may not be photocopied, scanned, or photographed.

Equipment and physical facilities must be properly secured:
  o Use of door locks after business hours.
  o Security cameras and alarms.
  o Proper issuance & collection of badge/key access.
  o Regular inspection of equipment (e.g. lock-down kits, card readers, etc.) to detect tampering or substitution (e.g. addition of card skimmers to card readers, serial number changes, broken or different colored casing). Report any issues to your manager or a security officer IMMEDIATELY!

Departments that use computer equipment or POS terminals to process card payments must ensure that:
  o Teammates use difficult-to-guess passwords that are at least 8 characters in length and include a combination of letters, numbers and special characters.

  o Teammates issued a POS access card must protect the card from loss, and never share the card with others.
  o In the event of a lost or stolen POS access card, the employee must inform his/her manager immediately.
  o Any changes, repairs or replacement of equipment (including card readers) must be arranged and coordinated through Cash Management and facilitated by authorized Information Services personnel only. ALWAYS VERIFY!

Cardholder data may not be written down. If a department has appropriate business justification to write down cardholder data, they must do so using a Credit Card Payment Form and follow these safety procedures:
  o Maintain a secured storage location for these forms.
  o Process the transaction as soon as possible, but no later than ONE business day from the date received.
  o Credit Card Payment Forms that cannot be processed immediately must be properly locked inside of a secure storage compartment:
    - Storage may be a drawer, overhead bin, closet, etc.
    - Storage MAY NOT be a portable lockable device such as a briefcase, cashbox, etc.
    - Storage must not be labeled or marked so as to identify its contents.
    - When cardholder data is present, the storage location must be locked at all times.
    - The payment must be processed within ONE business day of being received.
    - Only teammates who have completed this training module should have access to the storage.
  o Properly dispose of the Credit Card Payment Form (e.g. cross-cut shredder or locked shred bin for 3rd-party disposal).

In the event of a suspected breach or loss of payment card data, teammates are obligated to notify the CHS Support Center at 704-446-6161 within 24 hours.

Review the following CHS Policies:
  o IS.PHI.600.01 Communications Environment Acceptable Use Policy
  o IS.PHI.600.03 Information Services Security Policy
  o FIN.400.11 PCI Data Security Standard Policy

Posttest

Name:            Date:

Circle the correct answer.

1. CHS is required to comply with PCI-DSS because:
   a. CHS is a large organization
   b. CHS accepts payment cards
   c. CHS is not required to comply with PCI-DSS
   d. PCI-DSS is part of HIPAA

2. PCI-DSS only applies to Information Services since they maintain all of the CHS electronic systems:
   a. True
   b. False

3. PCI-DSS only applies to CHS teammates that handle card payment transactions:
   a. True
   b. False

4. My responsibilities to protect confidential data include:
   a. Keeping my password secret
   b. Never using text, email, or instant messaging to transmit confidential data
   c. Locking my computer or logging out when leaving it unattended
   d. All of the above

5. I can store cardholder data electronically as long as I:
   a. Properly dispose of it using an Asset Transfer and Disposal eform
   b. Encrypt the data and properly dispose of it using an Asset Transfer and Disposal eform
   c. Store it on my personal drive and password protect the file
   d. I am never allowed to store electronic cardholder data

6. I am responsible for reporting a suspected or known breach of confidential data. To report a suspected or known data breach I should:
   a. Contact my Supervisor
   b. Contact my Facility Privacy Director
   c. Contact the CHS Corporate Privacy Department
   d. Any of the above

7. PCI-DSS only applies to electronic confidential data:
   a. True
   b. False

8. If I accidentally click on a link from an unknown sender I should:
   a. Do nothing; my anti-virus software will protect my computer and confidential data
   b. Contact the CHS Support Center at 704-446-6161
   c. Close my browser and restart my computer
   d. Follow the data breach reporting process

9. If an unknown person is tampering with a credit card device, I should:
   a. Do nothing and let them finish
   b. Report the incident to the CHS Support Center
   c. Call 911 immediately
   d. Either b or c

10. It is ok for me to replace credit card equipment without authorization and verification:
   a. True
   b. False

11. The following are signs that indicate a device has been tampered with:
   a. The device serial number has been changed
   b. The card reader is colored differently than normal
   c. A card skimmer has been added to the device
   d. All of the above

12. By clicking Yes below, I attest that I have read and understand the Information Services Security Policy, the CHS Communications Environment Acceptable Use Policy and the PCI Data Security Standard Policy:
   a. Yes
   b. No