Welcome to the Duke Medicine Credit Card PCI Education session.




Welcome to the Duke Medicine Credit Card PCI Education session. During this session, we will explain the Duke Medicine Credit Card PCI Policy and Procedure that has been implemented to ensure we are in compliance with the Payment Card Industry Data Security Standards.

As we are all aware, there is a significant increase in credit card fraud and identity theft globally. In 2006 a number of credit card companies joined to create the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC then created the PCI Data Security Standard (PCI DSS). Effective July 1, 2010, the PCI SSC is mandating compliance and will enforce the Payment Card Industry Payment Application Data Security Standard.

Our objectives during this session are to:
* Define PCI DSS
* Inform you of available PCI employee training resources and annual training requirements
* Communicate and set safeguards for credit card processing
* Learn how we can minimize internal and external fraud and identity theft of credit card holders
* Define what it means for you and your work area to be in compliance with the Data Security Standard

PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It implements measures to control access to credit card information, safeguards sensitive data for all credit cards and creates common industry security standards. This goes hand in hand with Federal regulations regarding Red Flag and the NC State Identity Theft Law.

There are six goals of PCI DSS. They are to:
* Build and maintain a secure network
* Protect cardholder data
* Maintain a vulnerability management program
* Implement strong access control measures
* Regularly monitor and test networks
* Maintain an information security policy

PCI DSS applies to all Duke Medicine credit card merchants, members and providers. All must comply with PCI DSS standards to ensure the security of cardholder data. These standards apply to users who process and transmit cardholder data, both at the time of service and via phone, mail or the internet.

A cardholder is an individual or company to whom a card has been issued, authorizing purchases on credit or debit accounts. To minimize the possibility of internal and external fraud and identity theft of credit cardholders, Duke Medicine's PCI DSS policy sets forth the safeguards to be employed whenever a credit card is processed at Duke Medicine. We have installed new encrypted credit card keypads that allow the processing of manually entered transactions. These devices evolve every few years as the security standards change.

Have you viewed the PCI Training Video prior to attending this session? This video explains the adverse effects of being a victim of credit card theft from a merchant perspective. Has anyone been a personal victim of credit card theft? What did you have to do to resolve it? How does this equate to a potential breach within Duke Medicine (a non-retail merchant)? What is more important to Duke Medicine than the loss of revenue if a breach occurs? The loss of trust. What are other ways that the release of information could lead to identity theft or credit card fraud? The fees mentioned in the video have gone up since it was filmed.

Forensic fees would be higher at Duke Medicine due to the multitude of merchant accounts. The merchant in the video spent $110,000 in a one year period. Multiply this by approximately 210 merchants: this totals $23,100,000 (23 million). Be prepared for newer credit card devices to be implemented as PCI standards evolve.

There are multiple credit card collection processing methods. Most are familiar with our processing via IDX for self-pay collections, which includes copays as well as account balances/deposits. DASC, Duke Home Care & Hospice, Duke Raleigh, Pre-Visit Collections, Health Info Mgmt, Integrative Medicine, Diet & Fitness, Health & Fitness and Executive Health (just to mention a few) utilize the virtual terminal (web page) for TrustCommerce. Citadel is used by Health & Fitness and Integrative Medicine for recurring monthly payments. QS1 is used by the Pharmacies (Outpatient Pharmacy, Children's Pharmacy, Cancer Center Pharmacy and Plaza Pharmacy). We use QS1 not only to comply with PCI but also with IIAS (Inventory Information Approval System) for flexible spending cards (WageWorks), governed by the Special Interest Group for IIAS Standards (SIGIS). This is a requirement by the IRS. IIAS assures that flexible spending dollars are only spent on approved medical services and supplies. A Point of Sale box is in use at the Belk Cancer Boutique, Duke Pediatric Dentistry and Duke Home Care & Hospice for their auxiliary sales. CyberSource is used by the Heathview Portal and the Duke Oncology Network for registration for educational sessions. There are other areas within the Duke Medicine campus whose merchant accounts are maintained by University Treasury and Cash Management (University Store and Auxiliary Stores); those areas attend PCI sessions with that group. Outside vendors (the cafes/cafeterias/food courts, etc.) are contractually required to comply with PCI standards.

These amounts are for the merchant accounts that are managed by the PRMO; anything that is managed by University Treasury is not included: $1.2 million for the Health System, $300,000 for the PDC, and 200,000 transactions.

Merchants are required to meet the PCI requirements, validate compliance through a Self Assessment Questionnaire (SAQ) and protect all confidential information. Charles and Sylvia (along with some guidance from the DHTS network team) complete most of the SAQs for you. There are some areas that must complete their own due to the nature of the processing that is performed. If you do not complete a full SAQ, the business owner of the merchant account must complete the on-line form in the Learning Center to validate your location's compliance.

Our objectives are to:
* Define PCI DSS
* Educate anyone that is responsible for credit card transactions and accounting
* Set safeguards for credit card processing
* Minimize internal and external fraud and identity theft of credit card holders
* Define the expectations of our staff

The purpose of the Duke Medicine PCI DSS Policy is to minimize the possibility of internal and/or external fraud and identity theft, set safeguards for credit card processing, educate the DUHS, PRMO and PDC staff that are responsible for processing or accounting of credit card transactions, and set staff expectations for compliance.

In previous slides, we have identified the various systems within Duke Medicine. Daily reports must be run to assure credit card dollars are in balance.

The Duke Medicine policy defines sensitive data as any data, including Personal Information (first name, initial & last name), in combination with identifying information that can be used to identify an individual or identify information about an individual, and that, if used without the permission of that individual, could lead to malicious damages, up to and including the theft of that individual's identity. The policy also establishes expectations of employees to adhere to the standards in order to protect sensitive personal cardholder data. This includes prohibiting employees from photocopying or manually recording cardholder data.

Examples of sensitive data include:
* Personal information (name/address)
* Social Security numbers
* Credit/debit card numbers
* Employee numbers
* Health information
* Internet addresses
* Ethnicity/sexual preferences
* Religious/political beliefs

When processing transactions and the credit card has been presented, employees must verify that the name on the card matches the name and signature on the back of the card. When there is no signature on the credit card, the individual must present another signed photo identification. When there is no signature on the photo ID card, we do not accept the credit card. This also complies with Red Flag and the NC Identity Theft law.

Processing of credit card transactions is now facilitated with an updated keypad device that includes a built-in card swipe. This new device works in conjunction with the latest version of TrustCommerce Vault. Data entered into the keypad and swiper is encrypted, enhancing Duke Medicine's data security initiatives. This also segments credit card transactions from the rest of the Duke network, which reduces our scope for PCI.

The downtime process requires a credit card imprinter, which takes a manual imprint of the card onto a paper form. The cardholder name and credit card number, which are sensitive personal data, are imprinted; therefore, safeguards must be implemented to prevent unauthorized access or use of the data. Paperwork supporting manually processed credit card transactions should be immediately filed in the user's cash drawer. Copies of the paper credit card receipts must never be made.

When the IDX or TrustCommerce system is down, Duke Health employees are required to verify that the name on the credit card matches the name and signature on the back of the card. When there is no signature, another signed photo ID is required. After verifying the cardholder information, employees must revert to the downtime process.

Merchant account numbers and the telephone number information for voice authorization must be maintained locally, ensuring all appropriate staff can access the information. DO NOT CALL THE HELPDESK FOR MERCHANT NUMBERS; THEY DO NOT MAINTAIN THESE NUMBERS. The cardholder must sign the credit card receipt and then be given one of the multipart copies for their records.

When IDX/TrustCommerce is available again, post the transaction in TrustCommerce and then post it to IDX using the manual credit card payment type. After the transaction has been entered into the processing system (IDX, TrustCommerce), the first 12 digits of the credit card number and the expiration date should be redacted. The paper copies of the credit card slips should then be sent, via Confidential Interoffice mail, to the PRMO Cash Management department.

A credit card incident is any situation in which a cardholder's information has been compromised or appears likely to have been compromised. This includes incidents involving manual or paper credit card documentation and/or where a hacker has penetrated a computer involved in credit card processing, even when there is no evidence that cardholder information was accessed. Any potential threat must be reported. Waiting areas must be checked to be sure no active data ports are present. There has been an incident at Duke Medicine in which someone obtained credit card numbers to sell to other individuals.

Immediately upon detecting a compromise, the staff member is to notify the business manager, cash manager or HCA. The business manager will contact the PRMO Helpdesk at 620-5000 with the location of the breach, the manager's name and contact information. The PRMO Helpdesk should contact the manager within 30 minutes, begin an Incident Response Form and notify the PRMO Security Officer.

The DHTS ISO will be contacted if the attack presents a security issue to machines or networks beyond those of the department.

The ISO will contact the local office of the Secret Service, SBI, FBI and Duke University Health System's senior officers or the PDC's senior officers as appropriate (i.e. DUHS Administration or PDC Administration). The PRMO Security Officer, PRMO Cash Management and Business Managers will coordinate final procedures in the incident recovery with oversight from the ISO.

PRMO Cash Management will assume liaison with the merchant bank, as needed, to report any fraud and coordinate subsequent fraud control steps with the issuing card company. PRMO Cash Management will instruct departments in any further incident reporting with banks and/or card companies.

The PRMO has formed its own PCI Committee to ensure we are in compliance with PCI. Attendance will be required at an Annual Awareness Forum. The PCI Self Assessment Questionnaire (SAQ) must be completed and submitted annually to PRMO Cash Management. PCI Compliance Action Plans must be followed. Collaboration with Internal Audit will be required to assure compliance.

To be compliant with PCI:
* Never store the 3- or 4-digit CV security numbers, and never include cardholder information in email.
* All paper with cardholder data must be secured, and access to the data limited on a business need-to-know basis only.
* All media (including paper) with cardholder data must be destroyed.
* Attend yearly training.

If the PCI requirements are not followed and this results in the release of Personal Identity Information, the compromised business could face fines of up to $500,000 if the data is lost or stolen, and risk not being allowed to handle cardholder data. There could be substantial financial loss due to the costs of investigation, remediation and victim notification, chargebacks for fraudulent transactions and other fines and fees. Organizations could also expect damage to their reputation, a disruption in operations and denial of service to customers. Individuals could be held liable, and there is always the possibility of business closure.

In summary, let's review the PCI DSS requirements for protecting sensitive credit card data. Verification that the name on the credit card matches the name and signature on the credit card is required. When there is no signature on the card, another signed photo identification is required. Safeguards apply to anyone who processes credit card data. Access to credit card data must be restricted by business need to know.

Cardholder data printed on paper must be protected against unauthorized access, and secure physical disposal or shredders are to be provided. To be compliant, when there is an incident, it must be reported to the Helpdesk. Anyone who processes credit card transactions must read the Policy and Procedure, sign a compliance agreement and attend a yearly PCI update training.

Are there any questions?