PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI) Affordable ~ Clean ~ Safe ~ Simple ~ Flexible

2 PCI Compliance
What does PCI stand for?
- Payment Card Industry Data Security Standard
- Data Security Standards require us to protect guest credit card information
Who is required to meet the PCI security standard?
- All entities that accept credit or debit card payment, or collect, process or store credit card transaction information

3 Value Place Franchise Services (VPFS) Policy
- Brand Standard requires all S-Ps, PMCs and Value Place properties to be operated in accordance and compliance with PCI merchant operating standards
Policy Purpose
- To define guidelines for accepting and processing credit cards and storing personal cardholder information
- To ensure cardholder information supplied to Value Place is secure and protected

4 What is the scope of this Standard?
- Any Value Place employee that processes, transmits, handles or could have access to cardholder information
- Cardholder information may be in a physical or an electronic format
- All employees that have access to NiteVision
- All employees that have access to the property's safe
- All employees who have access to guest studios

5 What's involved in complying with PCI?
- Property Management Company or S-P will select a Qualified Independent Scan Vendor
- Vendor will provide quarterly security scans to PMC/S-P
- Initial and annual online employee training is provided by the vendor
- Upon online training completion and testing, the employee will receive an electronic certificate. This should be printed off and filed.

6 All transaction processes must meet the following standards:
- Electronic credit card numbers should not be transmitted or stored on a personal computer or email account
- Credit card numbers should NOT be accepted via email and you must not email credit card information
- Physical cardholder data must be locked in a secure area

7 All transaction processes must meet the following standards:
- Access must be limited to employees that require the use of this data
- Access must be restricted on a need-to-know basis
- Store only essential information
- Do not store the Card Validation Code (Security Digits, V Code, or CID)
- Do not store the user PIN or full data from the card's magnetic stripe

8 All transaction processes must meet the following standards:
- Credit card information, if it does NOT need to be retained, must be destroyed
- Do not destroy 3rd party forms until the payment has been processed completely
- Information must be destroyed by shredding (crosscut) immediately AFTER processing, or immediately AFTER this information no longer needs to be retained

9 All transaction processes must meet the following standards:
- Credit card receipts may only show the last four digits of the credit card number. Card Number xxxxxxxxxxxx8868
- If receipts show more than the last four digits, the receipts must be shredded or retained in the locked safe
- Any employee with access to NiteVision, credit card information and/or access to the safe MUST comply with the Payment Card Industry Data Security Standard
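Two of the standards above (no card numbers in email, and receipts showing only the last four digits) are the kind of rule a property can check mechanically. The following is an added example, not part of the training deck or any Value Place or NiteVision software: it scans text lines for full card numbers using a digit-run pattern plus the Luhn checksum, so that a properly masked receipt line such as "xxxxxxxxxxxx8868" is not flagged but an unmasked number pasted into an email is. The sample lines, the regex and the function names are constructed for this example.

```python
import re

# Candidate card-number runs: 13 to 19 digits, optionally separated by spaces or dashes.
# Constructed for this example; the deck itself gives no pattern.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample lines: a masked receipt (compliant), a card number typed into
# an email (non-compliant), and a 16-digit confirmation number that is not a card.
SAMPLE_LINES = [
    "Receipt 0412: Card Number xxxxxxxxxxxx8868 Amount 129.00",
    "Guest emailed card 4111 1111 1111 1111 exp 12/26 for 3rd party auth",
    "Confirmation 1234567890123456 generated 2014-10-01",
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a card number the way the deck requires on receipts: last four digits only."""
    return "x" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return the masked form of every Luhn-valid full card number found in text.

    Only the masked form is returned so that a report of findings never
    itself contains the unmasked number.
    """
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_lines(lines: list) -> dict:
    """Map each line index to the masked card numbers it exposes (lines with none are omitted)."""
    findings = {}
    for index, line in enumerate(lines):
        pans = find_unmasked_pans(line)
        if pans:
            findings[index] = pans
    return findings


if __name__ == "__main__":
    for index, pans in scan_lines(SAMPLE_LINES).items():
        print(f"line {index}: unmasked card number(s) found, masked as {pans}")
```

The Luhn check is what keeps the scanner from flagging every 16-digit order or confirmation number; roughly nine in ten random digit strings fail it. The reverse limitation also applies: a number that happens to pass Luhn will be reported, so findings still need a person to confirm them before a form is shredded or an email deleted.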

10 Confidentiality & Security of Account Information
- All 3rd Party Authorizations must be stored in a secure place and locked at all times
- Old and current registration cards cannot have 3rd Party Authorizations attached
- Implement a retention policy for all 3rd Party Authorization forms
- Consider a 90 day retention policy, or destroy the 3rd Party Authorization when a guest checks out
- Old files could help support credit card charge backs

11 Locking Safe Requirements
- ALL employees that have access to the locking safe MUST be PCI certified
- NO EXCEPTIONS

12 Security Best Practice: 3rd Party Authorization Faxed Applications
- Log all 3rd Party Applications that have been faxed to the property
- This provides a good audit trail if needed in the future
- Never throw fax logs away
- Fax log consists of:
  o Date and time fax was received
  o Name of employee that retrieved and secured form
  o Name of guest being authorized

13 Security Best Practice: Example of Fax Log

14 Security Best Practice: Audit Boxes
- Store previous month's audit boxes in a secured place (3rd or 4th floor storage rooms)
- Correctly label each box
- Access to 3rd and 4th floor storage rooms: VP employees only
- Tips for storing:
  o Store in empty paper boxes
  o Stack paperwork uniformly
  o Seal boxes with clear packing tape
  o Person packing/sealing box must initial & date directly over the tape

15 Keep Credit Card Information SAFE
NEVER:
- Write down credit card information and leave it unattended
- Throw away papers, emails, faxes etc. with credit card information listed without shredding
- Leave the office unattended with a non-compliant employee or visitor
- Remove anything from the office with credit card numbers showing or available, i.e. computers, storage devices, storage files, etc.

16 Controlled Access to the Property's Office
ALWAYS:
- Keep office door closed and secured. Not complying could result in a KCD on your next QAR
- Keep safe closed and locked
- NiteVision access only by:
  o Employees that are PCI compliance trained
  o PMC (must be PCI compliance trained)
- Same rules apply to anybody accessing networking ports in the property's office

17 Place Required Labels on CPU
- Use label maker and print out labels
- Place on computer (CPU) that houses NiteVision software
- Labels include the following information:
  o Owner Name:
  o Equipment Purpose: Point of Sale System
  o For help with this machine: Contact

18 Property Visitor(s)
- All visitors allowed into the Property's Office must be approved by the Property Manager
- All approved visitors must have a visitor nametag in sight or a Value Place employee name tag
- Inside Office Area: visitors must be escorted by the Property Manager
- Outside Office Area: visitor must be escorted by a VP team member
- A log identifying property visitors must be kept

19 Example of Visitors Log

20 PCI Compliance: Penalties for Non-Compliance
- Fines could be imposed by the affected credit card company
- Minimum fines from VISA for violation of the Payment Card Industry Data Security Standard begin at $50,000

21 PCI Compliance: PCI Compliance Protects the Guest and You
- If you think a rule was broken, tell somebody immediately
- Accidents happen; no one gets in trouble for working on fixing problems and protecting our guests
- Don't be afraid to ask for help and understanding from your Supervisor
- PCI Compliance is a TEAM effort that protects our guests

22 PCI Compliance: What if there is a security breach, an office break-in, etc.?
- Example: 3rd party forms stolen or removed from office. Contact PMC or Supervisor immediately!
- Example: Office gets broken into and NiteVision computer is stolen. Call 911, contact PMC or Supervisor immediately!
- Example: Safe broken into and credit card numbers have been stolen. Call 911, contact PMC or Supervisor immediately!

23 QA Compliance: Be Prepared
- Cross cut paper shredder
- Training certificate filed for all employees
  o New Employees must be PCI trained/certificate provided within the first week of employment or prior to NiteVision and/or guest room access
  o Existing Employees trained annually after initial certification
- Independent Scan Vendor's IP Scan with proof of pass/fail, date scanned
  o Quarterly remote vulnerability scans required
- CPU must be labeled with Owner, Contact Information and Purpose
- Visitors Log
  o A log identifying property visitors (vendors, service technicians, etc.) must be kept on file at the Front Desk. All visitors must be identified with a visitor nametag and sign in and out.

24 QA Compliance: Be Prepared. Example of training certificate certifying employee has received PCI Compliance training

25 QA Compliance: Be Prepared. Example of external IP scan