How To Complete A Pci Ds Self Assessment Questionnaire



Similar documents
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry Data Security Standards

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

TERMINAL CONTROL MEASURES

POLICY SECTION 509: Electronic Financial Transaction Procedures

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY October

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

New York University University Policies

Payment Card Industry (PCI) Data Security Standard

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Payment Card Industry Compliance

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Information Technology

BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)

Payment Card Industry (PCI) Data Security Standard

Appendix 1 Payment Card Industry Data Security Standards Program

Attestation of Compliance for Onsite Assessments Service Providers

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution

Attestation of Compliance for Onsite Assessments Service Providers

Credit Card Processing and Security Policy

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance

Attestation of Compliance for Onsite Assessments Service Providers

PCI Data Security and Classification Standards Summary

University Policy Accepting and Handling Payment Cards to Conduct University Business

Credit Card Handling Security Standards

Standards for Business Processes, Paper and Electronic Processing

Attestation of Compliance for Onsite Assessments Service Providers

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

PCI Policies Appalachian State University

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

E-Market Policy Accepting Online Payment for Conducting University Business

Payment Card Industry (PCI) Data Security Standard

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Policies and Procedures

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Payment Card Industry (PCI) Data Security Standard

University of Maine System ADMINISTRATIVE PRACTICE LETTER

Viterbo University Credit Card Processing & Data Security Procedures and Policy

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Payment Card Industry (PCI) Data Security Standard

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

Payment Application Data Security Standard

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE WORKBOOK. PCI SAQ TYPE B Level 4. Virtual Terminals

Payment Card Industry (PCI) Data Security Standard

Attestation of Compliance, SAQ A

How To Understand The Law Of Credit Card Usage

Accepting Payment Cards and ecommerce Payments

UNIVERSITY CONTROLLER S OFFICE

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Payment Card Industry (PCI) Data Security Standard

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

Vanderbilt University

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository

PCI COMPLIANCE GUIDE For Merchants and Service Members

White Paper On. PCI DSS Compliance And Voice Recording Implications

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Payment Card Industry (PCI) Data Security Standard

CREDIT CARD PROCESSING & SECURITY POLICY

Dartmouth College Merchant Credit Card Policy for Processors

University of Sunderland Business Assurance PCI Security Policy

Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March Information Supplement: Protecting Telephone-based Payment Card Data

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

Saint Louis University Merchant Card Processing Policy & Procedures

Becoming PCI Compliant

McGill Merchant Manual

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

The University of Michigan Treasurer s Office Card Services. Merchant Services Policy Document

Finance Office. Card Handling Policy

Policy Title: Payment Cards Policy Effective Date: 5/5/2010. Policy Number: FA-PO-1214 Date of Last Revision: 11/5/2014

Fraud - Preparing Data Card Transactions

Accounting and Administrative Manual Section 100: Accounting and Finance

Office of Finance and Treasury

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

The Design Society. Information Security Policy

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Acceptance to Minimize Fraud

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP)

Payment Card Industry Data Security Standard Self-Assessment Questionnaire B-IP Guide

Transcription:

Department PCI Self-Assessment Questionnaire Version 1.1 2009

Attestation of Compliance Instructions for Submission This Department PCI Self-Assessment Questionnaire has been developed as an assessment tool intended to assist departments in self-evaluating their with Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a worldwide security standard that was developed by credit card companies (Visa, Master Card, etc) to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data. Since credit cards are used for payments in the University, Hofstra must be in with these industry standards. University departments that process credit card payments must complete this self assessment questionnaire and return to Mr. Sean Cover (ext: 3-6348), Assistant Treasurer, by July 6, 2009. Departments that are in with PCI standards should complete this questionnaire and include local management signoff. If a not in, please return the completed form unsigned and the Hofstra University PCI Compliance Committee will assist the department in complying with PCI standards. Department Information Dept Name: Contact Name: Telephone: Title: Date: Vendor Does your department use a third-party vendor for processing credit card payments? TouchNet Yes No Other vendor: Yes No Please provide vendor name: Part 1. Processing Information Please indicate how your department accepts / processes cardholder information (select all that apply). (Select One) Payment Process Type YES NO If yes, please indicate number of units (e.g., 4 card swipe terminals, 2 fax machines, etc) 1.1 Using a credit card swipe terminal 1.2 Via telephone (with information written on paper) 1.3 Via fax 1.4 On paper (Via mail or in person) 1.5 Via email PCI DSS, Department Compliance Page 2

(Select One) Payment Process Type YES NO If yes, please indicate number of units (e.g., 4 card swipe terminals, 2 fax machines, etc) 1.6 Using software on a PC 1.7 Via a web site 1.8 Paper forms are brought from another office Part 2. Protecting Cardholder Data Please confirm that your appropriately protecting cardholder data in with PCI standards. Confirm Compliance Statement YES NO Please provide details if not in 2.1 The department does not store the full contents from the magnetic stripe taken from the back of a credit card or anywhere elsewhere. Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained: Accountholder s name Primary account number (PAN) Expiration date Service code. To minimize risk, store only those data elements needed for business. 2.2 The department does not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions. Yes the in and does not store this information Yes the in and does not store this information No the not in No the not in 2.3 The department does not store the personal identification number (PIN) or the encrypted PIN block. Note: Hofstra University does not allow payments in the form of Debit Cards with an associated PIN block. Yes the in and does not store this information No the not in PCI DSS, Department Compliance Page 3

Confirm Compliance Statement YES NO Please provide details if not in 2.4 The primary account number (PAN) is masked when displayed. Specifically, only the first six and last four digits are the maximum number of digits that are displayed. Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN; nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point-of-sale [POS] receipts). Yes the in Compliance No the not in Part 3. Restricting Access to Cardholder Data Please confirm that your appropriately restricting access to cardholder data in with PCI standards. Confirm Compliance Question YES NO Please provide details if not in (e.g., N/A - not applicable) 3.1 Is access to computing resources and cardholder information limited to only those individuals whose jobs require such access? 3.2 Are all paper and electronic media that contain cardholder data physically secure? (Such media includes computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes.) 3.3 Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? 3.4 Is media managed and controlled by University staff classified so it can be identified as confidential? For example, ensure folders/envelopes that contain cardholder data are marked confidential before they are sent to other departments to facilitate appropriately handling by staff members. 3.5 If media is sent outside an area (e.g., off campus), is the media sent by secured courier or other delivery method that can be accurately tracked? 3.6 Are processes and procedures in place to ensure management approval is obtained prior to moving any and all media from a secured area (especially when media is distributed to individuals)? 3.7 Is strict control maintained over the storage and accessibility of media that contains cardholder data? PCI DSS, Department Compliance Page 4

Confirm Compliance Question YES NO Please provide details if not in (e.g., N/A - not applicable) 3.8 Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons? 3.9 Are hardcopy materials cross-cut shredded, incinerated, or pulped? Part 4. Security Policy Please confirm that your aware of the security policies related to credit card security. Confirm Compliance Statement YES NO Please provide details if not in (e.g., N/A - not applicable) 4.1 Please confirm that your aware that the University has a security policy that is established, published, maintained and disseminated. 4.2 Please confirm that your aware of the policies, procedures, and practices in place to preclude the sending of unencrypted cardholder data by electronic mail (e.g., instant messaging, chat, email, etc). 4.3 Please confirm that your aware that security policy is reviewed on an annual basis and updates are made when environments change. 4.4 Please confirm that your aware of usage policies that are developed to define proper use of computers for all employees and contractors. 4.5 Please confirm that your aware of security incident response and escalation procedures to ensure timely and effective handling of all situations. 4.6 Please confirm that your aware that all employees must understand the importance of properly protecting cardholder data (i.e., security awareness). PCI DSS, Department Compliance Page 5

Part 5. Business Operations Please answer the following questions regarding your department s credit card operations. (Select One) Additional Comments Questions YES NO Please provide details (e.g., N/A - not applicable) 5.1 Are internal records well organized, and can past transactions be readily identified and source documents effectively retrieved? 5.2 Does the unit have a training program for new staff, or staff accepting new payment processing responsibilities? 5.3 Does the unit have a secure fax machine available to which transmissions with cardholder information can be directed? (Not a fax server) 5.4 Does the unit understand that it is prohibited to store cardholder data in any electronic form whatsoever without first obtaining the approval of the Office of Financial Affairs? 5.5 Does the department understand that they must respond to and report any and all incidents to the Office of Financial Affairs that might entail cardholder data, whether that data is on paper or in electronic form? 5.6 Are refund transactions properly controlled and approved by senior management before funds are returned to the payee (dual controls on disbursements)? 5.7 Are refund transactions properly documented and accounted for? 5.8 Are refunds on credit cards credited only to the original card which was used for the purchase of goods or services? 5.9 Does the unit respond timely to chargeback / disputed items? Are faxed chargeback notices promptly processed or forwarded to the unit? PCI DSS, Department Compliance Page 6

Important Note All individuals that process credit card information should read the PCI Data Security Standard (DSS), which are industry requirements for the safe handling of sensitive information. The standard provides a framework for developing an effective data security process - including preventing, detecting and reacting to security incidents. The updated version of the standard (DSS v1.2 replaced v1.1 on October 1, 2008) is available on the PCI Security Standards Council web site (www.pcisecuritystandards.org). Confirmation of Compliant Status After the questionnaire has been completed, please confirm status (select all that apply). Yes The Department PCI DSS Self-Assessment was completed according to the instructions therein. Yes Yes All information within the above-referenced questionnaire and in this attestation fairly represents the results of my assessment. I recognize that the department must maintain full PCI DSS at all times Yes No evidence of magnetic stripe (i.e., track) data 1, CAV2, CVC2, CID, or CVV2 data 2, or PIN data 3 storage after transaction authorization was found on ANY systems reviewed during this assessment. NO Department is not in The Department is not in with PCI Standards. We will require assistance from the Hofstra PCI Compliance Committee. 1 2 3 Data encoded in the magnetic stripe used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization. The only elements of track data that may be retained are account number, expiration date, and name. The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify cardnot-present transactions. Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message. PCI DSS, Department Compliance Page 7

Confirmation Signatures After all parts of this questionnaire are completed - please save and print this document. Once printed If the in with all parts, please sign below If the not in, please return the completed form unsigned and the Hofstra PCI Compliance Committee will help your department comply with PCI standards. Signature of Area Supervisor: Print Name: Date: Signature of Vice President: Print Name: Date: PCI DSS, Department Compliance Page 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information