TERMINAL CONTROL MEASURES



Similar documents
CREDIT CARD SECURITY POLICY PCI DSS 2.0

Payment Card Industry Data Security Standards

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY October

How To Complete A Pci Ds Self Assessment Questionnaire

Appendix 1 Payment Card Industry Data Security Standards Program

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

University Policy Accepting and Handling Payment Cards to Conduct University Business

PCI Data Security and Classification Standards Summary

Standards for Business Processes, Paper and Electronic Processing

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

New York University University Policies

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Credit Card Handling Security Standards

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

PCI Policies Appalachian State University

Dartmouth College Merchant Credit Card Policy for Processors

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Information Technology

b. USNH requires that all campus organizations and departments collecting credit card receipts:

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Credit and Debit Card Handling Policy Updated October 1, 2014

Payment Card Industry Compliance

CREDIT CARD PROCESSING POLICY AND PROCEDURES

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

Merchant Card Processing Best Practices

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Saint Louis University Merchant Card Processing Policy & Procedures

Accepting Payment Cards and ecommerce Payments

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

Credit Card Security

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Becoming PCI Compliant

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures

Payment Card Acceptance Administrative Policy

POLICY SECTION 509: Electronic Financial Transaction Procedures

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

University of Sunderland Business Assurance PCI Security Policy

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

The Design Society. Information Security Policy

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution

University of Maine System ADMINISTRATIVE PRACTICE LETTER

CREDIT CARD PROCESSING & SECURITY POLICY

Viterbo University Credit Card Processing & Data Security Procedures and Policy

Policies and Procedures

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

Clark University's PCI Compliance Policy

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments

Policies and Procedures. Merchant Card Services Office of Treasury Operations

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

UCSD Credit Card Processing Policy & Procedure

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry Data Security Standard PCI DSS

Credit Card Processing and Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy

policy D Reaffirmation of existing policy

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

References: County Policy Manual- Credit Card Payments; Vendor Remote Access Request Form

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

Fraud - Preparing Data Card Transactions

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Accounting and Administrative Manual Section 100: Accounting and Finance

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

Information Security Policy

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE WORKBOOK. PCI SAQ TYPE B Level 4. Virtual Terminals

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Huddersfield New College Further Education Corporation

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

UW Platteville Credit Card Handling Policy

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments

University of Virginia Credit Card Requirements

McGill Merchant Manual

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Why Is Compliance with PCI DSS Important?

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures

Vanderbilt University

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Project Title slide Project: PCI. Are You At Risk?

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

Transcription:

UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University of California Office of the President mandates that all University of California campuses comply with the Payment Card Industry Security Council s Payment Card Industry Data Security Standard (PCI DSS). (The Security Council has representatives from the five major card brands: Visa, MC, Amex, Discover & JCB.) A security breach and subsequent compromise of payment card data has far reaching consequences for affected organizations, including: Regulatory notification requirements Loss of reputation Loss of customers Potential financial liabilities (for example, regulatory and other large fines and fees) Litigation ***In this document Media refers to all paper and electronic media containing cardholder data (credit card number, expiration date, card verification codes. *** Accepting payment cards is a departmental privilege. Departments processing payment cards must abide to the following standards regarding the acceptance and storage of cardholder data. All personnel in the payment card processing environment must read and understand the requirements of the Terminal Control Measures. All UCR merchants/departments must abide by the following guidelines: Departments must not store cardholder data on computers (spreadsheets, etc.) and credit card information (credit card number, expiration date, card verification codes, etc.) must not be transmitted via email. If payments are accepted in-person at a remote location, terminals must be monitored and tracked at all times. Strict control must be maintained over the internal or external distribution of any kind of media. Media must be classified so that the sensitivity can be determined. Media sent or transported must be secured by a courier and accurately tracked. Logs must be maintained to track all media that is moved from a secured area. Management s approval must be obtained prior to moving media, especially when media is distributed to individuals.

Each department must designate an individual who holds the primary authority and responsibility for payment card processing. Pay the costs associated with payment card processing (bank and interchange fees, equipment fees, if applicable, and other fees as deemed appropriate). Comply with all PCI DSS guidelines, UCOP s Business & Finance Bulletin 49 (BUS-49), Policy for Cash and Cash Equivalents Received, and UCR s policies and procedures for payment card acceptance and security (200-17). Validate PCI compliance annually, which includes the completion of the appropriate Self- Assessment Questionnaire (SAQ) and associated processes, if applicable, as required by the University s acquiring bank and credit card associations. Require all those involved with merchant processes, either directly or as a supervisor, to participate in Security Awareness Education (SAE) training annually and upon hire. Notify the Campus Credit Card Coordinator (Director of Student Business Services/Cashiers) when a program ends or when changes take place, if applicable. Return equipment at the conclusion of a program, if applicable. For inventory purposes. Respond to chargeback notifications and credit card company inquiries in a timely manner (within 15 days). Ensure that cardholder data is not transmitted or obtained via email or stored electronically in any database, application or system. Maintain the physical protection of departmental credit card receipts and the secure destruction of payment card receipts and cardholder data once a program has ended and all payments have been reconciled (no longer than twenty four months maximum, and no less than 12 months minimum). Provide full cooperation with the University s Campus Credit Card Coordinator and/or authorized third-party assessors whenever necessary. Authorize and complete deposit settlement daily. (Strongly recommend setting up autosettle) One DAF per day per Merchant ID must be created daily for each day there is credit card activity. Physical Access Control Credit card terminals must be kept in a secure location with limited physical access. Terminals need to be inspected daily for tampering and a log maintained documenting the review.

Cardholder information (receipts, reports, supporting documentation, etc.) must be secured and limited to only those individuals whose job requires such access. Strict control must be maintained over any media containing cardholder data. Physically secure paper media containing sensitive cardholder data at all times (e.g. locked down) and safeguard it if being transported. A secure location would minimally be defined as one that is not accessible to the public, particularly if authorized personnel are not always available to monitor security. Destroy media containing cardholder data when no longer needed in accordance with PCI DSS guidelines. Secure locations must have physical access controls (key cards, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security. Develop procedures to help all personnel easily distinguish between employees and visitors. Personnel Access Control Passwords must be added for refunds/voids (used by someone other than who is processing charges) Restrict access to cardholder data by business need-to-know basis. Limit access to system components and cardholder data to only those individuals whose job requires such access. Restrict access rights to privileged user IDs to the least privileges necessary to perform job responsibilities. Assign privileges based on individual personnel s job classification and function. Establish an access control system for systems components with multiple users that restricts access based on a user s need to know, and is set to deny all unless specifically allowed. Storage of Cardholder Data Keep cardholder information storage to a minimum. Storage of sensitive cardholder data on any local device or system is prohibited.

Do not store the Card Verification Value (three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data). Ensure secure storage and distribution of university keys. Periodically change keys and destroy old keys. An inventory must be maintained of all systems, electronic, and paper media containing sensitive cardholder data. Transmission and Distribution of Cardholder Data All transmission and distribution of sensitive cardholder data must use a secure method to avoid unauthorized access. Never send or accept cardholder or other sensitive information via unencrypted e-mail, Instant Messaging or any other insecure method (e.g. File Transfer Protocol (FTP), Hypertext Transport Protocol etc.). Mask the credit card s Primary Account Number (PAN) when displayed. Protecting Cardholder Data When sensitive authentication data is received and deleted, there must be a process in place to securely delete the data and to assure the data is unrecoverable. All systems must adhere to the PCI DSS requirements regarding non-storage of sensitive authentication data after authorization. Under no circumstance, should the full contents of any track from the magnetic stripe be stored. In the normal course of business, the following data elements from the magnetic stripe may need to be retained. To minimize risk, store only these data elements as needed for business. o The cardholder s name o Primary account number (PAN) o Expiration Date Under no circumstance should the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) be stored. Under no circumstance should the personal identification number (PIN) or the encrypted PIN block be stored. Maintain an Information Security Policy All merchants should maintain a policy that addresses information security for all personnel. Personnel refers to full time and part time employees, temporary employees, contractors and consultants have access to the cardholder data environment.

A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. The security policy should be reviewed at least once a year and updated as needed to reflect any changes to business objectives or the risk environment. Disposal and Re-Use of Hardware, Electronic and Paper Media Hardcopy media must be destroyed when it is no longer needed for business or legal reasons. It is recommended that it be held in case a refund request or chargeback dispute comes through but no longer than six to twelve months from the date of the transaction. Destruction of hardcopy media must be cross-cut shredded, incinerated or pulped so that cardholder data cannot be reconstructed. If this is not possible, credit card numbers and personal information must be blacked-out before destroying. Containers that store cardholder data to be destroyed must be secured to prevent access to the contents. Example: a to-be-shredded container must have a lock preventing access to its contents. Shred, incinerate, pulp or black-out paper media containing cardholder data so that it cannot be reconstructed. Incident Reporting In the event of a security breach in which a person s Personal Information is reasonably believed to have been stolen by an unauthorized person, the breach must be reported immediately to a supervisor and: The Campus Credit Card Coordinator cashandmerchant@ucr.edu (951) 827-3991 In the event of a compromise involving credit card information, encrypted or unencrypted, it is critical to immediately report the breach to a supervisor and: The Campus Credit Card Coordinator cashandmerchant@ucr.edu (951) 827-3991 References: PCI DSS - https://www.pcisecuritystandards.org/security_standards/index.php BUS-49 - http://policy.ucop.edu/doc/3420337/bfb-bus-49

I have thoroughly read the Terminal Control Measures and understand that I must follow PCI DSS and BUS-49 requirements in the handling of credit card data. My department accepts full responsibility should a breach occur due to employee negligence or fraud in the mishandling of cardholder information. Campus Credit Card Coordinator reserves the right to suspend or terminate service at any time if sufficient security measures are not employed by my department. By signing below, I understand my role and responsibilities as a merchant. Signature: Department Representative Date: Department Name/Title and Ext:

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information