This document provides training on proper handling of credit card information according to PCI compliance standards. It begins with an overview of why security is important when processing credit cards due to the sensitive customer information involved. It then outlines 10 rules for securing credit card data, such as not processing cash refunds, matching signatures, and securely storing documents with cardholder data. The document educates on parts of the credit card like the PAN and CVV2 numbers to help verify identities during transactions.

4. While processing credit cards
you will be exposed to a lot of
sensitive information.
This training will show you how
to handle credit card
information in a safe and
secure manner.

5. Albert Gonzalez, 28
With accomplices, he was involved in data
breaches of most of the major data breaches:
Heartland, Hannaford Bros., 7-Eleven, T.J.
Maxx, Marshalls, BJ’s Wholesale Club,
OfficeMax, Barnes & Noble, Sports Authority,
Dave & Busters, Boston Market, Forever 21,
DSW and others.
Customers trust that we will
keep their account
information safe from crooks
like these.

6. Source:

7. Number of incidents per year.
Source:

9. Source:

10. Source:

11. Source:

12. Source:

14. Source:

16. Source:

17. 1. Securing the IT environment
2. Managing and retaining data
3. Managing IT risk and compliance
4. Ensuring privacy
6. Managing System Implementations
7. Preventing and responding to computer fraud
10. Managing vendors and service providers
http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TopTechnologyInitiatives/Pages/2013TTI.aspx
Orange text are all
PCI related

18. https://www.youtube.com/watch?v=1boEXDVkKjU

20. Data Element Storage
Permitted
Protection
Required
PCI DSS 3.4
Cardholder
Data
Primary Account
Number (PAN)
Yes Yes Yes
Cardholder Name Yes Yes No
Service Code Yes Yes No
Expiration Date Yes Yes No
Sensitive
Authentication
Data
Full Magnetic
Stripe Data
No N/A N/A
CVC2 / CVV2 / CID
/ CAV2
No N/A N/A
PIN / PIN Block No N/A N/A

21. • Acquirer (Merchant Bank)
 Bankcard association member that initiates
and maintains relationships with merchants
that accept payment cards
• Hosting Provider
 Offer various services to merchants and
other service providers.
Card Brand
Acquirer
Hosting
Provider
Merchant
Cardholder

22.  Maintain standards for PCI
to provide quarterly scans
Card
Brands
PCI SSC
QSA
ASV

24.  Own and manage PCI DSS, including maintenance, revisions,
interpretation and distribution
 Define common audit requirements to validate compliance
 Manage certification process for security assessors and network
scanning vendors
 Establish minimum qualification requirements
 Maintain and publish a list of certified assessors and vendors

29. Incident Evaluation
Safe
Harbor
$$$$$$

32. Merchants may be subject to fines by the card associations if deemed
non-compliant. For your convenience fine schedules for Visa and
MasterCard are outlined below. (Banks no longer publish fines)
http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html

35. Category Criteria Requirements Compliance date
Level 1
•Any merchant that has suffered a hack or an attack that resulted in
an account data compromise
•Any merchant having more than six million total combined
MasterCard and Maestro transactions annually
•Any merchant meeting the Level 1 criteria of Visa
•Any merchant that MasterCard, in its sole discretion, determines
should meet the Level 1 merchant requirements to minimize risk to
the system
•Annual Onsite Assessment1
•Quarterly Network Scan conducted by an ASV2 30 June 20123
Level 2
•Any merchant with more than one million but less than or equal to
six million total combined MasterCard and Maestro transactions
annually
•Any merchant meeting the Level 2 criteria of Visa
•Annual Self-Assessment4
•Onsite Assessment at Merchant Discretion4
•Quarterly Network Scan conducted by an ASV2
30 June 20124
Level 3
•Any merchant with more than 20,000 combined MasterCard and
Maestro e-commerce transactions annually but less than or equal to
one million total combined MasterCard and Maestro e-commerce
transactions annually
•Any merchant meeting the Level 3 criteria of Visa
•Annual Self-Assessment
•Quarterly Network Scan conducted by an ASV2 30 June 2005
Level 4 •All other merchants5 •Annual Self-Assessment
•Quarterly Network Scan conducted by an ASV2 Consult Acquirer

39. Assess
ReportRemediate

50. https://www.youtube.com/watch?v=PoQwUT31Lgg

60. • Clearly primary account number (16 digit PAN)
• Valid thru date
• Holographic security emblem
• Card logo (Visa)
• Cardholder's name
(Click on the credit card to check your answers)
Look at the above card. Can you find
each of the parts listed below?
Front side of card
First, lets look at the
front side of a typical
credit card.
Valid thru date
Holographic
emblem
Card logo
PAN

61. Now, look at the back
side of a credit card.
• Signature panel
• A 3 digit security code also called the
CVV2 number
• Magnetic stripe
(Click on the credit card to check your
answers)
Can you find each of the parts listed
below on the above card?
Back side of card
CVV2
Signature
Panel
Magnetic Strip

63. Have you ever
wondered what
is encoded in the
magnetic strip? • Cardholder name and address
• Account number
• Expiration date
• Special security information to detect
fraudulent cards
Once the card is swiped, this
information is electronically
relayed to the card issuer, who
then uses it to authorize the sale.
The magnetic strip contains:

67. Now that you know the
anatomy for Discover,
MasterCard, and Visa
cards, lets explore
American Express
card.
CID Code
The American Express card has the same safety
features as Discover, MasterCard and Visa, but a
little different structure.
The American Express's equivalent to the 3 digit
CVV2 security code is a 4 digit CID security code
which appears on the face of the card.
American Express Card

68. The Security number
ensures the caller actually
has a credit card in hand
when making the
purchase.
CVV2/CID number
When a customer physically hands you their card
and you swipe it in a credit card terminal, you will
not need to use the security number. This is
because when swiped through the card reader, the
terminal reads and transmits data from the
magnetic stripe which includes the CVV2/CID
security code.
CAV2/CVC2/CVV2/CID

80. Check out these 10
rules for credit card
security.
Credit Card Security Rules
1. Do not process transaction for other businesses or entities.
2. Don’t process cash refunds.
3. Keep the card in the customer’s line of sight.
4. Match signatures on the signed receipt to the back of the card and
the last four digits of the PAN (card number).
5. Accept only the major credit cards, or those identified by your
department. Honor customer’s choice.
6. Obtain the security code on the back of the card for all telephone
sales.
7. Write cardholder information only on designated forms.
8. Store all documents containing card holder data in a secure locked
area.
9. Never send or receive card data through e-messaging
10.Never share cardholder information outside your work environment.
Some of these rules may not
apply to your department. Each
department has a different
business process, so remember
to double check with your
supervisor if you have any
questions.

81. Sorry I cannot
process a credit card
and give you cash.

83. Refunds must be
placed on card used
for the initial
purchase.
What if someone does not have their
original card?
If a customer doesn’t have their original
card, inform them a check will be issued
for the refund amount.
Internet Transactions
It's much simpler for internet transactions
since the cardholder’s information and
card number are linked to the sale. A
refund will be automatically issued based
on the original transaction and card used.
Never enter the customer’s card information over
the phone to issue a refund for an internet
transaction.

84. Rule 3 applies to any
sales situation where
a customer hands
you a credit card.
Keep the card in the customer's line of sight at all times.
Do this:
• Place the card on the counter as you log
into the POS terminal.
• Hold the card up in front of you or
keeps it on the counter if you needs
both hands.
NOT this:
• Place the card below the counter
• Walk away from your station with the
customer's card
• Place the card in the drawer
• Place the card behind an object that
blocks the customer's view

85. Rule 4 requires you
to make sure the
signatures match.
Check the following items:
• A signature appears on the card.
• The signatures on the card and receipt look similar.
• The signature area on the card is intact and not voided.
• Color markings appear on the signature stripe.
If the signatures do not match or you have
a concern about the authenticity of the card,
call your supervisor.
Match signatures on the signed receipt to
the back of the card.

86. For magnetic-stripe card transactions, match
the name and last four digits of the account
number on
the card to those printed on the receipt.

90. Can I see your
ID please?

92. Accept only the
credit cards your
organization has
approved.
Make sure the logos above appear
on the card. Your department may
even limit which of these 4 cards
they accept, so make sure you find
out.

93. This is your last line of
defense for preventing
the fraudulent use of a
card via internet or
phone.
Obtain the security code on the back of
the card for all telephone sales.
• When you (the merchant) ask for this number, you are validating the
card is in the physical possession of the cardholder (purchaser).
• If the security number does not match the issuing bank's file, the
transaction will be declined and you will receive a message saying the
security code does not match.
The CCAV2/CVC2/CVV2/CID number should never be written down on any paper document. It can only be entered through a
terminal.

94. We protect your
information!

95. This rule pertains mostly
to telephone sales but
should be kept in mind
for all credit card
transaction.
Write cardholder data only on designated forms.
• Follow your department’s policy for
MOTO (Mail/Telephone order)
transactions.
• If MOTOs are allowed in your
department, always record the
customer's name, phone number, and
credit card number on the designated
form.
• Once the order has been placed or
recorded, all paper documents are
securely stored and destroyed when no
longer needed.

96. This rule applies when cardholder
data is received by mail, fax, or phone.
(Any physical copies of PAN)
Store all documents containing card holder data in a secure
locked area.
Place all order forms in a designated
restricted area under lock and key. These
documents will remain here until they are
later destroyed by designated staff.
To secure cash and credit card receipts:
• Organize credit card receipts into a
stack.
• Place the receipts inside the cash bag.
• Deliver the bag to the safe or cash
room.

98. Perform a search for CHD every 6 months

99. http://www.youtube.com/watch?v=iC38D5am7go

100. Under no
circumstances should
cardholder information
be sent via any
electronic format.
Never send card data through e-messaging
This includes all electronic
communication such as
emails, attachments to
emails, text messaging and
chat rooms.

101. Never discuss a
customer's personal
card information
outside of work.
Never share cardholder information
outside your work environment.
You can discuss at a high
level about your work with
credit cards, but never
mention specifics.
Customers are trusting you
with their sensitive account
information! Treat their
information as if it were your
own. Including SSN and
other information.

105. To prevent
skimming, you
should be on the
lookout for:

107. https://www.youtube.com/watch?v=njET6_q1hWw