SlideShare a Scribd company logo

PCI DSS Training compliance training for companies

G
gealehegn

pci complisnce training

Education
1 of 19
Download to read offline
11/16/2017 1 Ball State University Ball State University PCI Data Security Awareness Training Ball State University Agenda  What is PCI-DSS  PCI-DSS Standards  Training  Definitions  Compliance  6 Goals  12 Security Requirements  Card Identification  Basic Rules to Follow  Myths
11/16/2017 2 Ball State University What is PCI-DSS? The Payment Card Industry Data Security Standards (PCI-DSS) are regulations that were created to ensure safe handling of sensitive information and to protect cardholder data. Ball State University The PCI Council was established in 2006 by Visa, MasterCard, Discover, and American Express
11/16/2017 3 Ball State University  To protect the credit card brands’ reputation as a secure method of payment  To protect customer cardholder data  To establish consistency for any entity accepting credit and debit cards Why Have Standards Ball State University While processing credit cards you will be exposed to a lot of sensitive information that is protected by law. This training will show you how to handle credit card information in a safe and secure manner. Importance of Training
11/16/2017 4 Ball State University Training  Training is required for all campus personnel who have access to credit card information  As a processor of credit card transactions; or  Reviewers of reports that contain credit card data  Training is required upon employment and annually Ball State University PCI-DSS Definitions Cardholder Customer to whom a card is issued or individual authorized to use the card Cardholder Data Full magnetic stripe or the Primary Account Number (PAN) plus any of the following • Primary Account Number • Cardholder Name • Expiration Date • Service Code Cardholder Validation Value or Code Data element on a card’s magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Compromise Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected. Encryption Process of converting information into an unintelligible form except to holders of a specific key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure.
11/16/2017 5 Ball State University PCI-DSS Definitions Firewall Hardware, software, or both that protect resources of one network from intruders from other networks. Information Security Protection of information to insure confidentiality, integrity and availability Magnetic Stripe Data encoded in the magnetic stripe is used for authorization during transactions when the card is presented. Merchant Any person/business that accepts payments by debit or credit cards Issuer Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa) or Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB) Ball State University PCI-DSS Definitions POS Point of Sale. Hardware and/or software is used to process payment card transactions at merchant locations Service Code Three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction Vulnerability Scan Scans used to identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the university’s private network PAN Primary Account Number is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also referred to as the Account Number
11/16/2017 6 Ball State University Who Must Comply with PCI? Any organization that accepts, processes, or transmits cardholder data. This includes Ball State University Ball State University Compliance with PCI-DSS  Since Ball State accepts payment cards, the university is subject to PCI‐DSS standards  Adhering to the standards is not optional  There are significant financial costs to non‐compliance  It only takes one incident of data compromise to put the university at risk  Non‐compliance is not worth the risk
11/16/2017 7 Ball State University  Fines of $500,000 per data security incident  Fines of $50,000 per day for non‐compliance with published standards  Liability for all fraud losses incurred from compromised account numbers  Liability for the cost of re‐issuing cards associated with the compromise  Suspension of merchant accounts Failure to comply with PCI‐DSS can result in stiff contractual penalties or sanctions from members of the payment card industry including: Compliance with PCI-DSS Ball State University Campus PCI-DSS Merchants  All Ball State merchants must be PCI‐DSS compliant and are responsible for ensuring their compliance  It applies to all payments channels, including in person, mail, telephone order and e–commerce
11/16/2017 8 Ball State University PCI-DSS Goals The 6 Goals of PCI‐DSS  Build and Maintain a Secure Network  Protect Cardholder Data  Maintain a Vulnerability Management Program  Implement Strong Access Control Measures  Regularly Monitor and Test Networks  Maintain an Information Security Policy Ball State University PCI-DSS 12 Security Requirements  Build and Maintain a Secure Network  Requirement 1: Install and maintain a firewall configuration to protect cardholder data  Requirement 2: Do not use vendor‐supplied defaults for system passwords and other security parameters  Protect Cardholder Data  Requirement 3: Protect stored cardholder data  Requirement 4: Encrypt transmission of cardholder data across open, public networks  Maintain a Vulnerability Management Program  Requirement 5: Use and regularly update anti‐virus software  Requirement 6: Develop and maintain secure systems and applications
11/16/2017 9 Ball State University 12 Security Requirements  Strong Access Control Measures  Requirement 7: Restrict access to cardholder data by business need‐to‐know  Requirement 8: Assign a unique ID to each person with computer access  Requirement 9: Restrict physical access to cardholder data  Regularly Monitor and Test Networks  Requirement 10: Track and monitor all access to network resources and cardholder data  Requirement 11: Regularly test security systems and processes  Maintain an Information Security Policy  Requirement 12: Maintain a policy that addresses information security Ball State University Credit Card Processing Example Card Present Transaction: Every request receives a response that directs the acquirer or the merchant on how to proceed with the transaction (Approve or Deny)  Seven Steps Cardholder provides credit card account to merchant Merchant’s bank asks credit card to determine cardholder’s bank Credit card authorization system checks card security features and sends to cardholder’s bank for approval Cardholder’s bank approves purchase Credit card bank sends approval to merchant’s bank Merchant's bank sends approval to merchant Cardholder completes purchase and receives receipt 1 2 3 5 4 6 7
11/16/2017 10 Ball State University Card Identification Features VISA Holographic emblem Card expiration month and year. Do not accept a card after the expiration date. Only the person whose name is embossed on a VISA is entitled to use it. VISA card logo All VISA account numbers start with a 4, MasterCard starts with a 5 and Discover starts with a 6. Embossing should be clear and uniform in size and spacing. The number on the front and back of the card, plus the one printed on the sales receipt should all match. 3 digit security code also called the CVV2 number. Magnetic stripe containing identification, PAN and special security information. The signature on the back of the card should match the customer’s signature on the receipt. The signature panel is tamper‐evident. Ball State University American Express Card Identification Features Pre‐printed (non‐embossed) Card Identification Number (CID) should always appear above the account number. Card expiration month and year. Do not accept a card after the expiration date. Only the person whose name is embossed on an American Express Card is entitled to use it. The letters “AMEX” and a phosphorescence in the Centurion portrait are visible under an ultraviolet light. All American Express account numbers start with a 3. Embossing should be clear and uniform in size and spacing. The number on the front and back of the card, plus the one printed on the sales receipt should all match. With this statement on the card, American Express reserves the right to “pick up” the card at any time. Some cards have a hologram of the American Express image embedded into the magnetic stripe. The signature on the back of the card should match the customer’s signature on the receipt. The signature panel is tamper‐evident.
11/16/2017 11 Ball State University Importance of CVV2/CID American Express CID 4 digit number Visa, MasterCard and Discover 3 digit CVV2/CID number  The CVV2/CID number ensures the caller actually has a credit card in hand when making a purchase.  When a customer physically hands you their card and you swipe it in a credit card terminal, you will not need to use the CVV2/CID number.  Do you know why?  The terminal reads and transmits data from the magnetic strip which includes the CVV2/CID security code. Ball State University Processing Computers • Computers used for processing payments should only be used for processing payments • Should never be used for non‐work related processing such as e‐mail should not be stored or executed on payment processing computers • Only authorized activity should be executed • Absolutely no personal or authentication data can be stored on the computer
11/16/2017 12 Ball State University Point of Sale Registers • Identify any third‐party claiming to be maintenance or a repair person for payment card devices before granting them access to the device • Review their credentials and work order • Call the business they are representing • Before installing or replacing a received payment card device (or allowing a third‐party to do so) receive acceptance verification from your supervisor • Pay close attention to any suspicious behavior around a payment card device. • For example plugging something into the wall around or in the same room as the payment card device. • Opening the device • If you detect this report it immediately to your supervisor Ball State University Ball State Procedures • Contact the Controller’s Office when considering any changes to your credit card system • PCI Questionnaire and Scans • Daily Batch Settlements (covering and cross training in case of absences) • Daily Transmittals and Reconciliations • Retention policy • Incident response • Background checks
11/16/2017 13 Ball State University Basic Credit Card Security Rules  Keep the card in the customer’s line of sight at all times.  Match signatures on the signed receipt to the back of the card.  Accept only the 4 major credit cards, or those identified by your department.  Write cardholder information only on designated forms.  Obtain the security code on the back of the card for all telephone sales.  Store all documents containing cardholder data in a secure locked area.  Process refunds to the card used for the original purchase.  Never share cardholder information outside your work environment.  Never send or receive card data through e‐messaging. (ie. Email, e‐mail attachments, texting or chat rooms.) Note: Some of the rules may not apply to your department since each department may have different business processes. Always check with supervisor when you are not sure. Ball State University Keep the Card in the Customer’s Line of Sight at All Times DO’s  Place the card on the counter as you log into the POS terminal.  Hold the card up in front of you or keep it on the counter if you need to use both hands. DO NOT’s  Place the card below the counter  Walk away with the customer’s card or leave it sitting on the counter  Place the card in a drawer  Lastly, do not place the card behind anything that would block the customer’s view of seeing their card Basic Credit Card Security Rules
11/16/2017 14 Ball State University Match signatures on the signed receipt to the back of the card  Verify a signature appears on the card  Verify the signatures on the card and the receipt look a like.  Verify the signature area on the card is intact and not voided.  Verify the color markings on the signature stripe are there.  If you have any concerns or the signatures do not match contact your supervisor. Basic Credit Card Security Rules Ball State University Obtain the Security Code on the Back of the Card for all Telephone Sales Basic Credit Card Security Rules  When you ask for the security code you are validating the card is in the physical possession of the cardholder.  If the CVV2/CID number does not match the issuing bank’s file, the transaction will be declined.  The CVV2/CID number should never be written down on a paper document.  The CVV2/CID number can only be entered through a terminal.
11/16/2017 15 Ball State University Write Cardholder Data Only on Designated Forms Basic Credit Card Security Rules  If Mail/Phone order transactions are permitted in your department. Then record:  Customer’s name  Phone number  Credit card number  Once the order has been placed or recorded all paper documents should be securely shredded in cross shedder or securely stored if the department’s Mail/Phone procedure permits Ball State University Store All Documents Containing Card Holder Data in a Secure Locked Area Credit Card Security Rules  To secure cash and credit card receipts:  Organize credit card receipts into a stack  Place the receipts inside a cash bag  Deliver the bag to the safe or cash room  Order forms should only remain in a restricted area under lock and key until the forms can be destroyed by a designated individual.
11/16/2017 16 Ball State University Process Refunds to the Card Used for the Original Transaction Credit Card Security Rules  If the original order was an internet transaction the cardholder’s information and card number will be linked to the order. A refund will be automatically issued based on the information recorded.  Do NOT enter a customer’s card information over the phone to issue a refund for an internet transaction.  If a customer does not have their original card when requesting a refund inform them a check will be issued for the refund amount. Ball State University Do Not Discuss Cardholder Information Outside of Your Work Area Credit Card Security Rules  Do not discuss a customer and their credit card anywhere outside of the designated work area  This includes the break room, hallway or at lunch  Do not discuss or send any card data through e‐messaging  This includes e‐mails, e‐mail attachments, texting, chat rooms or any social media
11/16/2017 17 Ball State University PCI DSS Myths? Myth 1 – One vendor and product will make us compliant  No single vendor or product fully addresses all 12 requirements of PCI‐DSS Myth 2 – Outsourcing card processing makes us compliant  Outsourcing simplifies but does not provide automatic compliance  We must ensure providers comply with PCI standards  Request a certificate of compliance annually from providers Myth 3 – PCI compliance is an IT project  The IT staff implements technical and operational aspects  PCI compliance is an ongoing process of assessment, remediation, reporting Ball State University PCI DSS Myths? Myth 4 – PCI will make us secure  Successful completion of a scan or assessment is ONLY a snapshot in time  Security exploits are NON‐STOP and get stronger every day  PCI compliance efforts are a continuous process of assessment and remediation to ensure safety of cardholder data Myth 5 – PCI is unreasonable; it requires too much  Most aspects of PCI‐DSS are a common best practice for security Myth 6 – PCI requires us to hire a Qualified Security Assessor  PCI‐DSS provides the option of doing an internal assessment with an officer sign‐off if acquirer and/or merchant bank agree
11/16/2017 18 Ball State University PCI DSS Myths? Myth 7 – We don’t take enough credit cards to be compliant  PCI compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one Myth 8 – We completed a SAQ so we’re compliant  Technically, this is true for merchants who are not required to do on‐site assessments for PCI‐DSS compliance. True security of cardholder data requires non‐stop assessment and remediation to ensure the likelihood of a breach is kept as low as possible. Myth 9 – PCI makes us store cardholder data  Both PCI‐DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors Ball State University PCI DSS Myths? Lastly…. Myth 10 – PCI is too hard  Understanding PCI‐DSS can seem daunting, especially for merchants without security or a large IT department  However, PCI‐DSS mostly calls for good, basic security
11/16/2017 19 Ball State University You’re all done! Great Job!

Recommended

PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminardlinehan2
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1leon bonilla
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guideMohammad Makchudul Alam (Arif)
 
Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016Donald E. Hester
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National CertificationMark Pollard
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfssuserbcc088
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 

Recommended

PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminardlinehan2
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1leon bonilla
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guideMohammad Makchudul Alam (Arif)
 
Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016Donald E. Hester
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National CertificationMark Pollard
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfssuserbcc088
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard- Mark - Fullbright
 
MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019 Mutual Trust Bank Ltd.
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCIKelly Lam
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS SlidecastRobertXia
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardsallychiu
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Donald E. Hester
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010Donald E. Hester
 
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxAssignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxtrippettjettie
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Chameleon PCI Presentation
Chameleon PCI PresentationChameleon PCI Presentation
Chameleon PCI Presentationchristoboshoff
 
PCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program OverviewPCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program Overview- Mark - Fullbright
 
PCI,Smart Card,ATM and E-commerce
PCI,Smart Card,ATM and E-commercePCI,Smart Card,ATM and E-commerce
PCI,Smart Card,ATM and E-commerceAmira Serag
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.CA Priyadarshan Behera
 
PCI Compliance 101
PCI Compliance 101PCI Compliance 101
PCI Compliance 101pgalletta
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheyPeter Tran
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1Amanda Squires@Pod1
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1wardell henley
 
MIC_3e_Ch3Add more information to your upload.ppt
MIC_3e_Ch3Add more information to your upload.pptMIC_3e_Ch3Add more information to your upload.ppt
MIC_3e_Ch3Add more information to your upload.pptgealehegn
 
How to Create an Effective PowerPoint.ppt
How to Create an Effective PowerPoint.pptHow to Create an Effective PowerPoint.ppt
How to Create an Effective PowerPoint.pptgealehegn
 

More Related Content

Similar to PCI DSS Training compliance training for companies

eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard- Mark - Fullbright
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCIKelly Lam
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS SlidecastRobertXia
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardsallychiu
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Donald E. Hester
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010Donald E. Hester
 
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxAssignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxtrippettjettie
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...Security B-Sides
 
Chameleon PCI Presentation
Chameleon PCI PresentationChameleon PCI Presentation
Chameleon PCI Presentationchristoboshoff
 
PCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program OverviewPCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program Overview- Mark - Fullbright
 
PCI,Smart Card,ATM and E-commerce
PCI,Smart Card,ATM and E-commercePCI,Smart Card,ATM and E-commerce
PCI,Smart Card,ATM and E-commerceAmira Serag
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
PCI Compliance 101
PCI Compliance 101PCI Compliance 101
PCI Compliance 101pgalletta
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheyPeter Tran
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1wardell henley
 

Similar to PCI DSS Training compliance training for companies (20)

eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 
MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
 
Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010Payment Card Industry Introduction 2010
Payment Card Industry Introduction 2010
 
Introduction to PCI APR 2010
Introduction to PCI APR 2010Introduction to PCI APR 2010
Introduction to PCI APR 2010
 
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxAssignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...
 
Chameleon PCI Presentation
Chameleon PCI PresentationChameleon PCI Presentation
Chameleon PCI Presentation
 
PCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program OverviewPCI DSS Data Security Compliance Program Overview
PCI DSS Data Security Compliance Program Overview
 
PCI,Smart Card,ATM and E-commerce
PCI,Smart Card,ATM and E-commercePCI,Smart Card,ATM and E-commerce
PCI,Smart Card,ATM and E-commerce
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.
 
PCI Compliance 101
PCI Compliance 101PCI Compliance 101
PCI Compliance 101
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_Richey
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
 

More from gealehegn

MIC_3e_Ch3Add more information to your upload.ppt
MIC_3e_Ch3Add more information to your upload.pptMIC_3e_Ch3Add more information to your upload.ppt
MIC_3e_Ch3Add more information to your upload.pptgealehegn
 
How to Create an Effective PowerPoint.ppt
How to Create an Effective PowerPoint.pptHow to Create an Effective PowerPoint.ppt
How to Create an Effective PowerPoint.pptgealehegn
 
hel29999999999999999999999999999999999999999999.ppt
hel29999999999999999999999999999999999999999999.ppthel29999999999999999999999999999999999999999999.ppt
hel29999999999999999999999999999999999999999999.pptgealehegn
 
csce201 - software - sec Basic Security.ppt
csce201 - software - sec Basic Security.pptcsce201 - software - sec Basic Security.ppt
csce201 - software - sec Basic Security.pptgealehegn
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.pptgealehegn
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.pptch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.pptgealehegn
 
PCI_Security_Awareness12345678904321.ppt
PCI_Security_Awareness12345678904321.pptPCI_Security_Awareness12345678904321.ppt
PCI_Security_Awareness12345678904321.pptgealehegn
 
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.pptTaiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.pptgealehegn
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptgealehegn
 
SecurityDevelopmentLifecycle 202512.pptx
SecurityDevelopmentLifecycle 202512.pptxSecurityDevelopmentLifecycle 202512.pptx
SecurityDevelopmentLifecycle 202512.pptxgealehegn
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 

More from gealehegn (11)

MIC_3e_Ch3Add more information to your upload.ppt
MIC_3e_Ch3Add more information to your upload.pptMIC_3e_Ch3Add more information to your upload.ppt
MIC_3e_Ch3Add more information to your upload.ppt
 
How to Create an Effective PowerPoint.ppt
How to Create an Effective PowerPoint.pptHow to Create an Effective PowerPoint.ppt
How to Create an Effective PowerPoint.ppt
 
hel29999999999999999999999999999999999999999999.ppt
hel29999999999999999999999999999999999999999999.ppthel29999999999999999999999999999999999999999999.ppt
hel29999999999999999999999999999999999999999999.ppt
 
csce201 - software - sec Basic Security.ppt
csce201 - software - sec Basic Security.pptcsce201 - software - sec Basic Security.ppt
csce201 - software - sec Basic Security.ppt
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.pptch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
 
PCI_Security_Awareness12345678904321.ppt
PCI_Security_Awareness12345678904321.pptPCI_Security_Awareness12345678904321.ppt
PCI_Security_Awareness12345678904321.ppt
 
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.pptTaiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
SecurityDevelopmentLifecycle 202512.pptx
SecurityDevelopmentLifecycle 202512.pptxSecurityDevelopmentLifecycle 202512.pptx
SecurityDevelopmentLifecycle 202512.pptx
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 

Recently uploaded

Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxsocialsciencegdgrohi
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 

Recently uploaded (20)

Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 

PCI DSS Training compliance training for companies

  • 1. 11/16/2017 1 Ball State University Ball State University PCI Data Security Awareness Training Ball State University Agenda  What is PCI-DSS  PCI-DSS Standards  Training  Definitions  Compliance  6 Goals  12 Security Requirements  Card Identification  Basic Rules to Follow  Myths
  • 2. 11/16/2017 2 Ball State University What is PCI-DSS? The Payment Card Industry Data Security Standards (PCI-DSS) are regulations that were created to ensure safe handling of sensitive information and to protect cardholder data. Ball State University The PCI Council was established in 2006 by Visa, MasterCard, Discover, and American Express
  • 3. 11/16/2017 3 Ball State University  To protect the credit card brands’ reputation as a secure method of payment  To protect customer cardholder data  To establish consistency for any entity accepting credit and debit cards Why Have Standards Ball State University While processing credit cards you will be exposed to a lot of sensitive information that is protected by law. This training will show you how to handle credit card information in a safe and secure manner. Importance of Training
  • 4. 11/16/2017 4 Ball State University Training  Training is required for all campus personnel who have access to credit card information  As a processor of credit card transactions; or  Reviewers of reports that contain credit card data  Training is required upon employment and annually Ball State University PCI-DSS Definitions Cardholder Customer to whom a card is issued or individual authorized to use the card Cardholder Data Full magnetic stripe or the Primary Account Number (PAN) plus any of the following • Primary Account Number • Cardholder Name • Expiration Date • Service Code Cardholder Validation Value or Code Data element on a card’s magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Compromise Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected. Encryption Process of converting information into an unintelligible form except to holders of a specific key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure.
  • 5. 11/16/2017 5 Ball State University PCI-DSS Definitions Firewall Hardware, software, or both that protect resources of one network from intruders from other networks. Information Security Protection of information to insure confidentiality, integrity and availability Magnetic Stripe Data encoded in the magnetic stripe is used for authorization during transactions when the card is presented. Merchant Any person/business that accepts payments by debit or credit cards Issuer Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa) or Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB) Ball State University PCI-DSS Definitions POS Point of Sale. Hardware and/or software is used to process payment card transactions at merchant locations Service Code Three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction Vulnerability Scan Scans used to identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the university’s private network PAN Primary Account Number is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also referred to as the Account Number
  • 6. 11/16/2017 6 Ball State University Who Must Comply with PCI? Any organization that accepts, processes, or transmits cardholder data. This includes Ball State University Ball State University Compliance with PCI-DSS  Since Ball State accepts payment cards, the university is subject to PCI‐DSS standards  Adhering to the standards is not optional  There are significant financial costs to non‐compliance  It only takes one incident of data compromise to put the university at risk  Non‐compliance is not worth the risk
  • 7. 11/16/2017 7 Ball State University  Fines of $500,000 per data security incident  Fines of $50,000 per day for non‐compliance with published standards  Liability for all fraud losses incurred from compromised account numbers  Liability for the cost of re‐issuing cards associated with the compromise  Suspension of merchant accounts Failure to comply with PCI‐DSS can result in stiff contractual penalties or sanctions from members of the payment card industry including: Compliance with PCI-DSS Ball State University Campus PCI-DSS Merchants  All Ball State merchants must be PCI‐DSS compliant and are responsible for ensuring their compliance  It applies to all payments channels, including in person, mail, telephone order and e–commerce
  • 8. 11/16/2017 8 Ball State University PCI-DSS Goals The 6 Goals of PCI‐DSS  Build and Maintain a Secure Network  Protect Cardholder Data  Maintain a Vulnerability Management Program  Implement Strong Access Control Measures  Regularly Monitor and Test Networks  Maintain an Information Security Policy Ball State University PCI-DSS 12 Security Requirements  Build and Maintain a Secure Network  Requirement 1: Install and maintain a firewall configuration to protect cardholder data  Requirement 2: Do not use vendor‐supplied defaults for system passwords and other security parameters  Protect Cardholder Data  Requirement 3: Protect stored cardholder data  Requirement 4: Encrypt transmission of cardholder data across open, public networks  Maintain a Vulnerability Management Program  Requirement 5: Use and regularly update anti‐virus software  Requirement 6: Develop and maintain secure systems and applications
  • 9. 11/16/2017 9 Ball State University 12 Security Requirements  Strong Access Control Measures  Requirement 7: Restrict access to cardholder data by business need‐to‐know  Requirement 8: Assign a unique ID to each person with computer access  Requirement 9: Restrict physical access to cardholder data  Regularly Monitor and Test Networks  Requirement 10: Track and monitor all access to network resources and cardholder data  Requirement 11: Regularly test security systems and processes  Maintain an Information Security Policy  Requirement 12: Maintain a policy that addresses information security Ball State University Credit Card Processing Example Card Present Transaction: Every request receives a response that directs the acquirer or the merchant on how to proceed with the transaction (Approve or Deny)  Seven Steps Cardholder provides credit card account to merchant Merchant’s bank asks credit card to determine cardholder’s bank Credit card authorization system checks card security features and sends to cardholder’s bank for approval Cardholder’s bank approves purchase Credit card bank sends approval to merchant’s bank Merchant's bank sends approval to merchant Cardholder completes purchase and receives receipt 1 2 3 5 4 6 7
  • 10. 11/16/2017 10 Ball State University Card Identification Features VISA Holographic emblem Card expiration month and year. Do not accept a card after the expiration date. Only the person whose name is embossed on a VISA is entitled to use it. VISA card logo All VISA account numbers start with a 4, MasterCard starts with a 5 and Discover starts with a 6. Embossing should be clear and uniform in size and spacing. The number on the front and back of the card, plus the one printed on the sales receipt should all match. 3 digit security code also called the CVV2 number. Magnetic stripe containing identification, PAN and special security information. The signature on the back of the card should match the customer’s signature on the receipt. The signature panel is tamper‐evident. Ball State University American Express Card Identification Features Pre‐printed (non‐embossed) Card Identification Number (CID) should always appear above the account number. Card expiration month and year. Do not accept a card after the expiration date. Only the person whose name is embossed on an American Express Card is entitled to use it. The letters “AMEX” and a phosphorescence in the Centurion portrait are visible under an ultraviolet light. All American Express account numbers start with a 3. Embossing should be clear and uniform in size and spacing. The number on the front and back of the card, plus the one printed on the sales receipt should all match. With this statement on the card, American Express reserves the right to “pick up” the card at any time. Some cards have a hologram of the American Express image embedded into the magnetic stripe. The signature on the back of the card should match the customer’s signature on the receipt. The signature panel is tamper‐evident.
  • 11. 11/16/2017 11 Ball State University Importance of CVV2/CID American Express CID 4 digit number Visa, MasterCard and Discover 3 digit CVV2/CID number  The CVV2/CID number ensures the caller actually has a credit card in hand when making a purchase.  When a customer physically hands you their card and you swipe it in a credit card terminal, you will not need to use the CVV2/CID number.  Do you know why?  The terminal reads and transmits data from the magnetic strip which includes the CVV2/CID security code. Ball State University Processing Computers • Computers used for processing payments should only be used for processing payments • Should never be used for non‐work related processing such as e‐mail should not be stored or executed on payment processing computers • Only authorized activity should be executed • Absolutely no personal or authentication data can be stored on the computer
  • 12. 11/16/2017 12 Ball State University Point of Sale Registers • Identify any third‐party claiming to be maintenance or a repair person for payment card devices before granting them access to the device • Review their credentials and work order • Call the business they are representing • Before installing or replacing a received payment card device (or allowing a third‐party to do so) receive acceptance verification from your supervisor • Pay close attention to any suspicious behavior around a payment card device. • For example plugging something into the wall around or in the same room as the payment card device. • Opening the device • If you detect this report it immediately to your supervisor Ball State University Ball State Procedures • Contact the Controller’s Office when considering any changes to your credit card system • PCI Questionnaire and Scans • Daily Batch Settlements (covering and cross training in case of absences) • Daily Transmittals and Reconciliations • Retention policy • Incident response • Background checks
  • 13. 11/16/2017 13 Ball State University Basic Credit Card Security Rules  Keep the card in the customer’s line of sight at all times.  Match signatures on the signed receipt to the back of the card.  Accept only the 4 major credit cards, or those identified by your department.  Write cardholder information only on designated forms.  Obtain the security code on the back of the card for all telephone sales.  Store all documents containing cardholder data in a secure locked area.  Process refunds to the card used for the original purchase.  Never share cardholder information outside your work environment.  Never send or receive card data through e‐messaging. (ie. Email, e‐mail attachments, texting or chat rooms.) Note: Some of the rules may not apply to your department since each department may have different business processes. Always check with supervisor when you are not sure. Ball State University Keep the Card in the Customer’s Line of Sight at All Times DO’s  Place the card on the counter as you log into the POS terminal.  Hold the card up in front of you or keep it on the counter if you need to use both hands. DO NOT’s  Place the card below the counter  Walk away with the customer’s card or leave it sitting on the counter  Place the card in a drawer  Lastly, do not place the card behind anything that would block the customer’s view of seeing their card Basic Credit Card Security Rules
  • 14. 11/16/2017 14 Ball State University Match signatures on the signed receipt to the back of the card  Verify a signature appears on the card  Verify the signatures on the card and the receipt look a like.  Verify the signature area on the card is intact and not voided.  Verify the color markings on the signature stripe are there.  If you have any concerns or the signatures do not match contact your supervisor. Basic Credit Card Security Rules Ball State University Obtain the Security Code on the Back of the Card for all Telephone Sales Basic Credit Card Security Rules  When you ask for the security code you are validating the card is in the physical possession of the cardholder.  If the CVV2/CID number does not match the issuing bank’s file, the transaction will be declined.  The CVV2/CID number should never be written down on a paper document.  The CVV2/CID number can only be entered through a terminal.
  • 15. 11/16/2017 15 Ball State University Write Cardholder Data Only on Designated Forms Basic Credit Card Security Rules  If Mail/Phone order transactions are permitted in your department. Then record:  Customer’s name  Phone number  Credit card number  Once the order has been placed or recorded all paper documents should be securely shredded in cross shedder or securely stored if the department’s Mail/Phone procedure permits Ball State University Store All Documents Containing Card Holder Data in a Secure Locked Area Credit Card Security Rules  To secure cash and credit card receipts:  Organize credit card receipts into a stack  Place the receipts inside a cash bag  Deliver the bag to the safe or cash room  Order forms should only remain in a restricted area under lock and key until the forms can be destroyed by a designated individual.
  • 16. 11/16/2017 16 Ball State University Process Refunds to the Card Used for the Original Transaction Credit Card Security Rules  If the original order was an internet transaction the cardholder’s information and card number will be linked to the order. A refund will be automatically issued based on the information recorded.  Do NOT enter a customer’s card information over the phone to issue a refund for an internet transaction.  If a customer does not have their original card when requesting a refund inform them a check will be issued for the refund amount. Ball State University Do Not Discuss Cardholder Information Outside of Your Work Area Credit Card Security Rules  Do not discuss a customer and their credit card anywhere outside of the designated work area  This includes the break room, hallway or at lunch  Do not discuss or send any card data through e‐messaging  This includes e‐mails, e‐mail attachments, texting, chat rooms or any social media
  • 17. 11/16/2017 17 Ball State University PCI DSS Myths? Myth 1 – One vendor and product will make us compliant  No single vendor or product fully addresses all 12 requirements of PCI‐DSS Myth 2 – Outsourcing card processing makes us compliant  Outsourcing simplifies but does not provide automatic compliance  We must ensure providers comply with PCI standards  Request a certificate of compliance annually from providers Myth 3 – PCI compliance is an IT project  The IT staff implements technical and operational aspects  PCI compliance is an ongoing process of assessment, remediation, reporting Ball State University PCI DSS Myths? Myth 4 – PCI will make us secure  Successful completion of a scan or assessment is ONLY a snapshot in time  Security exploits are NON‐STOP and get stronger every day  PCI compliance efforts are a continuous process of assessment and remediation to ensure safety of cardholder data Myth 5 – PCI is unreasonable; it requires too much  Most aspects of PCI‐DSS are a common best practice for security Myth 6 – PCI requires us to hire a Qualified Security Assessor  PCI‐DSS provides the option of doing an internal assessment with an officer sign‐off if acquirer and/or merchant bank agree
  • 18. 11/16/2017 18 Ball State University PCI DSS Myths? Myth 7 – We don’t take enough credit cards to be compliant  PCI compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one Myth 8 – We completed a SAQ so we’re compliant  Technically, this is true for merchants who are not required to do on‐site assessments for PCI‐DSS compliance. True security of cardholder data requires non‐stop assessment and remediation to ensure the likelihood of a breach is kept as low as possible. Myth 9 – PCI makes us store cardholder data  Both PCI‐DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors Ball State University PCI DSS Myths? Lastly…. Myth 10 – PCI is too hard  Understanding PCI‐DSS can seem daunting, especially for merchants without security or a large IT department  However, PCI‐DSS mostly calls for good, basic security