Training for individuals involved in the processing of merchant card payments

Posted on 12-Jun-2020

Training for individuals involved in the processing of merchant card payments (credit card and debit card transactions) on behalf of the campus.

Applies to:

• Full and part-time employees
• Temporaries
• Consultants
• Contractors
• Volunteers

June 1, 2015

Training Objectives

• What is the PCI-DSS standard?
• What is PCI compliance?
• What is cardholder data?
• Applicability of PCI-DSS
• What is the importance of PCI compliance?
• Twelve requirements of PCI-DSS
• Personal responsibility
• PCI data security awareness training
• Best practices: dos and don'ts
• Behind the scenes
• Card brands' identification features
• Chip and PIN technology
• Next steps

What is the PCI-DSS Standard? The Payment Card Industry Data Security Standard (PCI-DSS) is a set of requirements imposed by the payment card brands (Visa, MasterCard, Discover, American Express, JCB).

PCI-DSS was created and is maintained on behalf of the brands by the PCI Security Standards Council.

The goal of PCI-DSS is to protect cardholder data.

What is Cardholder Data? Account data to be protected includes:

Cardholder's name

Primary account number (PAN)

Expiration date (month/year)

Track data (on the magnetic stripe)

Security code / card verification value (CVV)

PIN (debit cards)

The last three items (track data, security code, PIN) are classed by PCI-DSS as sensitive authentication data, which is subject to stricter rules than the rest (see "Two Types of Account Data" below).

Cardholder data can be in:

Paper form or

Electronic form

Applicability of PCI-DSS PCI-DSS apply to anyone who does any one of the following:

Stores

Processes, or

Transmits cardholder data

PCI-DSS apply to all forms of payment card acceptance:

Mail

Phone

Fax

Point-of-sale

Online (Web)

What’s the Importance of PCI Compliance?

As a merchant accepting card payments, the campus must be in compliance with the PCI-DSS standards at all times

The campus has to periodically attest its compliance to appropriate parties

The campus's failure to be compliant can result in:

Damage to the campus's reputation and adverse publicity

Potential fines – Up to $1 million per occurrence

Costs associated with forensic investigations and notifying customers

Inability for campus to continue to accept card payments

Employee disciplinary actions

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Twelve Requirements of PCI-DSS

Although some of the requirements apply to the campus’s IT staff, many of the requirements apply to the campus’s business staff.

Personal Responsibility As an employee, contractor, student, or volunteer who interacts with credit card data, you are the first line of defense against fraud and security breaches

You are expected to be aware of the campus’s policies and procedures and to be ever vigilant when interacting with payment card data and credit card transactions

PCI Data Security Awareness Training

You are required to complete this training and attest to having completed it: upon hire or initial engagement, and

annually thereafter as refresher training

Through your continued vigilance and implementation of PCI standards, you assist the campus in being PCI compliant

Best Practices Adherence to best practices by individuals will assist the campus in being PCI compliant

The following slides contain practices that should be followed and practices that should be avoided

Credit Card Receipts • Ensure credit card receipts are stored securely

• Ensure that card receipts are disposed of by shredding in accordance with campus policy

Truncate PANs • Verify that both the campus copy and the customer copy of a card receipt bear only a truncated version of the primary account number (PAN)

• Only the last four digits should be displayed; every other digit must be masked

Example: XXXX-XXXX-XXXX-9534

Physical Protection of Devices PCI-DSS version 3.0 added a requirement (Requirement 9.9) that the campus institute procedures to periodically inspect card-reading devices for fraudulent skimmers that may have been attached to them, and to check device serial numbers to detect fraudulent substitution of a device.

Devices include POS terminals, kiosks, and PCs used in processing card transactions

• Training of employees includes:

• Verify the identity of any third-party persons claiming to be repair or maintenance personnel before granting access to a device;

• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices);

• Inspect POS terminals and devices at beginning of each shift for tampering

Physical Security of Card Media• Do not leave any paper or electronic card media physically unsecured

• Restrict physical access to areas where cardholder data is handled and stored

• Only allow employees who have a legitimate business need to access cardholder information

• Do not have card receipts or related documents on display to the general public

• Visitors in areas where cardholder data is stored must be identified and escorted, with a visitor’s log being maintained

Email Containing PANs • Do not send any unencrypted email containing a full primary account number (PAN). A truncated PAN showing only the last four digits is acceptable to send.

• Do not process a payment based on card information received by email.

• Should you receive an email containing a PAN:

• Delete the email immediately

• Do not print or forward the email

• Notify the customer that you are unable to process the payment and direct them to an approved payment channel

• These restrictions also apply to instant messaging and chat
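The "Truncate PANs" and "Email Containing PANs" slides above describe two checks that a mail gateway or data-loss-prevention filter performs mechanically: recognising a full PAN in free text, and reducing it to the last-four form that receipts and email are allowed to carry. The following Python is an added illustration of both, not part of the training material or of any campus system. The Luhn check and the 13 to 19 digit length range are properties of real PANs; the regular expression, the function names, and the sample email (which uses well-known published test card numbers, not real accounts) are constructed for this example.

```python
"""Find full PANs in free text and reduce them to last-four masked form.

Added example, not from the original training deck. Assumptions made here:
the regex below is one reasonable candidate matcher, and SAMPLE_EMAIL is a
constructed message containing published test card numbers.
"""
import re

# A candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, not adjacent to other digits (so we do not match inside longer runs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) check every PAN satisfies.

    Most 13-19 digit numbers (order numbers, tracking numbers) fail it, which
    is what separates a PAN from other long numbers in a filter like this.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits, keeping the writer's separators.

    "4111-1111-1111-1111" -> "XXXX-XXXX-XXXX-1111", matching the receipt
    format shown on the slide. Raises ValueError for non-PAN input.
    """
    digits = [c for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19 or not luhn_valid("".join(digits)):
        raise ValueError("not a valid PAN")
    keep_from = len(digits) - 4
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN candidate in text, exactly as written."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            hits.append(m.group())
    return hits


def redact_pans(text: str) -> str:
    """Replace each PAN in text with its last-four masked form; other numbers are untouched."""
    def _sub(m: re.Match) -> str:
        raw = m.group()
        return mask_pan(raw) if luhn_valid(re.sub(r"\D", "", raw)) else raw
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: a customer email of the kind the slide says must not be
# acted on. The 16-digit order number is Luhn-invalid and must survive redaction;
# the two card numbers are published test numbers (Visa and American Express).
SAMPLE_EMAIL = """\
From: customer@example.com
Subject: Please charge my order

Hi, please charge order 1234567890123456 to my Visa 4111-1111-1111-1111,
exp 09/27, code 123. Call me at 555-0100 with questions.
My backup card is an Amex: 3782 822463 10005.
Your receipt already showed XXXX-XXXX-XXXX-9534 last time, thanks.
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_EMAIL):
        print("full PAN found:", pan, "->", mask_pan(pan))
    print(redact_pans(SAMPLE_EMAIL))
```

Note what the filter does not catch: the line "code 123" is the card security code, which the later "Security ID Codes" slide classes as sensitive authentication data that may never be stored. A three- or four-digit number cannot be recognised from its digits alone, so detecting it requires context rules (keywords such as "code", "CVV", "CID" near a PAN) that a real DLP product layers on top of a matcher like this one.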

Two Types of Account Data There are two types of account data:

• Cardholder data (PAN, cardholder name, expiration date)

• Sensitive authentication data (full track data, the card security code, and PINs or PIN blocks)

Note that the data elements designated as sensitive authentication data can never be stored by the campus after a transaction has been authorized, even in encrypted form

Security ID Codes • Each of the card brands assigns a unique security code to each card issued

• For Amex, it is a four-digit number located on the front of the card

• For all other brands, it is a three-digit number located on the back

• The code is referred to by different names and may be called the card verification value or ID (CVV, CVV2, CVC2, CID)

• The security ID code is considered "sensitive authentication data"

• Never write down, store, or email the security ID code

• The code is a fraud-prevention tool: for a card-not-present order it is evidence that the customer physically has the card. Keeping a record of the code defeats its purpose.

• If provided to you, the code may be retained only until the authorization has been approved by the card processor, and must then be destroyed

• The potential fine levied by Visa for storing sensitive authentication data after authorization, such as CVV or PIN (in case of a debit card), is $50,000

Passwords • Adhere to the campus's policy regarding the creation of strong passwords and the frequent changing of passwords

• Do not write down passwords for others to find, or share your password

• Do not use vendor-supplied defaults for system passwords and other security parameters

• Ensure that vendor default passwords are changed before a system goes live

Social Engineering Social engineering is a non-technical method of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures

Adhere to the campus's security procedures pertaining to the use of computers, responding to emails, and visiting inappropriate websites

• Examples of social engineering include:

• Phishing – Emails appearing to be from a known person or organization asking for confidential information

• Shoulder surfing – Individuals looking over your shoulder to observe confidential information

• Tailgating – Individuals seeking entry to a restricted area

• Dumpster Diving –Individuals looking for confidential information in your trash (e.g., sticky note with password, discarded reports, etc.)

• Remote access – Individuals seeking to control your computer remotely

Service Providers The campus may use third-party service providers to facilitate the processing of merchant cards

Campus management assumes the role of verifying that these providers are PCI compliant

Should you become aware that one of these service providers is not adhering to one of the PCI requirements, you should notify management

• Service providers include the merchant card processor, as well as any gateway that processes online payments

Payment Applications The campus may use various payment applications to process card-present transactions, as well as mail orders and telephone orders (MOTO). Examples include POS software and virtual terminals.

Campus management assumes the role of verifying that these applications are PCI validated before purchasing

• You must also follow the vendor's implementation guide when using these applications in order to maintain their PCI compliance status:

• Do not use the default password

• Do not deactivate anti-virus protection

• All updates must be applied timely

Security Incident Reporting The campus has a security incident reporting plan

Your role in this plan may vary, but will include: notifying your supervisor immediately of any suspected or actual security breach or of stolen cardholder data

Document any information you know while waiting for a response to the incident, including the date, time, and nature of the incident

• If a computer system is involved:

• Do not access or alter compromised systems

• Do not turn the compromised machine off (powering it off destroys evidence held in memory)

• Isolate compromised systems from the network

• Preserve logs and electronic evidence

• Log all actions taken

All incident reporting by the campus management is to be conducted through the Office of State Controller, not directly to any card brand

Behind the Scenes Various departments and staff within the campus have certain responsibilities pertaining to PCI compliance, in addition to you as an individual

Examples: IT staff is involved with firewall management, encryption, penetration testing, vulnerability scanning, log management, antivirus software updates, etc.

The business office staff is involved in monitoring service providers’ PCI compliance, ensuring that all POS software acquired is PCI compliant, completing self-assessment questionnaires, etc.

The campus utilizes a PCI Qualified Security Assessor (QSA) firm, known as Coalfire, to assist in its PCI compliance efforts

Card Brands' Identification Features In addition to PCI-DSS requirements, each card brand has certain card identification and fraud detection features which you should be aware of

Examples include:

The brand's 4-digit Bank Identification Number (BIN) printed on the card, which should match the first four digits of the embossed account number

Location of the brand's security code (card ID number)

Visa, MC, and Discover are 3-digit on the back; Amex is 4-digit on front

Location of card’s expiration date

Number to call for a suspicious card (Code 10 authorization)

The following four slides depict each brand’s features

Chip and PIN Technology The campus may be acquiring new POS terminals that incorporate new security features: Chip and PIN (also known as EMV)

The new technology involves processing cards that carry an embedded chip (typically in addition to the magnetic stripe)

The POS terminals will be able to process the new chip and PIN cards as well as the old magnetic stripe cards

The POS terminals may be stand-alone, or they may have a reader device that is attached to the existing swipe POS terminal

Next Steps You have completed the first step of your PCI Security Awareness Training.

The second step is to complete a quiz to test your understanding of this training module. You must score a grade of 80 percent or better to pass.

The third step is to obtain and read the campus's PCI Data Security Policy for Business Users. You may be provided additional procedures that are specific to your job duties (e.g., telephone orders, POS terminals, online orders, etc.).

The fourth step is to obtain the certificate of completion of training, indicating that you have passed the quiz and acknowledging your receipt of the campus's PCI Data Security Policy.

This training is good for one calendar year after you pass the quiz.