E-Learning Module Credit/Debit Payment Card Acceptance and Security OBFS-Treasury...
e-Learning Module
Credit/Debit Payment Card Acceptance and Security
OBFS-Treasury Operations-Merchant Card Services
February 26, 2011
Instructor and Moderator, Rebecca Kornegay
Welcome
Introduction
• University of Illinois departments accept and process thousands of credit or debit card payment sales daily.
• Departments are required to comply with payment card industry data security standards (PCI DSS) of Visa, MasterCard, American Express, and Discover to secure cardholder information at all times.
Why Are We Doing This?
• University students, parents, and customers trust that their card information will be protected at the University of Illinois.
• To protect the University from a card security breach and monetary fines.
What Will You Learn?
• Anatomy of a Payment Card
• Required Guidelines as Best Practices for Handling Payment Card Information
• Payment Card Security
Anatomy of a Payment Card
Credit/Debit Card – Data Embossed Front
Account Number
Cardholder Name
Bank Card Brand
Bank Card Logo
Verification Number (American Express Only)
Expiration Date
Anatomy of a Credit/Debit Payment Card
Credit/Debit Card – Data Imprinted Back
Magnetic Stripe
Signature Panel
Security Code (Visa, MasterCard, Discover)
Payment Card Acceptance and Processing
Payment card transactions must be accepted using one of the following methods and technologies,
• Methods
– Face to Face (card present)
– Mail, Telephone or Fax (card NOT present)
– University-approved internet application (card NOT present)
• Technologies
– Terminal
– Point-of-Sale (POS) system
– e-Commerce
Secure Methods
Phone
Mail
Fax
Mail or Telephone Orders (MOTO)
Not Secure Methods
PDA Device
Wireless Devices
Staff entering a cardholder’s card information into a computer or a website from their workstation computer.
Instant Messaging or Chat
Email Not A Secure Method
If a customer sends their card information via email,
• Delete the email from your inbox and deleted box, then send a message of response.
• If you reply to the original email, remove the card information before sending the message.
• Send a response that the card information is not accepted via email and provide alternative methods for sending their card information by fax, mail, phone, etc.
Card Present Transactions
Accepting a payment card face-to-face
Card Present Transactions
If You Handle Card Present Transactions,
• The payment card must be swiped through the terminal or POS system card magnetic stripe reader.
• Do not keep any card information after the transaction has been authorized.
• Keep the payment card within the customer’s view and shield from the view of others.
Card NOT Present Transaction
• The physical payment card is not provided for processing.
• Requires manual entry of the card number into a processing technology.
In addition to manually entering the Cardholder Account Number, for card NOT present transactions you must enter,
• EXPIRATION DATE, 02/14
• CARD BILLING ADDRESS STREET NUMBER, 3775
• ZIP CODE, 61821
• VERIFICATION NUMBER (FRONT OF AMEX CARD)
• SECURITY CODE, CVS, CVV2, CID (VISA, MASTERCARD, & DISCOVER CARDS)
Card NOT Present Transaction
Sensitive Security Authentication Data must NEVER be stored after the transaction is authorized.
• Security Code and Verification Number
• PIN Numbers
• Expiration Date
• Payment Card Full Magnetic Stripe Data
Card NOT Present Transaction By Phone
Payment Card Data Acceptance Requirements
• Phone
Card NOT Present Transaction By FAX
Payment Card Data Acceptance Requirements
• Fax
Card NOT Present Transaction By FAX
Payment Card Data Acceptance Requirements
• Treat a fax the same way as you would treat cash
Card NOT Present Transaction By Mail
Payment Card Data Acceptance Requirements
• Mail
Card NOT Present Transaction By Paper Based Forms
Payment Card Data Acceptance Requirements
• Paper Based Forms
Card NOT Present Transaction By Paper Based Forms
If paper records contain card account numbers,
• Render all but the last four digits unreadable by blackening the numbers with a china marker (grease pencil) or by replacing the characters with *, #, or X.
Card NOT Present Transaction By Paper Based Forms
Designing Order, Registration, or Invoice Forms
• Form area capturing card information must be,
– Placed at bottom of form
– Remove card information
– After processing payment, cut or tear form bottom to be shredded
– Printed receipts or invoices distributed outside the unit must show only the last four digits of account number.
Card NOT Present Transaction By Paper Based Forms
If paper records containing card account numbers,
• Disposing of Paper Based Forms
Accessing and Storing Payment Card Information
Required Procedures for Accessing Card Information
• Limit access to documents and reports
• Never share logins and/or passwords with others, including coworkers.
Accessing and Storing Payment Card Information
Required Procedures for Storing Card Information
• Databases, spreadsheets and other electronic systems must ONLY store the last four digits of the card account number.
• NEVER store the card expiration date, verification number, or security code in ANY electronic spreadsheet, database or system.
Accessing and Storing Payment Card Information
Required Procedures for Storing Card Information
• Store all materials containing cardholder account information in a secure and restricted area.
Payment Card Transactions Delayed Processing
Best practice is to process payment card information immediately for the transaction to be authorized.
• If a delay is required,
– Do not store the card information in electronic format.
– Card information must be kept secure and with restricted access until the payment is processed for authorization.
Payment Card Transactions Delayed Processing
• Secure the paper form containing payment card information following the same guidelines used for securing cash transactions.
• Treat delayed processing paper containing card information as if it were cash.
Security Reminder
Phishing
Securing Payment Card Information
• Be aware of phishing methods that attempt to trick you into providing card data for malicious purposes.
• Never provide a customer’s payment card information to anyone.
• Merchant Card Services and the University’s bank processor, Global Payments, will never contact a department to request that you provide card information.
What Happens if Payment Card Information is Lost or Stolen?
• Stolen card data might be used to make counterfeit cards.
• Can be sold for illegal purposes, such as facilitating identity theft.
• An expensive forensic investigation may result.
• The University will be fined for the breach and other associated costs, such as the forensic investigation.
Payment Card Security Breach Consequences
The consequences of a security breach,
• A forensic investigation will determine the amount of data lost and how the loss occurred.
• All fines, monetary penalties, and other associated costs related to the breach are paid by the department merchant that experienced the breach.
• Increased processing restrictions or loss of processing privileges for the department.
Payment Card Security Breach Consequences
Breach in security could result in,
• Significant monetary fines to the University.
• Potential loss of reputation and trust from students, parents, and customers.
• The entire University could lose the privilege to accept and process credit/debit cards due to a department’s payment card security breach.
Thank you!
Questions, contact Rebecca Kornegay at University of Illinois Merchant Card Services Office, by PHONE: 217-244-9384 or E-MAIL: [email protected]