Payment Card Cashiering for Local Governments 2016


Transcript of Payment Card Cashiering for Local Governments 2016

Page 1: Payment Card Cashiering for Local Governments 2016
Page 4: Payment Card Cashiering for Local Governments 2016

While processing credit cards you will be exposed to a lot of sensitive information.

This training will show you how to handle credit card information in a safe and secure manner.

Page 5: Payment Card Cashiering for Local Governments 2016

Albert Gonzalez, 28

With accomplices, he was involved in most of the major data breaches of the period: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ's Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.

Customers trust that we will keep their account information safe from crooks like these.


Page 7: Payment Card Cashiering for Local Governments 2016

Number of incidents per year (chart).


Page 17: Payment Card Cashiering for Local Governments 2016

1. Securing the IT environment
2. Managing and retaining data
3. Managing IT risk and compliance
4. Ensuring privacy
6. Managing system implementations
7. Preventing and responding to computer fraud
10. Managing vendors and service providers

Source: http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TopTechnologyInitiatives/Pages/2013TTI.aspx

The items shown in orange on the slide are all PCI related.

Page 18: Payment Card Cashiering for Local Governments 2016

https://www.youtube.com/watch?v=1boEXDVkKjU

Page 20: Payment Card Cashiering for Local Governments 2016

Data Element                        Storage Permitted   Protection Required   PCI DSS 3.4 (render unreadable)

Cardholder Data
  Primary Account Number (PAN)      Yes                 Yes                   Yes
  Cardholder Name                   Yes                 Yes                   No
  Service Code                      Yes                 Yes                   No
  Expiration Date                   Yes                 Yes                   No

Sensitive Authentication Data
  Full Magnetic Stripe Data         No                  N/A                   N/A
  CVC2 / CVV2 / CID / CAV2          No                  N/A                   N/A
  PIN / PIN Block                   No                  N/A                   N/A
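As an added example (not part of the training deck), the storage rules in the table above expressed as a policy check in Python: sensitive authentication data is dropped before anything is written, the PAN is rendered unreadable per requirement 3.4 (here by truncating to the last four digits plus a keyed SHA-256 hash), and the other cardholder data elements are kept as they are. The field names, the HMAC key and the sample order are constructed for the example.

```python
import hashlib
import hmac

# Storage policy from the deck's table: storable = "Storage Permitted",
# unreadable = the "PCI DSS 3.4" (render unreadable) column.
STORAGE_POLICY = {
    "pan":             {"storable": True,  "unreadable": True},   # cardholder data
    "cardholder_name": {"storable": True,  "unreadable": False},
    "service_code":    {"storable": True,  "unreadable": False},
    "expiration_date": {"storable": True,  "unreadable": False},
    "full_track_data": {"storable": False, "unreadable": False},  # sensitive auth data:
    "cvv2":            {"storable": False, "unreadable": False},  # never stored after
    "pin_block":       {"storable": False, "unreadable": False},  # authorization
}

def _digits(value: str) -> str:
    return "".join(ch for ch in value if ch.isdigit())

def truncate_pan(pan: str) -> str:
    """Keep only the last four digits (what the deck matches on receipts)."""
    d = _digits(pan)
    return "*" * (len(d) - 4) + d[-4:]

def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN: links a refund to its sale
    without keeping the PAN. The key is an assumption of this example."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()

def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return only what policy allows to be stored, PAN rendered unreadable.
    Unknown fields and sensitive authentication data are dropped."""
    stored = {}
    for field, value in record.items():
        policy = STORAGE_POLICY.get(field)
        if policy is None or not policy["storable"]:
            continue
        if policy["unreadable"]:
            stored[field + "_last4"] = truncate_pan(value)
            stored[field + "_ref"] = pan_reference(value, key)
        else:
            stored[field] = value
    return stored

# Constructed sample: a MOTO order as captured at the point of sale.
SAMPLE_ORDER = {
    "pan": "4111 1111 1111 1111",  # public test number, not a real account
    "cardholder_name": "JANE Q PUBLIC",
    "expiration_date": "1219",
    "service_code": "201",
    "cvv2": "123",
    "full_track_data": "<track data as read by the terminal>",
    "pin_block": "<encrypted PIN block>",
}
EXAMPLE_KEY = b"example-key-replace-in-production"  # assumption
```

Calling sanitize_for_storage(SAMPLE_ORDER, EXAMPLE_KEY) yields the name, expiry and service code unchanged, the PAN as "************1111" plus its keyed hash, and nothing from the sensitive authentication data fields.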

Page 21: Payment Card Cashiering for Local Governments 2016

• Acquirer (Merchant Bank): bankcard association member that initiates and maintains relationships with merchants that accept payment cards.

• Hosting Provider: offers various services to merchants and other service providers.

(Diagram of the parties: Card Brand, Acquirer, Hosting Provider, Merchant, Cardholder)

Page 22: Payment Card Cashiering for Local Governments 2016

(Diagram of the roles: Card Brands, PCI SSC, QSA, ASV. Slide notes: maintain standards for PCI; ASVs provide quarterly scans.)

Page 24: Payment Card Cashiering for Local Governments 2016

• Own and manage PCI DSS, including maintenance, revisions, interpretation and distribution
• Define common audit requirements to validate compliance
• Manage the certification process for security assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified assessors and vendors

Presenter
Presentation Notes
What is the PCI Security Standards Council's mission? To maintain and update the Data Security Standard (PCI DSS) and to produce supporting documentation such as audit guidelines. From the PCI Council website: "The PCI Security Standards Council's mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards."
Page 26: Payment Card Cashiering for Local Governments 2016
Presenter
Presentation Notes
This includes organizations that use only paper-based processing, organizations that outsource credit card processing, and organizations that process credit cards in house.
Page 29: Payment Card Cashiering for Local Governments 2016

(Diagram: Incident Evaluation, Safe Harbor, and the cost of a compromise shown as "$$$$$$")

Presenter
Presentation Notes
http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html
Page 32: Payment Card Cashiering for Local Governments 2016

Merchants may be subject to fines by the card associations if deemed non-compliant. For your convenience, fine schedules for Visa and MasterCard are outlined below. (Banks no longer publish fines.)

http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html

Page 35: Payment Card Cashiering for Local Governments 2016

MasterCard merchant levels (Category / Criteria / Requirements / Compliance date)

Level 1
  Criteria:
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant having more than six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Requirements:
  • Annual Onsite Assessment (1)
  • Quarterly Network Scan conducted by an ASV (2)
  Compliance date: 30 June 2012 (3)

Level 2
  Criteria:
  • Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
  Requirements:
  • Annual Self-Assessment (4)
  • Onsite Assessment at Merchant Discretion (4)
  • Quarterly Network Scan conducted by an ASV (2)
  Compliance date: 30 June 2012 (4)

Level 3
  Criteria:
  • Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
  Requirements:
  • Annual Self-Assessment
  • Quarterly Network Scan conducted by an ASV (2)
  Compliance date: 30 June 2005

Level 4
  Criteria:
  • All other merchants (5)
  Requirements:
  • Annual Self-Assessment
  • Quarterly Network Scan conducted by an ASV (2)
  Compliance date: Consult Acquirer

(Numbers in parentheses are the slide's footnote markers; the footnote text is not included in the transcript.)

Page 39: Payment Card Cashiering for Local Governments 2016

(Diagram of the PCI compliance cycle: Assess, Remediate, Report)

Page 50: Payment Card Cashiering for Local Governments 2016

https://www.youtube.com/watch?v=PoQwUT31Lgg

Page 60: Payment Card Cashiering for Local Governments 2016

Front side of card

First, let's look at the front side of a typical credit card. Look at the card shown on the slide. Can you find each of the parts listed below?

• Primary account number (16 digit PAN), clearly shown
• Valid thru date
• Holographic security emblem
• Card logo (Visa)
• Cardholder's name

(Answer labels on the slide: PAN, Valid thru date, Holographic emblem, Card logo)

Page 61: Payment Card Cashiering for Local Governments 2016

Back side of card

Now, look at the back side of a credit card. Can you find each of the parts listed below on the card shown on the slide?

• Signature panel
• A 3 digit security code, also called the CVV2 number
• Magnetic stripe

(Answer labels on the slide: CVV2, Signature Panel, Magnetic Strip)

Page 63: Payment Card Cashiering for Local Governments 2016

Have you ever wondered what is encoded in the magnetic strip?

The magnetic strip contains:

• Cardholder name and address
• Account number
• Expiration date
• Special security information to detect fraudulent cards

Once the card is swiped, this information is electronically relayed to the card issuer, who then uses it to authorize the sale.

Page 67: Payment Card Cashiering for Local Governments 2016

American Express Card

Now that you know the anatomy of Discover, MasterCard and Visa cards, let's explore the American Express card.

The American Express card has the same safety features as Discover, MasterCard and Visa, but a slightly different structure.

The American Express equivalent of the 3 digit CVV2 security code is a 4 digit CID security code, which appears on the face of the card.

(Slide label: CID Code)

Page 68: Payment Card Cashiering for Local Governments 2016

CVV2/CID number

The security number ensures the caller actually has the credit card in hand when making the purchase.

When a customer physically hands you their card and you swipe it in a credit card terminal, you will not need to use the security number. This is because, when the card is swiped through the card reader, the terminal reads and transmits data from the magnetic stripe, which includes the CVV2/CID security code.

(Slide label: CAV2/CVC2/CVV2/CID)

Page 80: Payment Card Cashiering for Local Governments 2016

Check out these 10 rules for credit card security.

Credit Card Security Rules

1. Do not process transactions for other businesses or entities.
2. Don't process cash refunds.
3. Keep the card in the customer's line of sight.
4. Match the signature on the signed receipt to the back of the card, and the last four digits of the PAN (card number).
5. Accept only the major credit cards, or those identified by your department. Honor the customer's choice.
6. Obtain the security code on the back of the card for all telephone sales.
7. Write cardholder information only on designated forms.
8. Store all documents containing cardholder data in a secure locked area.
9. Never send or receive card data through e-messaging.
10. Never share cardholder information outside your work environment.

Some of these rules may not apply to your department. Each department has a different business process, so remember to double check with your supervisor if you have any questions.

Page 81: Payment Card Cashiering for Local Governments 2016

Sorry, I cannot process a credit card and give you cash.

Page 83: Payment Card Cashiering for Local Governments 2016

Refunds must be placed on the card used for the initial purchase.

What if someone does not have their original card? If a customer doesn't have their original card, inform them that a check will be issued for the refund amount.

Internet transactions: It's much simpler for internet transactions, since the cardholder's information and card number are linked to the sale. A refund will be automatically issued based on the original transaction and card used.

Never enter the customer's card information over the phone to issue a refund for an internet transaction.

Page 84: Payment Card Cashiering for Local Governments 2016

Rule 3 applies to any sales situation where a customer hands you a credit card.

Keep the card in the customer's line of sight at all times.

Do this:
• Place the card on the counter as you log into the POS terminal.
• Hold the card up in front of you, or keep it on the counter if you need both hands.

NOT this:
• Place the card below the counter.
• Walk away from your station with the customer's card.
• Place the card in the drawer.
• Place the card behind an object that blocks the customer's view.

Page 85: Payment Card Cashiering for Local Governments 2016

Rule 4 requires you to make sure the signatures match.

Match the signature on the signed receipt to the back of the card.

Check the following items:
• A signature appears on the card.
• The signatures on the card and receipt look similar.
• The signature area on the card is intact and not voided.
• Color markings appear on the signature stripe.

If the signatures do not match, or you have a concern about the authenticity of the card, call your supervisor.

Page 86: Payment Card Cashiering for Local Governments 2016

For magnetic-stripe card transactions, match the name and last four digits of the account number on the card to those printed on the receipt.

Page 90: Payment Card Cashiering for Local Governments 2016

Can I see your ID, please?

Page 92: Payment Card Cashiering for Local Governments 2016

Accept only the credit cards your organization has approved.

Make sure the logos shown on the slide appear on the card. Your department may even limit which of these 4 cards it accepts, so make sure you find out.

Page 93: Payment Card Cashiering for Local Governments 2016

This is your last line of defense for preventing the fraudulent use of a card via internet or phone.

Obtain the security code on the back of the card for all telephone sales.

• When you (the merchant) ask for this number, you are validating that the card is in the physical possession of the cardholder (purchaser).

• If the security number does not match the issuing bank's file, the transaction will be declined and you will receive a message saying the security code does not match.

The CAV2/CVC2/CVV2/CID number should never be written down on any paper document. It can only be entered through a terminal.

Page 94: Payment Card Cashiering for Local Governments 2016

We protect your information!

Page 95: Payment Card Cashiering for Local Governments 2016

This rule pertains mostly to telephone sales but should be kept in mind for all credit card transactions.

Write cardholder data only on designated forms.

• Follow your department's policy for MOTO (Mail/Telephone Order) transactions.

• If MOTOs are allowed in your department, always record the customer's name, phone number, and credit card number on the designated form.

• Once the order has been placed or recorded, all paper documents are securely stored and destroyed when no longer needed.

Page 96: Payment Card Cashiering for Local Governments 2016

This rule applies when cardholder data is received by mail, fax, or phone (any physical copies of the PAN).

Store all documents containing cardholder data in a secure locked area. Place all order forms in a designated restricted area under lock and key. These documents will remain there until they are later destroyed by designated staff.

To secure cash and credit card receipts:

• Organize credit card receipts into a stack.
• Place the receipts inside the cash bag.
• Deliver the bag to the safe or cash room.

Page 98: Payment Card Cashiering for Local Governments 2016

Perform a search for cardholder data (CHD) every 6 months.
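As an added example (not part of the deck), a simple cardholder-data search of the kind the six-monthly check above calls for: it scans text for digit runs that pass the Luhn check and carry a Visa, MasterCard, American Express or Discover prefix, and reports only the line number, brand and last four digits, so that the report itself does not become another copy of the PAN. The sample lines are constructed; the card numbers in them are public test numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every real PAN passes this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_of(digits: str):
    """Leading digits and length of the four brands named in the deck,
    or None if the run cannot be one of those cards."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "American Express"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "MasterCard"
    if n == 16 and (digits.startswith("6011") or digits[:2] == "65"):
        return "Discover"
    return None

def find_chd(text: str) -> list:
    """One finding per likely PAN: line number, brand and last four digits only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            brand = brand_of(digits)
            if brand and luhn_ok(digits):
                findings.append({"line": lineno, "brand": brand,
                                 "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return findings

# Constructed sample of a shared notes file a CHD search might turn up;
# every card number is a public test number, not a real account.
SAMPLE_TEXT = """\
Customer called to confirm order, card 4111 1111 1111 1111 exp 12/19
Invoice 1234567890123456 shipped Tuesday
Call back at 555-867-5309 before 5pm
Amex on file: 3782 822463 10005
Backup card 5555-5555-5555-4444 for the recurring permit fee
"""

if __name__ == "__main__":
    for f in find_chd(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['brand']} ending {f['masked'][-4:]}")
```

The invoice number and the phone number are skipped (wrong prefix or fails Luhn, too short), so the three findings are the Visa, American Express and MasterCard numbers on lines 1, 4 and 5.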

Page 99: Payment Card Cashiering for Local Governments 2016

http://www.youtube.com/watch?v=iC38D5am7go

Page 100: Payment Card Cashiering for Local Governments 2016

Never send card data through e-messaging.

Under no circumstances should cardholder information be sent via any electronic format. This includes all electronic communication such as emails, attachments to emails, text messaging and chat rooms.

Page 101: Payment Card Cashiering for Local Governments 2016

Never share cardholder information outside your work environment.

Never discuss a customer's personal card information outside of work. You can discuss your work with credit cards at a high level, but never mention specifics.

Customers are trusting you with their sensitive account information! Treat their information as if it were your own, including SSNs and other personal information.

Page 105: Payment Card Cashiering for Local Governments 2016

To prevent skimming, you should be on the lookout for:

Page 107: Payment Card Cashiering for Local Governments 2016

https://www.youtube.com/watch?v=njET6_q1hWw
