Credit Card Merchants - PowerPoint PPT Presentation

1 / 30

About This Presentation

Title:

Credit Card Merchants

Description:

All credit card companies in the U.S. have endorsed the Standard. ... on 1/26/07 with SSN's, birthdates and addresses of 1,400 currently enrolled students ... – PowerPoint PPT presentation

Number of Views:84

Avg rating:3.0/5.0

Slides: 31

Provided by: ziel

Category:

more less

Transcript and Presenter's Notes

Title: Credit Card Merchants

1
Welcome

Credit Card Merchants

2
Discussion Topics

PCI-DSS/Twelve Requirements
Credit Card Processing Guidelines
Required by Departments

3
Discussion Topics

Universities are at Risk/Compromises
Accomplishments
PCI Website

4
Discussion Topics

New Goals
Payment Application Best Practices (PABP)
Credit Card Fees

5
Discussion Topics

Omni 3750s
Reconciliation
Graham- Leach- Bliley Act

6
What is PCI-DSS?

Payment Card Industry (PCI)
Data Security Standards (DSS) set up by Visa and
MasterCard. (Visa Handout)
All credit card companies in the U.S. have
endorsed the Standard.
Created so there would be common industry
security requirements.

7
Why follow PCI Standards?

Protect customers against fraud and identity
theft
Mandated by credit card companies If you
accept our credit card, you must follow these
rules
For the Universitys protection to avoid huge
penalties and bad publicity

8
Twelve Requirements

Install and maintain a firewall configuration to
protect cardholder data.
Do not use vendor-supplied defaults for system
passwords and other security parameters.

9
Twelve Requirements

Protect stored cardholder data
a. Keep cardholder data storage to minimum
b. Do not store full track data,
card- validation codes, PIN, expiration date
c. Mask number down to last four digits (keep
merchant copy 18 months)

10
Twelve Requirements

Encrypt transmission of cardholder data across
open, public networks.
Use and regularly update anti-virus software or
programs.
Develop and maintain secure systems and
applications.(testing, documentation, back-up)

11
Twelve Requirements

Restrict access to cardholder data by business
need-to know.
Assign a unique ID to each person with computer
access.
a. Delete old/inactive usersb. Passwords min
6-8 characters, mix of alpha case, numeric, and
symbolsc. Limit repeated access attempts

12
Twelve Requirements

Restrict physical access to cardholder data
a. Visitors access monitored
b. Physically secure all data
c. Cross-cut or incinerate hardcopy
d. Destroy electronic media so cardholder data
cannot be reconstructed

13
Twelve Requirements

Track and monitor all access to network
resources and cardholder data
Regularly test security systems and processes

14
Twelve Requirements

Maintain a policy that addresses information
security for employees and contractors
a. Security policy
b. Usage policies NO WIRELESS
c. Approved products
d. Acknowledgement in writing
e. Background checks/screening

15
Credit Card Processing Guidelines (Handout)

Always changing
Retain merchant copy of receipt for 18 months for
Global
Chuck Perkins replaced Don Cruise
Do not use Right Fax
Technical Questions Call Systems Support at
438-5740

16
Required of Departments

Pre-approval on all software purchases with
credit card capabilities
Signature forms for all new employees
Yearly compliance questionnaire (on web)
Update Business Practices
Let PCI Committee know if anything changes
(procedures staff)

17
Universities Are At Risk

Eastern Illinois University had a desktop
computer stolen on 1/26/07 with SSNs, birthdates
and addresses of 1,400 currently enrolled
students
Northwestern University laptop stolen on 5/20/07
from Financial Aid Office with SSNs of unknown
of students
Northwestern University confidential files
available on-line on 6/1/07
Website www.privacyrights.org/

18
Top Three Vulnerabilities

Storage of Track Data (and other sensitive data)
Missing or Outdated Security Patches
Vendor Supplied Default Settings and Passwords

19
College University Breaches

Highest number of breaches 68 since February
200536 of all breaches reported
Open networks
Many merchants on one campus
Payment processes spread over large geographical
area

20
Compromise/Breach

Suspected or confirmed security breach (credit
card numbers have been compromised)
Contact the eCommerce Committee ASAP
Comptrollers Office will work with department to
determine extent of the breach
Comptrollers Office may need to contact Visa,
Local FBI, and U.S. Secret Service

21
ISUs Accomplishments

PCI Compliant as of August 2007!!
All departments completed questionnaire
Processes changed in some departments
Credit Card numbers removed
Yearly training
Signature forms
PCI Website

22
PCI Website

www.comptroller.ilstu.edu
A-Z listing (PCI Compliance)
PCI Committee Contact Information
University Policy, Procedures Guidelines
PCI Signature Form
Registration for Credit Card Processing
Credit Card Processing Change/Termination Form
Omni Installation Information

23
New Goals

Continue to Improve PCI Websiteecommerce_at_ilstu.ed
u for suggestions
PABP Requirements (Payment Application Best
Practices)
Lower Credit Card Fees
Update Omnis/Inventory of Omnis

24
PABP

Payment Application Best PracticesApplies to
Software vendors
Dont store sensitive data (full magnetic stripe,
CVC2, pin)
Protect stored cardholder data
Provide secure password features
Software vendors must provide PABP Implementation
Guide

25
Lower Credit Card Fees

Premium Credit Cards that offer Rewards
Business Visa/MasterCard
Debit Processed as Credit
Hand enters (Phone or Internet higher than
In-Person Transactions)

26
Omni 3750s

Upgrade to only print last four digits on Summary
Report, Customer Copy and Merchant Copy
Always settle before leaving office
Do Not allow anyone to inspect or remove unless
you know who they are
Clean read heads (CardKleen Item RR1222)
Dont move from one merchant to another

27
Omni Hardware Info