Title: Credit Cards Merchant Information
1. Credit Cards - Merchant Information
- Finance Division Training Workshop
- April 26, 2006
2. Stan Koziol, CPA
Financial Controls Manager
104 Airport Dr, Suite 3200
Campus Box 1270
Chapel Hill, NC 27599-1270
T 919.962.1363
F 919.962.4140
stan_at_unc.edu
http://www.unc.edu/finance/controller/fc/
3. TODAY'S AGENDA
- Merchants at UNC Chapel Hill
- Master Service Agreement
- PCI Data Security Standard
- What's Next?
4. UNC Chapel Hill Environment
- merchant IDs 130 and rising
- Admissions
- Undergraduate
- Graduate
- Professional Schools
- Cashiers
- OneCard
- Various Centers
- Performing Arts
5. INTERESTING MERCHANTS
- Mouse Distribution
- Society of International Limnology ????
6. LIMNOLOGY
- The scientific study of the life and phenomena of fresh water, especially lakes and ponds.
7. TYPES OF PROCESSING
- Point of Sale (POS) Swipe Terminal
- POS Terminal (software)
- Yahoo Storefront
- Proprietary Internet Site
8. CREDIT CARD PROCESSING SERVICE
- State of NC Contract with SunTrust Merchant Services - (First Data Merchant Services)
9. Payment Card Industry Data Security Standard (PCI DSS)
10. Who Made the Rules?
- PCI: Payment Card Industry
- Requirements of Visa and MasterCard
- Effective June, 2005
11. PCI Security Standard
Reference: USA VISA.com
12. Target-Rich Environment
- Universities typically function in a decentralized manner
- University networks contain vast amounts of personal information
- Universities cultivate free exchange of ideas
- Universities are vulnerable to internal attacks from pool of technologically savvy individuals (primarily students)
- Reference: Ambiron TrustWave, Payment Card Information Security for Higher Education
13. Forecast for 2006
- Data Security Breaches: Despite best efforts, there are likely to be more security-related issues affecting credit cards in 2006. While these breaches do not reflect poorly on PCI from a technical or enforcement standpoint, they are likely to continue and result in additional scrutiny of the industry's efforts to secure payment data. Moreover, the media tends to "sex-up" these incidents by labeling any situation that results in the theft or loss of sensitive information, from credit card data to social security numbers, as "identity theft." While assuming someone else's identity is a serious offense and is on the increase in our society, it is a distinctly different crime from breaking into a database of credit card numbers and seeking to profit from that information through fraud. Regardless, data security breaches are going to continue to make headlines.
- Reference: AmbironTrustWave Trusted News
- Reference: Brian Koerner, Identity Theft
14. Compliance Penalties
- Loss or theft of account information
  - A member or the member's service provider, or a merchant or the merchant's service provider must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.
  - If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.
  - If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
  - Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
- Safe Harbor
  - Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:
  - A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
  - A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
  - It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.
- Reference: USA VISA.com
15. PCI Compliance Committee
Joint effort between University Controller's Office and Information Technology Services
16. WHAT'S NEXT?
- Policies and Procedures
- New University Contact
- Training
- Self Assessment
17. SUMMARY
- Wide variety of merchants at UNC Chapel Hill
- Mandated to use the State contract for credit card processing
- Achieving compliance to the PCI Standard is a priority and represents a high risk area
- Announcement of new Policies and Procedures
- Training and Self Assessments will be available
18. The Goal!
19. More Information?
- Visit the Credit Cards - Merchant Information Site, linked from the Controller's Office page.
- http://www.unc.edu/finance/controller/
21. Questions?
22. FRAUD REPORT QUIZ
- True or False
- Most frauds are detected by audits and internal controls.
- FALSE
- Tips
23. SUSPECT FRAUD?
- Contact
- UNC Chapel Hill Internal Audit Department
- Office of the State Auditor Hotline
- (800) 730-TIPS