Credit Cards Merchant Information

1
Credit Cards -Merchant Information

• Finance Division Training Workshop
• April 26, 2006

2
Stan Koziol, CPAFinancial Controls Manager104
Airport Dr, Suite 3200 T
919.962.1363Campus Box 1270
F 919.962.4140Chapel Hill, NC
27599-1270stan_at_unc.edu
http//www.unc.edu/finance/controller/fc/

3
TODAYS AGENDA

• Merchants at UNC Chapel Hill
• Master Service Agreement
• PCI Data Security Standard
• Whats Next?

4
UNC Chapel Hill Environment

• merchant IDs 130 and rising
• Admissions
• Undergraduate
• Graduate
• Professional Schools
• Cashiers
• OneCard
• Various Centers
• Performing Arts

5
INTERESTING MERCHANTS

• Mouse Distribution
• Society of International Limnology ????

6
LIMNOLOGY

• The scientific study of the life and phenomena of
• fresh water, especially lakes and ponds.

7
TYPES OF PROCESSING

• Point of Sale (POS) Swipe Terminal
• POS Terminal (software)
• Yahoo Storefront
• Proprietary Internet Site

8
CREDIT CARD PROCESSING SERVICE

• State of NC Contract with SunTrust Merchant
  Services
• (First Data Merchant Services)

9
Payment Card IndustryData Security Standard (PCI
DSS)
10
Who Made the Rules?

• PCI Payment Card Industry
• Requirements of Visa MasterCard
• Effective June, 2005

11
PCI Security Standard
Reference USA VISA.com
12
Target-Rich Environment

• Universities typically function in a
  decentralized manner
• University networks contain vast amounts of
  personal information
• Universities cultivate free exchange of ideas
• Universities are vulnerable to internal attacks
  from pool of technologically savvy individuals
  (primarily students)
• Reference Ambiron TrustWave, Payment Card
  Information Security for Higher Education

13
Forecast for 2006

• Data Security Breaches Despite best efforts,
  there are likely to be more security-related
  issues affecting credit cards in 2006. While
  these breaches do not reflect poorly on PCI from
  a technical or enforcement standpoint, they are
  likely to continue and result in additional
  scrutiny of the industry's efforts to secure
  payment data. Moreover, the media tends to
  "sex-up" these incidents by labeling any
  situation that results in the theft or loss of
  sensitive information from credit card data to
  social security numbers as "identify theft."
  While assuming someone else's identity is a
  serious offense and is on the increase in our
  society, it is a distinctly different crime from
  breaking into a database of credit card numbers
  and seeking to profit from that information
  through fraud. Regardless, data security breaches
  are going to continue to make headlines.
• Reference AmbironTrustWave Trusted News

Reference Brian Koerner, Identity Theft
14
Compliance Penalties

• Loss or theft of account information
• A member or the member's service provider, or a
  merchant or the merchant's service provider must
  immediately report the suspected or confirmed
  loss or theft of any material or records that
  contain Visa cardholder data.
• If a member knows or suspects a security breach
  with a merchant or service provider, the member
  must take immediate action to investigate the
  incident and limit the exposure of cardholder
  data.
• If a Visa member fails to immediately notify Visa
  USA Fraud Control of the suspected or confirmed
  loss or theft of any Visa transaction
  information, the member will be subject to a
  penalty of 100,000 per incident.
• Members are subject to fines, up to 500,000 per
  incident, for any merchant or service provider
  that is compromised and not compliant at the time
  of the incident.
• Safe Harbor
• Safe harbor provides members protection from Visa
  fines and compliance exposure in the event its
  merchant or service provider experiences a data
  compromise. To attain safe harbor status
• A member, merchant, or service provider must
  maintain full compliance at all times, including
  at the time of breach as demonstrated during a
  forensic investigation.
• A member must demonstrate that prior to the
  compromise their merchant had already met the
  compliance validation requirements, demonstrating
  full compliance.
• It is important to note that the submission of
  compliance validation documentation, in and of
  itself, does not provide the member safe harbor
  status. The entity must have adhered to all the
  requirements at the time of the compromise.

Reference USA VISA.com
15
PCI Compliance Committee
Joint effort between University Controllers
Office and Information Technology Services
16
WHATS NEXT ?

• Policies and Procedures
• New University Contact
• Training
• Self Assessment

17
SUMMARY

• Wide variety of merchants at UNC Chapel Hill
• Mandated to use the State contract for credit
  card processing
• Achieving compliance to the PCI Standard is a
  priority and represents a high risk area
• Announcement of new Policies and Procedures
• Training and Self Assessments will be available

18
The Goal!
19
More Information?

• Visit the
• Credit Cards - Merchant Information Site
• linked from the Controllers Office page.
• http//www.unc.edu/finance/controller/

20
(No Transcript)
21
Questions?
22
FRAUD REPORT QUIZ

• True or False
• Most frauds are detected by audits and internal
  controls.
• FALSE
• Tips

23
SUSPECT FRAUD ?

• Contact
• UNC Chapel Hill Internal Audit Department
• Office of the State Auditor Hotline
• (800) 730-TIPS

24
(No Transcript)