Title: Welcome to the 2nd Annual Campus Merchant Awareness Training Meeting
Agenda
- Introductions
- Merchant Account Basics
- FAQs
- What Have We Learned? In this case, left is always better!
- PCI Compliance Changes
- PCI Compliance Overview
- Resources
Merchant Accounts Updates
- System down? Voice authorization: 1.800.936.2632 (you will need your MID)
- Questions on accounts? DST: 1.800.228.5882 (24/7 service)
  - Statement issues
  - Authorization problems
  - Supplies
- Bursar Support Services
  - Dial Pay
  - Wireless terminal
  - POS terminals
Merchant Accounts Updates
- Account/statement review
  - Review monthly for erroneous charges
  - July vs. zero floor limit fee
  - Analyze yearly for a cost/service assessment
  - Minimum charges on statements
- Visa EIRF 2.30: manually entered cards
  - Plastic bag around the card
  - Clean the terminal
  - Rub the card's magnetic strip
  - Debit PIN pads
Merchant Accounts Updates
- Sales calls
- Bank of America merchant contact
- Upgrading PIN devices
- Fraud control: http://usa.visa.com/merchants/risk_management/index.html
- American Express rate change: all campus 2.05 (consumer card); Discover 1.75
- Staff training resources: many options for front-line staff as well as IT and MRPs
Merchant Accounts Updates
- Phishing alert. The message circulating reads:
  - Bank of America temporarily suspended your account.
  - Reason: Billing failure.
  - We need you to complete an account update so we can unlock your account.
  - To start the update process follow the link below:
  - http://www.secureyouraccountnow.com
  - Once you have completed the process, we will send you an email notifying that your account is available again. After that you can access your account at any time.
  - The information provided will be treated in confidence and stored in our secure database.
  - If you fail to provide required information your account will be automatically deleted from Bank of America database.
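The tells in that message are the ones a front-line check can look for: the link goes to a domain that is not bankofamerica.com, and the wording leans on urgency and a threat ("suspended", "unlock", "will be automatically deleted"). The script below is an added example, not part of the original training deck: it runs those two checks over a sample message reassembled from the slide text. The sender address and the brand-to-domain table are assumptions made for the demonstration.

```python
"""Heuristic phishing check over a constructed sample message (added example).
The sample is reassembled from the slide text; the From: address and the
BRAND_DOMAINS table are assumptions, not data from the original deck."""
import re
from urllib.parse import urlparse

# Domains a legitimate message from each brand would link to (assumption).
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}

# Phrases typical of credential-harvesting lures: urgency, threats, "update now".
LURE_PATTERNS = [
    r"temporarily suspended",
    r"unlock your account",
    r"account will be (automatically )?deleted",
    r"complete an account update",
    r"follow the link below",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+|www\.[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(host: str, allowed) -> bool:
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def analyze(message: str, claimed_brand: str) -> dict:
    """Flag links that leave the claimed brand's domains and lure phrases present."""
    allowed = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    off_brand = sorted({host_of(u) for u in URL_RE.findall(message)
                        if not same_org(host_of(u), allowed)})
    lures = [p for p in LURE_PATTERNS if re.search(p, message, re.IGNORECASE)]
    # Any off-brand link is decisive on its own; lure phrases add weight.
    score = 3 * len(off_brand) + len(lures)
    verdict = "phishing" if score >= 3 else ("review" if score else "clean")
    return {"off_brand_links": off_brand, "lure_phrases": lures,
            "score": score, "verdict": verdict}


# Constructed sample, reassembled from the slide text above (header is assumed).
SAMPLE = """From: Bank of America <alerts@bofa-update.example>
Subject: Bank of America temporarily suspended your account

Reason: Billing failure.
We need you to complete an account update so we can unlock your account.
To start the update process follow the link below:
http://www.secureyouraccountnow.com
Once you have completed the process, we will send you an email notifying that
your account is available again. The information provided will be treated in
confidence and stored in our secure database. If you fail to provide required
information your account will be automatically deleted from Bank of America database.
"""

if __name__ == "__main__":
    print(analyze(SAMPLE, "Bank of America"))
```

The domain check is the one that matters; the phrase list only explains the verdict to the person reading the alert, and a real mail filter would also inspect the From: header and any display-text/href mismatch in HTML mail.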
Frequently Asked Questions
- Service charges?
  - No. Rules vary between Visa and the other card brands (flat fee versus ...). There may be legislation changes.
  - Not adding a service charge encourages prompt payment and a good customer response.
- Establishing a minimum charge amount?
  - Card organizations forbid you from establishing any transaction dollar limits.
More FAQs
- Requiring picture identification: card organizations state that a credit card sale cannot be turned down for lack of picture ID.
- Phone authorization
- Card not signed
- Suspected counterfeit card
- Fax machines, laptops
- MOTO (mail order/telephone order): virtual terminals, Dial Pay
Still More FAQs
- Self-Assessment Questionnaire (SAQ)
  - Annual
  - A great many merchants have completed it
- Security policies/procedures
  - Departmental
  - Campus
- Network configuration
  - Abraham Kuo, UITS Security Operations
What Have We Learned? That in this case, left is always better!
- Merchant compromise
- Paper and fax machines
- SAQ C merchants
- Compliance failures
  - Shopping cart, operating system and other patches
  - Firewall rule review
  - Segmentation / flat networks
- Look for an alternative (move to the left)
- Keep MOTO to Dial Pay or a point-of-sale terminal
Compliance Changes
- New annual third-party assessment
- MasterCard notification of Level 2 merchants
- Report on Compliance (ROC) assessment documentation
- SAQ-specific
- You are not alone; we are right beside you.
- SAQ C training
Questions?

PCI Compliance Requirements and Resources
- Sylvia Johnson, University Information Security Officer
- Kelley Bogart, Senior Information Security Specialist
- October 23, 2009
Agenda
- Role of the Information Security Office
- PCI overview
- InfoSec PCI web page: compliance roadmap
- Payment methods: validation requirements
- Ongoing compliance
InfoSec Role
- Information Security Policy: access to UA data, computers and network is subject to policies and laws.
- PCI compliance is mandated by
  - the contract with Bank of America
  - FRS Policy 8.14
- Information Security Policy: InfoSec will issue guidance to assist units in implementing information security related policies.
What/Who Does PCI Cover?
- PCI security requirements apply to
  - all merchants who store, process or transmit cardholder data
  - all system components in or connected to the cardholder data environment: network components, servers, applications
Digital Dozen

PCI Requirements
- 225 specifics
  - Some technical
  - Some operational
- Consequences
  - Monetary fines
  - Restrictions on merchant processing
  - Loss of privilege
- Merchant Responsible Persons are responsible for ALL of them
http://security.arizona.edu/pci

Payment Methods: Validation Requirements

On-Site Assessment

Report on Compliance

Process Flow Diagram
- A description of how the credit card information moves through the network
- To which systems the data is passed/stored
- Through which network devices the data passes
- Which ports and protocols are used to pass data
- Which encryption algorithms are used, and when
- Which data is stored, where and for how long (PAN, CVV2/CVC2, expiration date, etc.)
- All inbound sources of CHD to the network
- All outbound flows of CHD (e.g., to a payment processor, third parties)
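The diagram is easier to draw, and easier to keep current, if the inventory behind it is written down as data first. The script below is an added example, not material from the original deck: it records each flow and each storage location with exactly the attributes the list above asks for (systems, ports, protocols, encryption, data elements, retention, direction) and runs the checks a reviewer applies before signing off: cardholder data crossing an open network without strong encryption (DSS 4.1), sensitive authentication data such as CVV2 retained after authorization (DSS 3.2), PAN stored readable (DSS 3.4), and PAN kept with no retention period (DSS 3.1). The hosts, ports and flows are constructed for illustration and do not describe any real campus system.

```python
"""Cardholder-data flow inventory with reviewer checks (added example).
All hosts, ports and flows below are constructed; they are not from the deck."""
from dataclasses import dataclass
from typing import List

# Element names as PCI DSS uses them.  Sensitive authentication data must not be
# stored after authorization (DSS 3.2); stored PAN must be unreadable (DSS 3.4).
SENSITIVE_AUTH_DATA = {"CVV2", "CVC2", "CID", "TRACK", "PIN"}
PAN = "PAN"
STRONG_TRANSPORT = {"TLS", "SSH", "IPSEC"}
OPEN_NETWORK_ZONES = {"internet", "wireless"}   # DSS 4.1 applies here


@dataclass
class Flow:
    src: str          # system the data leaves, e.g. "customer-browser"
    dst: str          # system the data reaches
    zone: str         # network crossed: "internet", "wireless", "cde-lan"
    protocol: str
    port: int
    transport: str    # "TLS", "SSH", "IPSEC" or "NONE"
    elements: set     # data elements carried, e.g. {"PAN", "CVV2"}
    direction: str    # "inbound", "internal" or "outbound"


@dataclass
class Store:
    system: str
    elements: set
    at_rest: str      # "AES-256", "HASH", "TRUNCATED" or "NONE"
    retention_days: int = 0   # 0 means no retention period defined


@dataclass
class Finding:
    severity: str
    where: str
    req: str          # PCI DSS requirement number
    detail: str


def check_flow(f: Flow) -> List[Finding]:
    """DSS 4.1: CHD over an open network needs strong transport encryption."""
    carries_chd = bool(f.elements & ({PAN} | SENSITIVE_AUTH_DATA))
    if f.zone in OPEN_NETWORK_ZONES and f.transport not in STRONG_TRANSPORT and carries_chd:
        return [Finding("high", f"{f.src}->{f.dst}:{f.port}", "4.1",
                        f"CHD crosses {f.zone} without strong encryption")]
    return []


def check_store(s: Store) -> List[Finding]:
    """DSS 3.2 / 3.4 / 3.1 checks on one storage location."""
    out = []
    sad = s.elements & SENSITIVE_AUTH_DATA
    if sad:
        out.append(Finding("high", s.system, "3.2",
                           f"stores sensitive authentication data after authorization: {sorted(sad)}"))
    if PAN in s.elements:
        if s.at_rest == "NONE":
            out.append(Finding("high", s.system, "3.4", "PAN stored readable"))
        if s.retention_days <= 0:
            out.append(Finding("medium", s.system, "3.1", "PAN kept with no retention period"))
    return out


def review(flows: List[Flow], stores: List[Store]) -> List[Finding]:
    findings: List[Finding] = []
    for f in flows:
        findings += check_flow(f)
    for s in stores:
        findings += check_store(s)
    return findings


def flow_summary(flows: List[Flow]) -> dict:
    """The inbound / internal / outbound inventory the diagram must show."""
    return {d: [f"{f.src} -> {f.dst} ({f.protocol}/{f.port}, {f.transport})"
                for f in flows if f.direction == d]
            for d in ("inbound", "internal", "outbound")}


# Constructed inventory: a campus web store before remediation.
FLOWS = [
    Flow("customer-browser", "cart.example.edu", "internet", "HTTPS", 443, "TLS",
         {"PAN", "CVV2", "EXP"}, "inbound"),
    Flow("cart.example.edu", "db.example.edu", "cde-lan", "MySQL", 3306, "NONE",
         {"PAN", "EXP"}, "internal"),
    Flow("cart.example.edu", "gateway.processor.example", "internet", "HTTPS", 443, "TLS",
         {"PAN", "CVV2", "EXP"}, "outbound"),
    Flow("cashier-laptop", "cart.example.edu", "wireless", "HTTP", 80, "NONE",
         {"PAN", "EXP"}, "inbound"),
]
STORES = [
    Store("db.example.edu", {"PAN", "EXP", "CVV2"}, "NONE", 0),
    Store("cart.example.edu (logs)", {"EXP"}, "NONE", 30),
]

if __name__ == "__main__":
    for fnd in review(FLOWS, STORES):
        print(f"[{fnd.severity}] {fnd.where}: DSS {fnd.req} - {fnd.detail}")
    print(flow_summary(FLOWS))
```

On this inventory the review reports the wireless cashier laptop posting over plain HTTP, and the database holding CVV2, readable PAN and PAN with no retention period; the internal MySQL hop is not flagged because the LAN is not an open network, though it still belongs on the diagram and inside the segmented CDE. Fixing the store record to drop CVV2, encrypt PAN and set a retention period clears its findings, which is the "move to the left" the earlier slide recommends.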
Continuous Compliance
PCI DSS compliance is much more than a project with a beginning and an end; it's an ongoing process of assessment, remediation and reporting. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.
SAQ A Compliance Timeline

SAQ B Compliance Timeline

SAQ C Compliance Timeline

SAQ D Compliance Timeline
Campus Resources
- Abraham Kuo, UITS: 626.9736
- Kelley Bogart, ISO: 626.8232
- Robbyn Lennon, FSO-Bursars: 621.5781
- Security Metrics: Securitymetrics.com
- BankofAmerica.com/merchantsupport
- https://www.pcisecuritystandards.org/
- Prioritized Approach for DSS 1.2: https://www.pcisecuritystandards.org/education/prioritized.shtml
- PCI Quick Reference Guide: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Questions?