Priceless - PowerPoint PPT Presentation

About This Presentation
Title:

Priceless

Description:

Bank of America Liaison- Melanie Molzahn ... Bank of America. Cybersource. Payment Card Industry Compliant Product. What is a V ... – PowerPoint PPT presentation

Slides: 27
Provided by: lenn

Transcript and Presenter's Notes

Title: Priceless


1
Priceless
  • Education- 85,000
  • Parking Tickets- 350
  • 426 Caramel Macchiatos- 1500.
  • Looking Good- 7000
  • Travel -4800.
  • Finally Graduating Tortilla Toss, Smile and Sigh
    of Relief - Priceless!

2
Welcome
  • Annual
  • Campus Merchant
  • Meeting
  • October 15, 2008

3
Goals of this Meeting
  • Introduce team
  • FRS Policy 8.14 Merchant (Bank Card/Credit Card)
    Acceptance Policy and Procedures
  • Security standards such as Payment Card Industry
    Data Security Standards (PCI-DSS), started in
    2005 to help keep merchants and consumers from
    suffering financial and data loss through
    unprotected systems; continues evolving
  • Remove concerns/questions and replace with
    information/action
  • Introduce you to available resources

4
Team Members
  • FSO-Bursar Department Services staff- Mark
    Barton- Bursar Theresa Couch, Eileen Gerrish,
    Lisa Martinez, and Robbyn Lennon
  • Bank of America Liaison- Melanie Molzahn
  • Information Security Office - Sylvia Johnson and
    Kelley Bogart

5
FSO-Bursars Department Services
  • What we do-
  • Banking and cash handling training
  • Merchant Services, equipment, chargebacks
  • Assist ACH/Wires, deposits, concerns, etc.
  • Services Available-
  • Temporary Use of POS Machines and Dial Pay
  • Banking deposit information and supplies
  • Equipment handling

6
FSO-Bursars Department Services
  • Merchant Options-
  • Equipment based such as Point of Sale Terminals
  • Dial Pay which simply uses the telephone
  • E Commerce Options-
  • Virtual Terminal
  • Web page connections through Hosted Order Page,
    Silent Order API, and API interface.

7
Interesting Campus Merchant Info
  • 184 Campus Merchants
  • 2007 Bankcard Campus Transactions- 1,046,287
  • 2007 Bankcard Campus Volume-150,984,973.37
  • Discover and American Express-
  • Discover lowered the bundled rate to 1.75 for
    consumer cards, 1.4 gift cards, 2.28 corporate
    cards
  • American Express- 2.05-2.15

8
Bank of America Melanie Molzahn -VP Sr. Account
Manager
  • Customer Service/Differentiated Service Team
    (DST)
  • 1.800.228.5882
  • Always need 16 digit MID
  • Typical day to day operation needs- statement
    information, chargebacks, terminal supplies and
    trouble shooting

9
Bank of America
  • Cybersource
  • Payment Card Industry Compliant Product
  • What is a V ?
  • Who can help answer my questions?
  • Extensive Online Library
  • Customer Support team
  • http://www.cybersource.com/help
  • Can I speak with a live person?
  • 1.866.501.7958 6:00am-6:00pm (Pacific Time) M-F

10
Changes for Merchants
  • Retention Schedule of Bank Card Receipts (CC) -
    R.S. Code 234 Six Months after month of
    creation. Visa Regulations require that the
    merchant retain all original documentation for a
    total of 18 months. Due to fiscal year
    differences, you may retain for 24 months.
  • FRS Policy 8.14
  • Merchant Receipt Truncation
  • Annual completion of PCI Questionnaire
  • FSO-Bursar Department Services Expanded
    Information on www.Bursar.arizona.edu
  • FSO-Bursar Department Services Email-
    Merchants_at_fso.arizona.edu

11
FRS Policy 8.14 Merchant Acceptance Policy and
Procedures
  • Goal of Policy 8.14
  • to bring consistency to campus merchants
  • to provide guidance for units and auditors
  • to better assist the departments to maintain and
    meet credit card security standards
  • to provide a proactive campus regulatory
    foundation
  • to create an efficient chain of notification

12
Key Points of FRS Policy 8.14
  • ABOR authority to administer Merchant Banking
  • Details merchant responsibilities
  • Auditor controls
  • Department assigns a Merchant Responsible Person
    (MRP) to comply with PCI-DSS security measures
    for department notification efficiency
  • PCI-DSS Compliance Regulations
  • Mandatory Annual Meeting
  • PCI Questionnaire Completion/Security Metrics
    annual service
  • Security Standards
  • Outlines procedures and provides definitions
  • Located at https://www.fso.arizona.edu/fso/deptman/8/

13
PCI Compliance Resources
  • Sylvia Johnson, University Information Security
    Officer
  • Kelley Bogart, Senior Information Security
    Specialist

14
Agenda
  • InfoSec Role
  • PCI Overview
  • InfoSec PCI Web Page
  • Payment Methods and Validation Requirements
  • Hosted Order Page
  • Compliance Roadmap
  • Resources for Compliance

15
InfoSec Role
  • Information Security Policy: Access to UA data,
    computers and network is subject to policies and
    laws.
  • PCI compliance is mandated by
  • agreement with Bank of America
  • FRS Policy 8.14.
  • Info Security Policy: InfoSec will issue
    guidance to assist units in implementing
    information security related policies.

16
What/Who Does PCI Cover?
  • PCI security requirements apply to
  • all Merchants, Members and Service Providers
    who
  • Store card holder data
  • Process card holder data
  • Transmit card holder data
  • all system components in or connected to the
    cardholder data environment
  • Network components
  • Servers
  • Applications

17
Digital Dozen
18
PCI Requirements
  • Break down into 226 specifics
  • Some are technical
  • Some are operational
  • Merchant Responsible Persons are responsible for
    ALL of them
  • Consequences: Monetary fines and/or restrictions
    on merchant processing!

19
PCI Oversimplified
  • All merchants must achieve and maintain
    compliance at all times
  • Merchants cannot store certain credit card
    information
  • CVV2, CVC2 and CID codes (3- or 4-digit numbers)
  • track data from the magnetic strip
  • PIN data
  • Additional security standards must be met if
    permitted credit card information (name, card
    number and expiration date) is stored

20
InfoSec PCI Web Page: http://security.arizona.edu/pci
21
Payment Methods and Validation Requirements

22
CyberSource Hosted Order Page
23
CyberSource Hosted Order Page
  • Meets the requirements for SAQ A
  • Card-not-present (e-commerce or mail/telephone
    order) transactions only - no face-to-face
    point-of-sale environment
  • Third party handles all storage, processing or
    transmission of cardholder data on your premises
  • Third party is PCI DSS compliant
  • No electronic storage of cardholder data
  • 11 questions
  • Requirement 9: Restrict physical access to
    cardholder data
  • Requirement 12: Maintain an information security
    policy
  • No quarterly scan

24
Compliance Roadmap
  • Identify the payment method and understand
    validation requirements.
  • Understand the technical and operational
    requirements and determine your unit's needs.
  • React immediately and plan for ongoing compliance
    in your unit's budget planning cycles.
  • Implement the technical requirements.
  • Implement the operational requirements.
  • Fill out the Self Assessment Questionnaire.
  • Sign up for scans, if required.
  • Maintain compliance as rules and systems change.

25
Resources for Compliance
  • Annual Awareness Sessions
  • Merchant Responsible Person MUST attend
  • IT Staff recommended
  • Validation
  • Self-Assessment Questionnaire must be submitted
    annually
  • Quarterly scans, if required
  • Collaborate with InfoSec and FSO to assure
    compliance
  • Compliance Action Plan
  • Policies and procedures
  • Training/awareness material
  • Watch for email notices and updates on InfoSec
    website

26
Wrap-Up
  • FSO-Bursar Department Services-
    http://www.bursar.arizona.edu/departments/index.asp
  • Print out Merchant Agreement and return to FSO
    -Bursars Department Services (Robbyn) no later
    than November 3rd, 2008.
  • Monthly updates via listserv
  • PCI-DSS training through University Information
    Security Office to be scheduled.
  • Questions?
  • Email FSO-Bursar Department Services-
    Merchants_at_fso.arizona.edu or
  • Contact Robbyn Lennon 621-5781