PAYMENT CARD ACCEPTANCE POLICIES - PowerPoint PPT Presentation

Slides: 23
Provided by: administra56

Transcript and Presenter's Notes

1
PAYMENT CARD ACCEPTANCE POLICIES
2
Payment Card Industry Data Security Standard (PCI DSS)
  • Developed by Visa/MasterCard and has been adopted by other major payment card companies
  • Extensive set of guidelines that help keep customers' payment card information safe

3
PCI DSS (cont.)
  • Compliance with PCI DSS guidelines is required, regardless of volume or method of acceptance
  • Non-compliance, in the event of data exposure, may result in significant fines for the merchant of $500,000 and up
  • Each unit is responsible for the cost of being compliant and any costs resulting from a breach

4
Types of Payment Cards Accepted
  • Visa
  • MasterCard
  • American Express
  • Discover
  • Debit cards with Visa or MasterCard logo

5
Obtaining Credit Card Data (CHD)
  • Telephone
  • In-Person
  • Written
    - U.S. mail
    - Fax
    - Personal delivery

6
Telephone Transactions
  • Accept only if the person making payment is the cardholder
  • Suggestions:
    - Cardholder faxes a signed letter of approval to the Extension office (make sure there is NO credit card data on this; use only the approval and signature)
    - Enter data directly into the system during the phone conversation. Do not write it down unless absolutely necessary.

7
In-Person
  • Accept payment card only if the person making payment is the cardholder
  • Check photo ID
  • Cardholder (preferred) or employee enters data directly into the online registration system

8
Written Document
  • Received by:
    - U.S. mail
    - Fax
    - Personal delivery
  • Faxed information:
    - Receive only on a machine not networked to the internet
    - Machine cannot be connected to a cable line; a phone line is okay

9
Do Not Use Email
  • Do not request data via email
  • If you receive unsolicited CHD via email:
    - Strongly request that the user not communicate card data this way again
    - Suggest the preferred way(s)
    - Delete the message from your IN box
    - Delete your reply from your SENT box
    - Empty your trash

10
Purging CHD
  • Destroy hardcopy materials ASAP after the data is entered into the system
  • Cross-cut shred, incinerate or pulp so cardholder data cannot be reconstructed
  • Store in a locked file until destroyed

11
Storage of CHD
  • Defined primarily as card number and expiration date
  • Never store on desktop computers or servers
    - E.g. Excel, Word, scanned images of documents
  • Strictly forbidden to store:
    - Track data from the magnetic stripe
    - Card Security Code
  • FYI: storage of only the last 4 digits is not storing
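Slide 9 says card data that arrives by email must be purged, and this slide says that keeping only the last four digits is not storing CHD. The following is an added example, not part of the presentation: defender-side detection that finds Luhn-valid 13 to 19 digit sequences in a constructed email body and truncates them to the last four digits so the message can be kept for follow-up. The function names and the sample text are assumptions; the card numbers are published test PANs.

```python
import re

# Constructed sample input (not from the slides): an unsolicited e-mail body.
# The PANs are well-known test numbers, not real cards.
SAMPLE_EMAIL = (
    "Hi, please charge my Visa 4111 1111 1111 1111 exp 12/26, CVV 123.\n"
    "Call me at 517-355-5023. Order ref 1234567890123.\n"
    "Backup card: 5500-0000-0000-0004 (MasterCard)."
)

# 13 to 19 digits, optionally separated by spaces or hyphens, not adjacent to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects most phone numbers, order ids and typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, which the slide says is 'not storing'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit sequence in text, digits only."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace each detected PAN with its truncated form; other digit runs are left alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE.sub(_sub, text)
```

The pattern deliberately does not touch the expiry date or the three-digit CVV, so a redacted message that still contains those must still be deleted rather than kept.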

12
Reasons Not to Store CHD
  • No need for this information once the payment is processed
  • Avoid other detailed compliance requirements
  • Security risk and cost of a breach:
    - Forensic investigation: $10,000
    - Onsite audit: $20,000
    - Penalties from Visa and MasterCard

13
Encrypt Transmission
  • Do not use wireless
  • Do not use email
  • Do not use networked fax
  • Okay via:
    - US Mail
    - Non-networked fax
    - Over the phone
    - In person

14
Anti-virus
  • Install anti-virus software on all PCs used to access webCredit
  • Ensure that all anti-virus applications, tools, etc. are kept up-to-date

15
Restrict Access
  • Business need-to-know basis only
  • Select one person per office to handle credit card payments
    - CED signature to acknowledge the employee
  • Restrict physical access to PCs and CHD:
    - Lock office
    - Lock down PC (ctrl-alt-del)
    - Lock file cabinets if storing paper
    - Restrict access to fax if applicable

16
Unique ID
  • webCredit:
    - Requires a unique user ID; do not share
    - Strong password rules (8-char, alpha-numeric)
    - Password change at least every 90 days (not the same as the last four used)
    - Lock-out after 3 unsuccessful attempts
  • Managed by unit:
    - Revoke access for terminated users
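An added example (not the presentation's or webCredit's own code) showing how the four password rules on this slide fit together in one account record: minimum length and alphanumeric content, rejection of any of the last four passwords, lock-out after three failed attempts, and expiry after 90 days. The `Account` class, function names and the PBKDF2 storage of history entries are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                   # 8-char, alpha-numeric
MAX_AGE = timedelta(days=90)     # change at least every 90 days
HISTORY_DEPTH = 4                # not the same as the last four used
MAX_FAILURES = 3                 # lock-out after 3 unsuccessful attempts

@dataclass
class Account:
    user: str                                    # unique ID, never shared
    history: list = field(default_factory=list)  # (salt, hash) pairs, newest first
    changed: datetime = datetime.min
    failures: int = 0
    locked: bool = False

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so history entries cannot be reversed or compared with each other.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def meets_rules(password: str) -> bool:
    """At least 8 characters with at least one letter and one digit."""
    return (len(password) >= MIN_LENGTH and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def set_password(acct: Account, new_pw: str, now: datetime) -> str:
    if not meets_rules(new_pw):
        return "rejected: weak"
    for salt, digest in acct.history[:HISTORY_DEPTH]:   # current plus previous three
        if hmac.compare_digest(_hash(new_pw, salt), digest):
            return "rejected: reused"
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _hash(new_pw, salt)))
    acct.changed, acct.failures, acct.locked = now, 0, False
    return "ok"

def login(acct: Account, password: str, now: datetime) -> str:
    if acct.locked or not acct.history:
        return "locked" if acct.locked else "denied"
    salt, digest = acct.history[0]
    if not hmac.compare_digest(_hash(password, salt), digest):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True          # stays locked until the unit resets it
            return "locked"
        return "denied"
    acct.failures = 0                   # a good login clears the failure counter
    return "expired" if now - acct.changed > MAX_AGE else "ok"
```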

17
Written PCI DSS Policy Adherence
  • Unit is required to write its own set of procedures
  • Must address all PCI DSS requirements
  • Must train employees at hire and at least annually
  • Must include procedures to review and update at least annually

18
Additional Staff Responsibilities
  • Awareness Training
  • Payment Card Security Form:
    - Coordinator signature
    - CED signature
  • Background History Check:
    - Required if you have access to more than one card number at a time (e.g. if several are received at once in the mail)

19
Breach Reporting
  • Report suspected exposure or loss of data to the MSU Controller's Office immediately
  • Non-compliance:
    - Significant fines (up to $500,000 per card brand)
    - Each unit is responsible for the cost of being compliant and any costs resulting from a breach

20
Web Sites of Interest
  • Payment Card Industry Security Standards Council
    - https://www.pcisecuritystandards.org/
  • University Policies and Procedures for Units that Accept Payment Cards
    - http://ctlr.msu.edu/COCashiers/Default.aspx
  • Managing Sensitive Data Initiative web site
    - http://lct.msu.edu/security

21
Contact Information
  • Business Office Practices
    - Mary Nelson, Controller's Office
    - 355-5023, ext 150 or nelsonm@ctlr.msu.edu
  • Questions about webCredit
    - 353-4420, ext 311 or webcredit@ais.msu.edu
    - https://www.ais.msu.edu/webcredit_info/webcredit_intro.asp
  • Audit Concerns
    - Steve Kurncz or Mike Chandel
    - 355-5030 or kurncz@msu.edu or chandel@msu.edu

22
Questions?