Training for individuals involved in the processing of merchant card payments (credit card and debit card transactions) on behalf of the campus. Applies to: full and part-time employees, temporaries, consultants, contractors, volunteers. June 1, 2015

Transcript of "Training for individuals involved in the processing of merchant card payments" (30 slides)

Page 1: Title

Training for individuals involved in the processing of merchant card payments (credit card and debit card transactions) on behalf of the campus.

Applies to:
• Full and part-time employees
• Temporaries
• Consultants
• Contractors
• Volunteers

June 1, 2015

Page 2: Training Objectives

• What is PCI-DSS Standards?
• What is PCI Compliance?
• What is Cardholder Data?
• Applicability of PCI DSS
• What’s the Importance of PCI Compliance?
• Twelve Requirements of PCI DSS
• Personal Responsibility
• PCI Data Security Awareness Training
• Best Practices - Dos and Don’ts
• Behind the Scenes
• Card Brands’ Identification Features
• Chip and PIN Technology
• Next Steps

Page 3: What is PCI-DSS Standards?

The Payment Card Industry Data Security Standards (PCI-DSS) are requirements of the merchant card brands (Visa, MasterCard, Discover, American Express, JCB).

PCI-DSS were created on behalf of the brands by the PCI Security Standards Council.

The goal of PCI-DSS is to protect cardholder data.

Page 4: What is Cardholder Data?

Cardholder data to be protected includes:
• Cardholder’s name
• Primary account number (PAN)
• Expiration date (month/year)
• Track data (on the magnetic stripe)
• Security code / Card Verification Value (CVV)
• PIN (debit cards only)

Cardholder data can be in:
• Paper form, or
• Electronic form

Page 5: Applicability of PCI-DSS

PCI-DSS apply to anyone who does any one of the following:
• Stores,
• Processes, or
• Transmits cardholder data

PCI-DSS apply to all forms of payment card acceptance:
• Mail
• Phone
• Fax
• Point-of-sale
• Online (Web)

Page 6: What’s the Importance of PCI Compliance?

As a merchant accepting card payments, the campus must be in compliance with the PCI-DSS standards at all times.

The campus has to periodically attest its compliance to appropriate parties.

The campus’s failure to be compliant can result in:
• Damage to the campus’s reputation and adverse publicity
• Potential fines – up to $1 million per occurrence
• Costs associated with forensic investigations and notifying customers
• Inability for the campus to continue to accept card payments
• Employee disciplinary actions

Page 7: Twelve Requirements of PCI-DSS

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

Although some of the requirements apply to the campus’s IT staff, many of the requirements apply to the campus’s business staff.

Page 8: Personal Responsibility

As an employee, contractor, student, or volunteer who interacts with credit card data, you are the first line of defense against fraud and security breaches.

You are expected to be aware of the campus’s policies and procedures and to be ever vigilant when interacting with payment card data and credit card transactions.

Page 9: PCI Data Security Awareness Training

You are required to complete training and attest to the training:
• Upon hire or initial engagement, and
• Take annual refresher training

Through your continued vigilance and implementation of PCI standards, you assist the campus in being PCI compliant.

Page 10: Best Practices

Adhering to best practices by individuals will assist the campus in being PCI compliant.

The following slides contain practices that should be followed and practices that should be avoided.

Page 11: Credit Card Receipts

• Ensure credit card receipts are stored securely
• Ensure that card receipts are disposed of by shredding in accordance with campus policy

Page 12: Truncate PANs

• Verify that both the campus and customer card receipts only bear truncated versions of the primary account number (PAN)
• Only the last four digits should be displayed

Example: XXXX-XXXX-XXXX-9534

Page 13: Physical Protection of Devices

A new requirement of PCI-DSS (Version 3.0) requires the campus to institute procedures to periodically physically inspect devices for fraudulent skimmers that may be attached to them, and to check for fraudulent substitution by checking the serial numbers of the devices.

Devices include POS terminals, kiosks, and PCs used in processing card transactions.

Training of employees includes:
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
• Inspect POS terminals and devices at the beginning of each shift for tampering

Page 14: Physical Security of Card Media

• Do not leave any paper or electronic card media physically unsecured
• Restrict physical access to areas where cardholder data is handled and stored
• Only allow employees who have a legitimate business need to access cardholder information
• Do not have card receipts or related documents on display to the general public
• Visitors in areas where cardholder data is stored must be identified and escorted, with a visitor’s log being maintained

Page 15: Email Containing PANs

• Do not send any unencrypted emails containing the full primary account number (PAN). The truncated last four digits are okay to send.
• Do not process a payment based on information received by email.
• Should you receive an email containing a PAN:
  • Delete the email immediately
  • Do not print or forward the email
  • Notify the customer that you are unable to process the payment
• These restrictions also apply to instant messaging and chats
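As an added example (not part of the training deck), here is a Python check of the kind a mail or document filter could run to support the rules on Page 12 and Page 15: it finds full PANs in text using the Luhn check, leaves already-truncated references and look-alike numbers alone, and renders a PAN in the XXXX-XXXX-XXXX-9534 receipt format. The sample message and the card number in it are constructed (a commonly published test number, not a real account).

```python
import re

# Candidate PAN: 13 to 19 digits with optional single space/dash separators,
# not glued to other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message. 4111 1111 1111 1111 is a commonly published
# Visa test number, not a real account; the order and phone numbers are
# constructed filler that must not be flagged.
SAMPLE_EMAIL = (
    "Please charge my card 4111 1111 1111 1111, exp 03/27. "
    "Last time you had XXXX-XXXX-XXXX-1111 on file. "
    "Order 1234 5678 9012 3456, call 919-555-0100."
)

def luhn_valid(digits):
    """Luhn mod-10 check, the check-digit scheme card PANs use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits_only(s):
    return re.sub(r"[ -]", "", s)

def find_full_pans(text):
    """Digit strings of every Luhn-valid full PAN in text. A truncated
    reference such as XXXX-XXXX-XXXX-9534 has too few digits to match."""
    return [_digits_only(m.group(0)) for m in _PAN_CANDIDATE.finditer(text)
            if luhn_valid(_digits_only(m.group(0)))]

def truncate_pan(pan):
    """Receipt format from the training: only the last four digits shown."""
    digits = _digits_only(pan)
    masked = "X" * (len(digits) - 4) + digits[-4:]
    groups = []    # group in fours from the right so the visible digits
    while masked:  # always form the last group, whatever the PAN length
        groups.insert(0, masked[-4:])
        masked = masked[:-4]
    return "-".join(groups)

def redact_full_pans(text):
    """Replace each full PAN with its truncated form; return (text, count)."""
    count = 0
    def _sub(m):
        nonlocal count
        digits = _digits_only(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # e.g. an order number: left untouched
        count += 1
        return truncate_pan(digits)
    return _PAN_CANDIDATE.sub(_sub, text), count
```

Run against SAMPLE_EMAIL, only the full test card number is flagged and redacted; the truncated reference, the 16-digit order number (which fails Luhn) and the phone number pass through unchanged.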

Page 16: Two Types of Account Data

There are two types of Account Data:
• Cardholder Data
• Sensitive Authentication Data

Note that the data elements designated as sensitive authentication data can never be stored by the campus.

Page 17: Security ID Codes

• Each of the card brands assigns a unique security code to each card issued
• For Amex, it is a four-digit number located on the front of the card
• For all other brands, it is a three-digit number located on the back
• The code is referred to by different names and may be called the card verification value or ID (CVV, CVV2, CID)
• The Security ID Code is considered “sensitive authentication data”
• Never write down, store, or email the security ID code
• The code is a fraud tool to prove the customer is in physical possession of the card. Keeping a record of the code defeats the purpose of the code.
• If provided to you, the number is only to be retained until the authorization has been approved by the card processor
• The potential fine levied by Visa for storing sensitive authentication data after authorization, such as CVV or PIN (in the case of a debit card), is $50,000

Page 18: Passwords

• Adhere to the campus’s policy regarding the creation of strong passwords and the frequent changing of passwords
• Do not write down passwords for others to find, or share your password
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Ensure that vendor default passwords are changed before a system goes live

Page 19: Social Engineering

Social Engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.

Adhere to the campus’s security procedures pertaining to the use of computers, responding to emails, and visiting inappropriate websites.

Examples of social engineering include:
• Phishing – Emails appearing to be from a known person or organization asking for confidential information
• Shoulder surfing – Individuals looking over your shoulder to observe confidential information
• Tailgating – Individuals seeking entry to a restricted area
• Dumpster Diving – Individuals looking for confidential information in your trash (e.g., sticky note with password, discarded reports, etc.)
• Remote access – Individuals seeking to control your computer remotely

Page 20: Service Providers

The campus may use third-party service providers to facilitate the processing of merchant cards.

Campus management assumes the role of verifying that these providers are PCI compliant.

Should you become aware that one of these service providers is not adhering to one of the PCI requirements, you should notify management.

• Service providers include the merchant card processor, as well as any gateway that processes online payments

Page 21: Payment Applications

The campus may use various payment applications to process card-present transactions, as well as mail orders and telephone orders (MOTO). Examples include POS software and Virtual Terminals.

Campus management assumes the role of verifying these applications are PCI compliant (validated) before purchasing.

• You must also follow the vendor’s implementation guide when using these applications in order to maintain the PCI compliance status:
  • Do not use the default password
  • Do not deactivate anti-virus protection
  • All updates must be applied timely

Page 22: Security Incident Reporting

The campus has a security incident reporting plan.

Your role in this plan may vary, but will include:
• Notify your supervisor immediately of any suspected or real security breach or of stolen cardholder data
• Document any information you know while waiting for a response to the incident, including date, time, and the nature of the incident

• In the case of a network environment:
  • Do not access or alter compromised systems
  • Do not turn the compromised machine off
  • Isolate compromised systems from the network
  • Preserve logs and electronic evidence
  • Log all actions taken

All incident reporting by the campus management is to be conducted through the Office of State Controller, not directly to any card brand.

Page 23: Behind the Scenes

Various departments and staff within the campus have certain responsibilities pertaining to PCI compliance, in addition to you as an individual.

Examples:
• IT staff is involved with firewall management, encryption, penetration testing, vulnerability scanning, log management, antivirus software updates, etc.
• The business office staff is involved in monitoring service providers’ PCI compliance, ensuring that all POS software acquired is PCI compliant, completing self-assessment questionnaires, etc.

The campus utilizes a PCI Qualified Security Assessor (QSA) firm, known as Coalfire, to assist in its PCI compliance efforts.

Page 24: Card Brands’ Identification Features

In addition to PCI-DSS requirements, each card brand has certain card identification and fraud detection features which you should be aware of.

Examples include:
• Uniqueness of the brand’s 4-digit Bank Identification Number (BIN)
• Location of the brand’s security code (card ID number): Visa, MC, and Discover are 3-digit on the back; Amex is 4-digit on the front
• Location of the card’s expiration date
• Number to call for a suspicious card (Code 10 authorization)

The following four slides depict each brand’s features.

Pages 25–28: Card brand identification features (image-only slides, one per brand; no text captured in this transcript)

Page 29: Chip and PIN Technology

The campus may be acquiring new POS terminals that incorporate new security features – Chip & PIN (aka EMV).

The new technology involves processing cards that bear an embedded chip instead of a magnetic stripe.

The POS terminals will be able to process the new Chip and PIN cards as well as the old magnetic stripe cards.

The POS terminals may be stand-alone, or they may have a reader device that is attached to the swipe POS terminal.

Page 30: Next Steps

You have completed the first step of your PCI Security Awareness Training.

The second step is to complete a quiz to test your understanding of this training module. You must score a grade of 80 percent or better to pass.

The third step is to obtain and read the campus’s PCI Data Security Policy for Business Users. You may be provided additional procedures that are specific to your job duties (e.g., telephone orders, POS terminals, online orders, etc.).

The fourth step is to obtain the certificate of completion of training:
• Indicating you have passed the quiz
• Acknowledging your receipt of the campus’s PCI Data Security Policy

This training is good for one calendar year after you pass the quiz.