Presentation Transcript

1. e-Learning ModuleCredit/Debit Payment Card Acceptance and Security

   OBFS-Treasury Operations-Merchant Card Services February 26, 2011 Instructor and Moderator, Rebecca Kornegay
2. Welcome
3. Introduction University of Illinois departments accepts and processes thousands of credit or debit card payment sales daily. Departments are required to comply with payment card industry data security standards (PCI DSS) of Visa, MasterCard, American Express, and Discover to secure cardholder information at all times.
4. Why Are We Doing This? University students, parents, and customers trust that their card information will be protected at the University of Illinois. To protect the University from a card security breach and monetary fines.
5. What Will You Learn? Anatomy of a Payment Card Required Guidelines as Best Practices for Handling Payment Card Information Payment Card Security
6. Anatomy of a Payment Card Credit/Debit Card –Data Embossed Front Bank Card Brand Verification Number (American Express Only) Account Number Expiration Date Bank Card Logo Cardholder Name
7. Anatomy of a Credit/Debit Payment Card Credit/Debit Card –Data Imprinted Back Magnetic Stripe Signature Panel ‘ Security Code (Visa, MasterCard, Discover)
8. Payment Card Acceptance and Processing Payment card transactions must be accepted using one of the following methods and technologies, Methods Face to Face (card present) Mail, Telephone or Fax (card NOT present) University-approved internet application (card NOT present) Technologies Terminal Point-of-Sale (POS) system e-Commerce
9. Secure Methods Mail or Telephone Orders (MOTO) Fax Phone Mail
10. Not Secure Methods Instant Messaging or Chat Wireless Devices Staff entering a cardholder’s card information into computer or a website from their workstation computer. PDA Device
11. Email Not A Secure Method If a customer sends their card information via email, Delete the email from your inbox and deleted box, then send a message of response. If you reply to the original email, remove the card information before sending the message. Send a response that the card information is not accepted via email and provide alternative methods for sending their card information by fax, mail, phone, etc.
12. Card Present Transactions Accepting a payment card from face-to-face
13. Card Present Transactions If You Handle Card Present Transactions, The payment card must be swiped through the terminal or POS system card magnetic stripe reader. Do not keep any card information after the transaction has been authorized. Keep the payment card within the customer’s view and shield from the view of others.
14. Card NOT Present Transaction The physical payment card is not provided for processing. Requires manual entry of the card number into a processing technology.
15. Card NOT Present Transaction In addition to manually entering the Cardholder Account Number, for card NOT present transactions you must enter, Expiration Date, 02/14 Card Billing Address Street Number, 3775 ZIP code, 61821 Verification Number (front of AMEX Card) Security Code, CVS, CVV2, CID (Visa, MasterCard, & Discover Cards)
16. Card NOT Present Transaction Sensitive Security Authentication Data, must NEVER be stored after the transaction authorized. Security Code and Verification Number PIN Numbers Expiration Date Payment Card Full Magnetic Stripe Data
17. Card NOT Present Transaction By Phone Payment Card Data Acceptance Requirements Phone
18. Card NOT Present Transaction By Phone Payment Card Data Acceptance Requirements Phone
19. Card NOT Present Transaction By FAX Payment Card Data Acceptance Requirements Fax
20. Card NOT Present Transaction By FAX Payment Card Data Acceptance Requirements Treat a fax the same way as you would treat cash $100 Bills
21. Card NOT Present Transaction By Mail Payment Card Data Acceptance Requirements Mail $100 Bills
22. Card NOT Present TransactionBy Paper Based Forms Payment Card Data Acceptance Requirements Paper Based Forms
23. Card NOT Present TransactionBy Paper Based Forms If paper records containing card account numbers, Remove all but the last four digits to be rendered unreadable by blackening the numbers with china marker grease pencil or with character replacements of *, #, X.
24. Card NOT Present TransactionBy Paper Based Forms Designing Order, Registration, or Invoice Forms Form area capturing card information must be, Placed at bottom of form Remove card information After processing payment, cut or tear form bottom to be shredded Printed receipts or invoices distributed outside the unit must show only the last four digits of account number.
25. Card NOT Present TransactionBy Paper Based Forms If paper records containing card account numbers, Disposing of Paper Based Forms
26. Accessing and Storing Payment Card Information Required Procedures for Accessing Card Information Limit access to documents and reports Never share logins and/ or passwords with others, including coworkers.
27. Accessing and Storing Payment Card Information Required Procedures for Storing Card Information Databases, spreadsheets and other electronic systems must ONLY store the last four digits of the card account number. NEVER store the card expiration date, verification number, or security code in ANY electronic spreadsheet, database or system.
28. Accessing and Storing Payment Card Information Required Procedures for Storing Card Information Store all materials containing cardholder account information in a secure and restricted area.
29. Payment Card Transactions Delayed Processing Best practice is to process payment card information immediately for the transaction to be authorized. If a delay is required, Do not store the card information in electronic format. Card information must be kept secure and with restricted access until the payment is processed for authorization.
30. Payment Card Transactions Delayed Processing Secure the paper form containing payment card information following the same guidelines used for securing cash transactions. Treat delayed processing paper containing card information as if it were cash.
31. Security ReminderPhishing Securing Payment Card Information Be aware of phishing methods that attempt to trick you into providing card data for malicious purposes. Never provide a customer’s payment card information to anyone. Merchant Card Services and the University’s bank processor, Global Payments, will never contact a department to request for you to provide card information.
32. What Happens if Payment Card Information is Lost or Stolen? Stolen card data might be used to make counterfeit cards. Can be sold for illegal purposes, such as facilitating identity theft. An expensive forensic investigation may result. The University will be fined for the breach and other associated costs, such as the forensic investigation.
33. Payment Card Security Breach Consequences The consequences of a security breach, A forensic investigation will determine the amount of data lost and how the loss occurred. All fines, monetary penalties, and other associated costs related to the breach are paid by the department merchant that experienced the breach. Increased processing restrictions or loss of processing privileges for the department.
34. Payment Card Security Breach Consequences Breach in security could result in, Significant monetary fines to the University. Potential loss of reputation and trust from students, parents, and customers. The entire University could lose the privilege to accept and process credit/debit cards due to a department’s payment card security breach.
35. Thank you! Questions, contact Rebecca Kornegay at University of Illinois Merchant Card Services Office, by PHONE: 217-244-9384 or E-MAIL: kornegay@uillionois.edu