PCI Compliance Training University of Nevada, Reno


PCI Compliance Training University of Nevada, Reno Presented by The Controller’s Office

PCI Compliance In 2008, UNR reached an e-commerce transaction volume threshold requiring the university to follow the Payment Card Industry Data Security Standards (PCI-DSS). In response to this requirement, UNR has developed an information security policy related to credit card processing by university departments. This training will provide you with an overview of the policies and procedures you must follow in order to continue to receive payments via credit card.

What is PCI Compliance? The PCI-DSS Program is a mandated set of security standards created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands. The PCI-DSS requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The requirements apply to all methods of credit card processing; the most comprehensive and demanding of them apply to e-commerce websites and retail POS systems that process credit cards over the Internet.

PCI Compliance – Policy Roles and Responsibilities All employees, contractors, vendors and third parties that use, maintain or handle UNR information assets must follow this policy. The following university positions and departments have responsibilities related to the development, monitoring and enforcement of this policy. Chief Information and Chief Security Officers - The Chief Information Officer, Steve Zink, is responsible for coordinating and overseeing UNR’s compliance regarding the confidentiality, integrity and security of its information assets. The Chief Security Officer, Jeff Springer, works closely with the Chief Information Officer and other UNR managers and staff involved in securing the university’s information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed.

PCI Compliance – Policy Roles and Responsibilities Network Security Department - The Network Security Department works with department system managers, administrators and users to develop security policies, standards and procedures to help protect the assets of UNR. IT Critical Systems Group - UNR IT Critical Systems Group is the direct link between information security policies and the network, systems and data. Human Resources - The Human Resources Department will, when requested by the department, perform background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information.

PCI Compliance – Policy Roles and Responsibilities University Departments – Departments are responsible for ensuring that reference checks are done on all classified and professional employees hired. Departments will request that Human Resources conduct background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information. Departments will enter termination information into the Employee Separation Notification form on the HR website, which generates an email to the notification group that notifies Computing and Telecommunications when any employee is terminated. This will result in the employee’s access being terminated for all university PCI systems.

PCI Compliance – Policy Roles and Responsibilities BCN Purchasing Department – The Purchasing Department will ensure third parties, with whom cardholder data is shared, are contractually required to adhere to the PCI-DSS requirements and to acknowledge they are responsible for the security of the cardholder data which they process. Controller’s Office – The Controller’s Office will verify that all employees responsible for processing credit card payments attend a security awareness training upon hire and at least annually. If training is not completed, then the department’s merchant number will be deactivated.

PCI Compliance – Policy Roles and Responsibilities Each user of UNR computing and information resources must realize the fundamental importance of information resources and recognize their responsibility for safekeeping those resources. The following are specific responsibilities of all UNR information system users: Understand what the consequences of their actions are with regard to computing security practices and act accordingly. Embrace the “Security is everyone’s responsibility” philosophy to assist UNR in meeting its business goals. Maintain awareness of the contents of the information security policies. Employees must read and sign the UNR Security Awareness and Acceptable Use Policy and accept the Campus Use Agreement during the NetID activation process and annually thereafter. All users must accept the Campus Use Agreement during the NetID activation process.

PCI Compliance – Data Access General Access All confidential or sensitive data must be protected via access controls to ensure that data is not improperly disclosed, modified, deleted or rendered unavailable. Employees will only be authorized to view information based on what is required to perform their job.

PCI Compliance – Data Access Data Access Request Process-PCI Network As part of the PCI compliance process at UNR a separate PCI network has been established to process credit card transactions for certain campus software applications such as the WolfCard and the bookstore. Employees needing access to this network will be required to complete an additional security application and have a separate login and password. Shared or group user IDs are never permitted for user-level access. Every user must use a unique user ID and a personal secret password for access to UNR information systems and networks.

Credit Card Processing Methods of accepting credit card numbers Departments may receive credit card numbers by phone, fax or mail. After the authorization for the charge is received, the credit card number must be shredded or, if retained, it must be kept in a locked, secure location and shredded after 120 days. Only employees with a business need to know should have access to the stored receipts. Credit card numbers may not be received via email, because email is not a secure transmission method. If an email is received, do not process the payment. Respond to the sender that the payment cannot be processed through an email request. Make sure the credit card number does not appear in your response. Immediately delete the original email containing the credit card number.

Credit Card Processing Methods of processing credit card transactions: Using credit card terminals that are connected to the bank via an analog phone line or an IP connection. A website hosted by the university where the credit card payment is made via a third party processor, such as Authorize.net. A website hosted by a third party. Manual credit card machines that make an imprint of the credit card are not allowed. Credit card terminals used off campus for special events must be connected via an analog phone line to be PCI compliant. Departments are not allowed to enter a credit card number using a UNR computer unless the computer is dedicated for this purpose only and has been set up by Network Security in the PCI network.

Credit Card Processing PCI rules and procedures apply to university pcards and transactions between departments. University pcard numbers may not be stored in any electronic format, but may be stored on a hard copy which is kept in a locked, secure location. NRS 597.945 prohibits a business from printing more than the last 5 digits of a credit card number on any copy of the receipt. All departments should have been contacted by Wells Fargo Bank in December 2009 or January 2010 to modify existing or replace existing credit card terminals so that they meet this requirement.
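As an added illustration of the two rules above (a card number that arrives by email must not be echoed in the reply, and NRS 597.945 allows no more than the last 5 digits on a receipt), the Python below is not part of the original UNR training deck: it scans a constructed email body for a card number, masks it to the last 5 digits, and checks that a reply contains no full number. The Luhn check and the sample text are assumptions made for the example.

```python
import re

# Constructed sample email body (not from the original deck). The card
# number is a well-known test value, not a real account.
SAMPLE_EMAIL = (
    "Hi, please charge my registration fee to my card 4111 1111 1111 1111, "
    "exp 12/26. Thanks!"
)

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return normalized digit strings in text that look like card numbers."""
    return [
        _normalize(m.group(0))
        for m in _CANDIDATE.finditer(text)
        if luhn_ok(_normalize(m.group(0)))
    ]


def mask_pan(digits: str, keep_last: int = 5) -> str:
    """Mask all but the last keep_last digits (NRS 597.945: at most 5)."""
    if keep_last > 5:
        raise ValueError("receipts may print no more than the last 5 digits")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact(text: str) -> str:
    """Replace every detected card number in text with its masked form."""
    def _sub(m):
        digits = _normalize(m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


def reply_is_safe(reply: str) -> bool:
    """True if a reply to the sender contains no full card number."""
    return not find_pans(reply)


if __name__ == "__main__":
    print(find_pans(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
    print(reply_is_safe(redact(SAMPLE_EMAIL)))
```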

Incident Response Plan and Procedures Incident Identification Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to: Theft, damage, or unauthorized access (e.g., unauthorized logins, papers missing from their desk, broken locks, missing log files, an alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry). Fraud – inaccurate information within databases, logs, files or paper records.

Incident Response Plan and Procedures Incident Identification (continued) Abnormal system behavior (e.g., unscheduled system reboot, unexpected messages, abnormal errors in system log files or on terminals). Security event notifications (e.g., file integrity alerts, intrusion detection alarms, and physical security alarms). All employees, regardless of job responsibilities, should be aware of the potential incident identifiers and who to notify in these situations.

Incident Response Plan and Procedures With the exception of the steps outlined below, it is imperative that any investigative or corrective action be taken only by Network Security Department personnel, to assure the integrity of the incident investigation and recovery process. When faced with a potential situation you should do the following: If the incident involves a compromised computer system, do not alter the state of the computer system. The computer system should remain on and all currently running computer programs left as is. Do not shut down or restart the computer.

Incident Response Plan and Procedures Immediately disconnect the computer from the network by removing the network cable from the back of the computer. Document any information you know while waiting for the Network Security Department to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.

Incident Response Plan and Procedures Reporting and Incident Declaration Procedures The Network Security Department should be notified immediately of any suspected or real security incidents involving UNR computing assets. If it is unclear as to whether a situation should be considered a security incident, the Network Security Department should be contacted to evaluate the situation. No one should communicate with anyone outside of their supervisor(s) or the Network Security Department about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Network Security Department to the Vice President for Information Technology who will notify the President’s Office.

Data Retention Policies Retention Requirements Cardholder data for all transactions should be kept for 120 days. This applies to all cardholder data retained in any kind of format. Cardholder data utilized for recurring transactions may be retained for the lifetime of the customer’s account with UNR. Once a customer’s account is disabled or terminated, all the cardholder data for that account must be purged within 120 days of the termination using an approved destruction method. Cardholder “authorization data”, including track, CVV2, and PIN information, may be retained only until completion of the authorization of a transaction. After authorization, the data must be deleted according to an approved disposal process described in the following section. Storage of cardholder authentication data post-authorization is forbidden.

Data Retention Policies Hardcopy and Electronic Media Confidential or sensitive information, including credit card information, must never be copied onto removable media without authorization from the Network Security Department. At no time are hardcopy or electronic media containing confidential or sensitive information to be removed from any UNR secure office environment. The credit card number may not be kept in any electronic format, including Excel spreadsheets or USB thumb drives. All hardcopy documents containing credit card information currently in on- or off-campus storage that are older than 3 years should be shredded. At the end of each of the next 3 years the oldest year’s documents should be shredded, so that at the end of the 3-year period all credit card documents will be retained for a period of 120 days only.

Data Disposal Policy Hardcopies (paper receipts, paper reports, and faxes): should be cross-cut shredded, incinerated, or pulped. A record must be maintained that indicates the records disposed of and the date of disposal. Before computer or communications equipment can be sent to a vendor for trade-in, servicing or disposal, all confidential or sensitive information must be destroyed or removed according to the approved methods in this policy. Outsourced destruction of media containing confidential or sensitive information must use a bonded Disposal Vendor that provides a “Certificate of Destruction”. If your department is involved in an audit, investigation, or litigation all destruction of records in your custody must cease. When you are notified that the audit, investigation or litigation is ended or resolved you may destroy documents according to this policy.

PCI Compliance - Inventory A Media Inventory Log (Appendix D) is to be kept in all secure media (hardcopy and electronic) storage locations. Electronic Media - All stored electronic media containing confidential or sensitive information must be inventoried at least annually by the Network Security Department. At this time, the security controls on the storage mechanism will be checked. Upon completion of the inventory the log will be updated. Hardcopy Media - All stored hardcopy media containing PCI data must be inventoried at least annually by the Campus Department and the Media Inventory Logs must be submitted to the Controller’s Office who will verify that all the required logs have been completed. The Controller’s Office will submit the forms to Campus Auditors. At this time, the Campus Auditors will check security controls on the storage mechanism and review and approve the log.

PCI Compliance - Summary All departments and department employees that accept payment via credit card must be aware of and follow the University’s information security policy and must attend training on the policy annually. Credit card data is confidential data and access to this data should be limited and granted only on a business need to know basis. This access should be terminated whenever an employee changes job duties or terminates employment. Before a web application may be established to accept credit card payments, the department must obtain approval in writing from the Network Security Department – Jeff Springer 784-8247 (jeffs@unr.edu) and Rhonda Dome at 784-4297 or Renee Reed at 784-3573.

PCI Compliance - Summary Credit card data is sensitive and confidential and should only be retained as required for business purposes and must be deleted after 120 days. Credit card data may not be kept in any electronic format unless the format and method of storage has prior approval from the UNR Network Security Department. When credit card data is no longer needed or after 120 days, whichever comes first, the data must be deleted using an approved method such as sanitizing, incinerating, pulverizing or shredding. The Network Security Department can provide assistance with data destruction if needed.

PCI Compliance - Summary Before computer or communications equipment can be sent to a vendor for trade-in, servicing or disposal, all confidential or sensitive information must be destroyed or removed according to approved removal methods. If your department is involved in an audit, investigation, or litigation all destruction of records in your custody must cease. When you are notified that the audit, investigation or litigation is ended or resolved you may destroy documents according to this policy.

Contacts
Philomena McCaffrey, Email: philomenam@unr.edu, Phone: 784-4176
Rhonda Dome, Email: rhondad@unr.edu, Phone: 784-4297
Renee Reed, Email: rmreed@unr.edu, Phone: 784-3573