Published by Everett Harmon, modified over 9 years ago
Slide 1: PCI and how it affects College Stores…
Robin Mayo | PCIP, Ecommerce Manager, East Carolina University
Slide 2: Agenda
- What is PCI
- Accepting Payment Cards
- Securing and Segmenting
- Device Tampering
- Other PCI requirements
- What NOT to do
- What’s New
- Q&A
Slide 3: PCI – Payment Card Industry
- Set of policies and standards created by the card brands to ensure the security of payment card data
- Merchants must adhere to PCI requirements and remain compliant, or merchant status can be revoked
- Fines – up to $500,000 per card brand, plus all fraud losses, the cost of re-issuing cards, and consumer fraud monitoring expenses
Slide 4: Accepting payment cards
Prior to contracting with any vendor for software, hardware or services that involve credit/debit card payments, you should work with your campus to:
- verify the vendor is PCI compliant
- verify the software is PA-DSS compliant
- verify the hardware is PCI compliant and compatible with your acquirer
- document in your contract which requirements you and/or the vendor will be responsible for (PCI Req 12.8.5)
- secure and segment the workstation/register – this includes networked printers used by your PCI workstations/registers
Slide 5: Securing and Segmenting
- Workstations, registers, computers, etc. that process, store or transmit cardholder data should be segmented from the rest of your network, within your campus’ PCI firewall
- Designated PCI workstations should:
  - have only one purpose: the software that processes transactions; all other software/functionality should be removed from the workstation
  - not have email or instant messaging
  - not have internet access except what is needed to process transactions
  - only be able to print to local printers (connected directly to the workstation) or to a networked printer that is also segmented within your PCI firewall
- Servers associated with your workstations/software should also be segmented
- Remote access to your PCI-designated servers or workstations must use two-factor authentication
Slide 6: Segmenting and Scope Example
[Network diagram; labels: Registers, On campus servers, Firewall, Internet – approved IPs only, PCI Firewall, Printers]
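As an added example, not taken from the presentation, the script below shows what the slide 5 segmentation rules look like when checked against traffic rather than stated as policy: it reads constructed firewall log lines from a PCI register and flags connections that use email, messaging or general-web ports, go to destinations outside the approved processor and PCI-segment ranges, or use an unexpected port even to an approved destination. The log format, the IP ranges and the port lists are assumptions made for illustration, not real processor or campus values.

```python
import ipaddress
from dataclasses import dataclass

# Approved destinations for a segmented PCI register. Constructed example ranges
# (documentation/private space), not real processor or campus addresses.
APPROVED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/28"),  # assumed payment processor range
    ipaddress.ip_network("10.20.30.0/24"),   # assumed PCI-segmented printer/server VLAN
]
APPROVED_PORTS = {443, 9100}  # HTTPS to the processor, raw print to the segmented printer

# Ports whose use from a register indicates email, messaging or general web browsing,
# none of which a designated PCI workstation should have.
DISALLOWED_SERVICE_PORTS = {
    25: "SMTP (email)", 587: "SMTP submission (email)", 143: "IMAP (email)",
    993: "IMAPS (email)", 110: "POP3 (email)", 80: "HTTP (general web)",
    5222: "XMPP (instant messaging)",
}

# Constructed sample log in an assumed key=value format; the register is 10.20.31.5.
SAMPLE_LOG = """\
2015-03-02T09:01:12 src=10.20.31.5 dst=203.0.113.7 dport=443 action=allow
2015-03-02T09:02:40 src=10.20.31.5 dst=10.20.30.20 dport=9100 action=allow
2015-03-02T09:05:03 src=10.20.31.5 dst=198.51.100.25 dport=587 action=allow
2015-03-02T09:06:11 src=10.20.31.5 dst=93.184.216.34 dport=80 action=allow
2015-03-02T09:07:55 src=10.20.31.5 dst=10.20.30.20 dport=22 action=allow
malformed line that should be skipped
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line; return None if it does not fit."""
    parts = line.split()
    if not parts:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return {
            "timestamp": parts[0],
            "src": fields["src"],
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def classify(rec):
    """Return a reason string if the connection violates the segmentation policy, else None."""
    if rec["dport"] in DISALLOWED_SERVICE_PORTS:
        return "disallowed service: " + DISALLOWED_SERVICE_PORTS[rec["dport"]]
    if not any(rec["dst"] in net for net in APPROVED_NETWORKS):
        return "destination outside approved networks"
    if rec["dport"] not in APPROVED_PORTS:
        return "unexpected port to approved destination"
    return None


def scan_log(text):
    """Run every parseable line through the policy and collect the violations."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["timestamp"], rec["src"], str(rec["dst"]),
                                    rec["dport"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the sample log, the script reports the email submission on port 587, the general web request on port 80, and the SSH-style connection on port 22 to an otherwise approved host; the processor and printer connections pass. Checking the port before the destination means an email client talking to a mail server that happens to sit inside an approved range is still flagged.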
Slide 7: Device Tampering
- Train staff to inspect devices daily, or at the beginning of their shift, for tampering
- The inspection should include:
  - verifying the device is in the appropriate location
  - make/model are correct
  - colors, labels, etc. are the same as usual
  - stickers and labels on the device have not been compromised
  - looking for scratches or marks on the device
  - cords/cables connected to the device are the same color/type as usual
- Also inspect the general vicinity for any unusual electronic devices, cameras or new displays
Slides 8 and 9: Device Tampering - examples
Examples are drawn from the PCI SSC skimming prevention guide for merchants:
https://www.pcisecuritystandards.org/documents/Skimming%20Prevention%20BP%20for%20Merchants%20Sept2014.pdf
Slide 10: Other important PCI requirements
- Training – employees and volunteers who process transactions or handle cardholder information must be trained upon hire and annually
- Criminal background checks – should be completed for all staff who can access more than one card number at a time or can impact the security of your cardholder data environment (for others it is a good practice but not required)
- Terminated employees – immediately revoke physical and electronic access for employees who leave under bad circumstances, are suspended or are under investigation; employees who leave on good terms should have their access revoked within a reasonable time frame
- Sensitive areas – control access to sensitive areas and limit access to as few employees as possible
- Passwords – should be a minimum of 7 characters and include both alphabetic and numeric characters
Slide 11: It is a good habit NOT to…
- …email cardholder data
- …allow faxes with cardholder data to a copier/fax on the network (only analog fax machines are acceptable under PCI)
- …store full card numbers electronically
- …store full card numbers (hard copies) after processing unless you have a documented business need
- …process any payments or allow others to submit transactions on computers in your department unless it has been approved and those computers have been secured for PCI
- …process transactions on mobile/wireless devices (Wi-Fi is NOT always secure)
- …surplus/trash old credit card terminals/devices – your campus should have a method to have these destroyed securely
First and last 4 digits are safe to store, electronically and in hard copy
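As an added example that is not part of the slides, the script below shows a simple detection for the first items on this list: it scans text such as an outgoing email or a file for card-number candidates, applies the Luhn check that the card brands use to reduce false positives on order or tracking numbers, and masks everything except the first and last four digits, the portion the slide says is safe to store. The sample email text is constructed, and the card numbers in it are the publicly known brand test numbers, not real cards.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not immediately preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first and last four digits (the slide's safe-to-store portion), mask the rest."""
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def _digits_of(match_text):
    return re.sub(r"[ -]", "", match_text)


def find_pans(text):
    """Return (matched_text, digits) for every Luhn-valid card-number candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.group(0), digits))
    return hits


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def repl(m):
        digits = _digits_of(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample: an email a store employee might draft. The Visa and Amex
# numbers are the brands' published test numbers; the "ref number" is a 16-digit
# value that fails Luhn and so must not be flagged.
SAMPLE_EMAIL = """Subject: refund for order 98231
Please refund card 4111 1111 1111 1111 (exp 03/17) for the textbook return.
Ref number 1234567890123456 is our internal tracking id, not a card.
Call me at (252)737-4729 if you have questions.
Amex on file: 378282246310005"""


if __name__ == "__main__":
    for raw, digits in find_pans(SAMPLE_EMAIL):
        print(f"cardholder data found: {raw!r} -> stored form {mask_pan(digits)}")
    print(redact(SAMPLE_EMAIL))
```

On the sample, the Visa and Amex numbers are reported and rewritten as 4111********1111 and 3782*******0005, while the tracking number and the phone number are left untouched. The same functions can sit in a mail-gateway or file-share scan; the point of the Luhn filter is that a plain "16 digits" rule would quarantine every long order or tracking number a store handles.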
Slide 12: What’s changing…
New requirements:
- PCI DSS v3.1 – effective April 2015
- EMV chip cards – Oct 2015
- Contactless (NFC) – Apple Pay
- P2PE – Point-to-Point Encryption
Slide 13: Questions???
Slide 14: Thank you
Robin Mayo
mayoro@ecu.edu
(252) 737-4729