Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI and how it affects College Stores… ROBIN MAYO | PCIP ECOMMERCE MANAGER EAST CAROLINA UNIVERISTY.

Published byEverett Harmon Modified over 9 years ago

Similar presentations

Presentation on theme: "PCI and how it affects College Stores… ROBIN MAYO | PCIP ECOMMERCE MANAGER EAST CAROLINA UNIVERISTY."— Presentation transcript:

1 PCI and how it affects College Stores… ROBIN MAYO | PCIP ECOMMERCE MANAGER EAST CAROLINA UNIVERISTY

2 Agenda  What is PCI  Accepting Payment Cards  Securing and Segmenting  Device Tampering  Other PCI requirements  What NOT to do  What’s New  Q&A

3 PCI – Payment Card Industry  Set of policies and standards created by card brands to ensure the security of payment card data  Merchants must adhere to PCI requirements and remain compliant or merchant status can be revoked  Fines – up to $500,000 per card brand, all fraud losses, cost of re-issuing cards, consumer fraud monitoring expenses

4 Accepting payment cards  Prior to contracting with any vendor for software, hardware or services that involves credit/debit card payments, you should work with your campus to:  verify the vendor is PCI compliant  verify the software is PA-DSS compliant  verify the hardware is PCI compliant and compatible with your acquirer  document in your contract which requirements you and/or the vendor will be responsible (PCI Req 12.8.5)  secure and segment workstation/register – this includes networked printers utilized by your PCI workstations/registers

5 Securing and Segmenting  Workstations, registers, computers, etc. that process, store or transmit cardholder data should be segmented from the rest of your network within your campus’ PCI firewall  Designated PCI workstations should:  Only have one purpose – software that processes transactions  all other software/functionality should be removed from workstation  Not have email or instant messaging  Not have internet access except for that needed to process transactions  Should only be able to print to local printers (connected directly to workstation) or to a networked printer that is also segmented within your PCI firewall  Servers associated with your workstations/software should also be segmented  Remote access to your PCI designated servers or workstations must utilize 2 factor authentication

6 Segmenting and Scope Example Registers On campus servers Firewall Internet – approved IPs only PCI Firewall Printers

7 Device Tampering  Train staff to inspect devices daily or at the beginning of their shift for tampering  Inspection should include the following:  Verifying device is in the appropriate location  Make/model are correct  Colors, labels, etc. are the same as usual  Verify stickers and labels on devices have not been compromised  Look for scratches or marks on device  Cords/cables connected to device are the same color/type as usual  Also inspect the general vicinity to look for any unusual electronic devices, cameras or new displays

8 Device Tampering - examples https://www.pcisecuritystandards.org/documents/Skimming%20Prevention%20BP%20for%20Merchants%20Sept2014.pdf

9 Device Tampering - examples https://www.pcisecuritystandards.org/documents/Skimming%20Prevention%20BP%20for%20Merchants%20Sept2014.pdf

10 Other important PCI requirements  Training – employees and volunteers who process transactions or handle card holder information must be trained upon hire and annually  Criminal Background checks – should be completed for all staff who can access more than one card number at a time or impact the security of your cardholder data environment (for others it is a good practice but not required)  Terminated employees – immediately revoke physical and electronic access for employees who leave under bad circumstances, are suspended or under investigation; employees who leave under good terms should have their access revoked within a reasonable time frame  Sensitive areas – you should control access to sensitive areas and limit access to as few employees as possible  Passwords – should be a minimum of 7 characters and include alpha and numerical

11 It is a good habit NOT to …  …Email cardholder data  …Allow faxes with cardholder data to a copier/fax on network (analog fax machines only PCI)  …Store full card numbers electronically  ….Store full card numbers(hard copies) after processing unless you have a documented business need  …Process any payments or allow others to submit transactions on computers in your department unless it has been approved and those computers have been secured for PCI  …Process transactions on mobile/wireless devices (Wi-Fi is NOT always secure)  …Surplus/trash old credit card terminals/devices – your campus should have a method to have these destroyed securely First & Last 4 digits are safe to store electronically and hard copy

12 What’s changing…  New requirements PCI DSS v 3.1 - effective April 2015  EMV chip cards – Oct 2015  Contactless (NFC) – Apple Pay  P2PE – Point to Point Encryption

13 Questions???

14 Thank you Robin Mayo mayoro@ecu.edu (252)737-4729

Download ppt "PCI and how it affects College Stores… ROBIN MAYO | PCIP ECOMMERCE MANAGER EAST CAROLINA UNIVERISTY."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,

Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,
JPMorgan Chase Purchasing Card Training

JPMorgan Chase Purchasing Card Training
October 28, 2013. Who? What? When? Why? Comply with PCI compliance policies set forth by industry Create internal policies and procedures to protect.

October 28, Who? What? When? Why? Comply with PCI compliance policies set forth by industry Create internal policies and procedures to protect.
Mobile Payment Security The Good, the Bad and the Ugly

Mobile Payment Security The Good, the Bad and the Ugly
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.

Merchant Card Processing (PCI Compliance for Supervisors) Sponsored by UW-Platteville’s Financial Services and The Office of Information Security.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?

C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?
Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.

Payment Card PCI DSS Compliance SAQ-D Training Accounts Receivable Services, Controller’s Office 7/1/2012.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

Similar presentations

Ads by Google