e-Learning Module Credit/Debit Payment Card Acceptance and Security


1 e-Learning Module Credit/Debit Payment Card Acceptance and Security
OBFS-Treasury Operations-Merchant Card Services February 26, 2011 Instructor and Moderator, Rebecca Kornegay

2 Welcome
-Welcome to the e-Learning Module on credit/debit payment card acceptance and security.
-I’m……Name
-The lessons will provide immediate awareness of how to securely accept and process credit/debit card payments for the sale of departmental goods and services.
-Let’s get started!

3 Introduction
University of Illinois departments accept and process thousands of credit or debit card payment sales daily. Departments are required to comply with the payment card industry data security standards (PCI DSS) of Visa, MasterCard, American Express, and Discover to secure cardholder information at all times.
-University of Illinois departments accept and process thousands of credit or debit card transactions daily for the sale of goods/services.
-Each department accepting payment cards must comply with the payment card data security standards (PCI DSS) set by the Payment Card Industry Security Standards Council (PCI SSC) to secure cardholder information at all times.

4 Why Are We Doing This?
University students, parents, and customers trust that their card information will be protected at the University of Illinois. To protect the University from a card security breach and monetary fines.
-The University of Illinois has an obligation to safeguard payment card information.
-As a University employee who handles payment cards by accepting, processing, transmitting, or accessing them, you are responsible for protecting and securing card information at all times.
-Payment card data should be treated as carefully as any other confidential information, because students, parents, clients, patrons, patients, and customers trust that their payment card information will be protected at the University of Illinois.

5 What Will You Learn?
Anatomy of a Payment Card
Required Guidelines as Best Practices for Handling Payment Card Information
Payment Card Security
-In this presentation you will learn the best practices to follow when a credit/debit card is presented in person (a card present transaction),
-or when the card is not physically provided (a card NOT present transaction) and the customer gives their card information by phone, mail, or fax to be processed as a transaction.
-Departments that follow the required best practice guidelines protect the University from potential payment card fraud and from processing mistakes that make the institution vulnerable to security breaches.
-This e-Learning Module (training) provides you valuable information regarding:
Anatomy of a Credit/Debit Payment Card
  Data embossed and imprinted on the payment card
Required Guidelines as Best Practices for Handling Payment Card Information
  Payment Card Present In-Person (card present transaction)
  Payment Card Not Present (card NOT physically present transaction)
  Accessing and Storing Card Information
  Delayed Payment Processing
Payment Card Information Security
-At the end of the training, you will have the knowledge and awareness to secure payment card information at all times.

6 Anatomy of a Payment Card
Credit/Debit Card – Data Embossed Front
Card front diagram labels: Bank Card Brand, Verification Number (American Express Only), Account Number, Expiration Date, Bank Card Logo, Cardholder Name
Data on the front of the payment card includes:
-Account Number
-Cardholder Name
-Expiration Date
-Verification Number (American Express)
-Bank Card Logo-Hologram: Visa, MasterCard, Discover, American Express
Verification Number: The Verification Number (located on the front of American Express cards) must be manually entered for a Card Not Present transaction.

7 Anatomy of a Credit/Debit Payment Card
Credit/Debit Card – Data Imprinted Back
Data on the back of the payment card includes:
-Magnetic Stripe
-Signature Panel
-Security Code (Visa, MasterCard, Discover)
Magnetic Stripe: The payment card magnetic stripe is read during a Card Present transaction. The magnetic stripe contains the Account Number, Cardholder Name, and Expiration Date, but does not contain the verification number or security code.
Security Code: The Security Code (located on the back of Visa, MasterCard, and Discover cards) must be manually entered for a Card Not Present transaction.
Personal Identification Number (PIN): The PIN is a special code which is not stored on the payment card or within the magnetic stripe. A PIN must be entered by the cardholder during a Card Present Debit transaction.

8 Payment Card Acceptance and Processing
Payment card transactions must be accepted using one of the following methods and technologies.
Payment Card Process
-Payment card processing can be broken down into two general methods using three kinds of technologies.
Technologies:
1. Terminal
2. Point-of-Sale (POS) system
3. e-Commerce
Methods (payment card transactions must be accepted using one of the following):
CARD PRESENT
-Face-to-face
CARD NOT PRESENT
-Mail or fax form, or telephone
-University-approved Internet application (e-Commerce)
-Payment card transactions can be presented in person, via telephone, mail, secure restricted-use fax, or through secure University-approved internet applications.
-Regardless of the method or technology used, the customer trusts that his/her payment card data will be kept safe by the unit accepting it.

9 Mail or Telephone Orders (MOTO)
Secure Methods: Phone, Mail, Fax
-Phone, mail, and stand-alone fax machines (in a restricted area of immediate access to receive fax documents containing card information) are the only secure methods for accepting payment card information to process a sale/transaction.

10 Not Secure Methods
Email, Instant Messaging or Chat, Wireless Devices, PDA Device
-Do NOT send or accept payment card information via email, wireless devices, PDAs, instant messaging, or chat applications.
-Also not secure: staff entering a cardholder’s card information into a computer or a website from their workstation computer.

11 Email Not A Secure Method
If a customer sends their card information via email:
-Delete the email from your inbox and deleted box.
-Send a response that card information is not accepted via email, and give the customer a list of alternative methods for sending their card information (fax, mail, phone, etc.).
-If you reply to the original email, make sure you remove any card information before sending the message.

12 Card Present Transactions
Accepting a payment card face-to-face
If you handle card present transactions:
-The transactions are face-to-face: the customer physically presents the actual payment card for a transaction, and
-the magnetic stripe on the back of the card is swiped at the magnetic stripe reader of a terminal or point-of-sale (POS) system.

13 Card Present Transactions
If you handle card present transactions:
-The payment card must be swiped through the terminal or POS system card magnetic stripe reader.
-Debit card transactions require the customer to enter their own Personal Identification Number (PIN), which is a private code that is not stored on the payment card or within the magnetic stripe.
-Ask the customer to enter their own PIN, and never ask a customer for their private PIN.
-Do not keep any card information after the transaction authorization has been completed.
-Follow the prompts given by the terminal.
-Keep the payment card within the customer’s view and shielded from the view of others.
-When in doubt, treat the payment card like a stack of $100 bills.

14 Card NOT Present Transaction
The physical payment card is not provided for processing. Requires manual entry of the card number into a processing technology.
If you handle card not present transactions:
-In a card not present transaction, the payment card information is MANUALLY entered by the merchant department for an order received by mail, telephone, or fax, or by the customer, who enters their own card information at an e-commerce (Internet) site.

15 Card NOT Present Transaction
In addition to manually entering the Cardholder Account Number, for card NOT present transactions you must enter:
-Expiration Date, 02/14
-Card Billing Address: Street Number, 3775; ZIP code, 61821
-Verification Number (front of AMEX card)
-Security Code, CVS, CVV2, CID (Visa, MasterCard, & Discover cards)
If you handle card not present transactions:
-In addition to manually entering the Cardholder Account Number, for card NOT present transactions you must enter the Expiration Date, the card’s billing address (street number, 2125, and ZIP code, 61821), and the Verification Number or Security Code.

16 Card NOT Present Transaction
Sensitive Security Authentication Data must NEVER be stored after the transaction is authorized:
-Security Code and Verification Number
-PIN Numbers
-Expiration Date
-Payment Card Full Magnetic Stripe Data
-Sensitive Security Authentication Data on paper based forms (payment card security code and verification number, PIN numbers, or full magnetic stripe data) must NEVER be stored after the transaction authorization is completed, even if this data is encrypted.

17 Card NOT Present Transaction By Phone
Payment Card Data Acceptance Requirements: Phone
-Accepting payment card information via a telephone transaction is allowed.

18 Card NOT Present Transaction By Phone
Payment Card Data Acceptance Requirements: Phone
-If any card information is written down when processing the transaction, that information must be shredded once the transaction has been completed for authorization.
-NEVER enter card information into an electronic document to process the payment later (discussed later; see Delayed Payment Processing).

19 Card NOT Present Transaction By FAX
Payment Card Data Acceptance Requirements: Fax
-Most PC-based fax software does not provide a secure repository for storing incoming faxes.
Note: Digital senders, such as the RightFax system, are not a secure fax and should not be used for transmitting payment card information.
-Therefore the best method to accept card information is by a standalone fax machine in a controlled, restricted-access location.

20 Card NOT Present Transaction By FAX
Payment Card Data Acceptance Requirements
-Treat a fax the same way as you would treat cash.
(Graphic: stack of $100 bills = fax machine)

21 Card NOT Present Transaction By Mail
Payment Card Data Acceptance Requirements: Mail
-Customers are allowed to mail documents that capture card information to the department.
-Do not retain the full card Account Number, Expiration Date, Verification Number, or Security Code on the mailed form after the transaction has been authorized.
-Treat a FAX the same way as you would treat cash.
(Graphic: stack of $100 bills = fax machine)

22 Card NOT Present Transaction By Paper Based Forms
Payment Card Data Acceptance Requirements: Paper Based Forms
Required Procedures for Paper Containing Sensitive Card Information
-All printed customer receipts and/or invoices that are distributed outside the unit must show only the last four digits of the account number.
-The card account number, expiration date, card security code or verification number, and ZIP code must be rendered unreadable
-and never retained or kept on the form or on copies of the form.

23 Card NOT Present Transaction By Paper Based Forms
-If paper records containing card account numbers are stored, render all but the last four digits unreadable:
-Blacken the numbers with a china marker (grease pencil),
-OR replace them with the characters *, #, or X.

24 Card NOT Present Transaction By Paper Based Forms
Designing Order, Registration, or Invoice Forms
The form area capturing card information must be:
-Placed at the bottom of the form, for ease of removing the card information from the form for shredding.
-After processing the payment, cut or tear off the bottom of the form that includes the card information so it can be shredded after the transaction authorization.
-All printed customer receipts and/or invoices that are distributed outside the unit must show only the last four digits of the account number.

25 Card NOT Present Transaction By Paper Based Forms
Disposing of Paper Based Forms
-Card information on paper must be rendered unreadable prior to disposal. (Roll graphics.)
-If not, the disposed paper will be as valuable as cash in the trash.
-After the payment has been processed, the form or the bottom of the form that captures the card data can be cut or torn off to be shredded.
-Discarded paper forms containing payment card information must always be shredded (e.g. by cross-cut shredding).

26 Accessing and Storing Payment Card Information
Required Procedures for Accessing Card Information
-Limit access to sales drafts, reports, or other documents (paper or electronic) containing cardholder data to only those employees who need access to the data on a need-to-know basis for their job responsibility.
-Never share logins and/or passwords with others, including coworkers.

27 Accessing and Storing Payment Card Information
Required Procedures for Storing Card Information
-Databases, spreadsheets and other electronic systems must ONLY store the last four digits of the card account number.
-NEVER store the card expiration date, verification number, or security code in ANY electronic spreadsheet, database or system.

28 Accessing and Storing Payment Card Information
Required Procedures for Storing Card Information
-Store all materials containing cardholder account information in a secure and restricted area, such as a locked cabinet, safe, or other secure storage mechanism.

29 Payment Card Transactions Delayed Processing
-Best practice is to process payment card information immediately for the transaction to be authorized.
-If a delay is required:
-Do not store the card information in electronic format.
-Card information must be kept secure and with restricted access until the payment is processed for authorization.

30 Payment Card Transactions Delayed Processing
-Secure the paper form containing payment card information following the same guidelines used for securing cash transactions.
-Treat delayed processing paper containing card information as if it were cash.

31 Security Reminder Phishing
Securing Payment Card Information
-Be aware of phishing methods that attempt to trick you into providing card data for malicious purposes.
-Never provide a customer’s payment card information to anyone.
-Merchant Card Services and the University’s bank processor, Global Payments, will never contact a department to request that you provide card information, such as the customer’s FULL Account Number, Expiration Date, Verification Number, or Security Code.

32 What Happens if Payment Card Information is Lost or Stolen?
-Stolen card data might be used to make counterfeit cards.
-It can be sold for illegal purposes, such as facilitating identity theft.
-An expensive forensic investigation may result.
-The University will be fined for the breach and other associated costs, such as the forensic investigation.
Stolen payment card data might be used to make counterfeit cards or sold for illegal purposes, such as facilitating identity theft.
• An expensive forensic investigation must be performed to determine how the breach occurred and how much data has been lost.
• The University department will be fined for the breach and other associated costs, such as the forensic investigation.

33 Payment Card Security Breach Consequences
The consequences of a security breach:
-A forensic investigation will determine the amount of data lost and how the loss occurred.
-All fines, monetary penalties, and other associated costs related to the breach are paid by the department merchant that experienced the breach.
-Increased processing restrictions or loss of processing privileges for the department.
-If payment card information is not protected, stolen cardholder data can be used to make counterfeit cards or sold for illegal purposes, such as identity theft.
-If a unit experiences a breach or compromise of any payment information or related data, the unit must report the event immediately to Merchant Card Services and notify its respective campus Information Security office.

34 Payment Card Security Breach Consequences
A breach in security could result in:
-Significant monetary fines to the University.
-Potential loss of reputation and trust from students, parents, and customers.
-The entire University could lose the privilege to accept and process credit/debit cards due to a department’s payment card security breach.

Processing payment cards can present challenges and risks. Therefore, we must carefully analyze merchant operations to minimize the risk of a breach in security and loss of cardholder data.

At the University of Illinois, there are hundreds of merchants who process thousands of payment card transactions daily. Each merchant is responsible for protecting the payment card data that they process. A breach of cardholder data from one merchant department can affect all University merchant departments and their ability to process payment card transactions. Therefore, it is extremely important to secure cardholder data at all times.

The consequences of a breach in security are significant in terms of monetary fines to the University, the tremendous loss of reputation and trust from customers, as well as potentially losing the ability to process payment card transactions.

35 Thank you! Questions, contact Rebecca Kornegay at University of Illinois Merchant Card Services Office, by PHONE: or

