Payment Card Cashiering for Local Governments 2016

Post on 09-Feb-2017


While processing credit cards you will be exposed to a lot of sensitive information.

This training will show you how to handle credit card information in a safe and secure manner.

Albert Gonzalez, 28

With accomplices, he was involved in most of the major data breaches of the period: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.

Customers trust that we will keep their account information safe from crooks like these.

[Chart: number of incidents per year]

1. Securing the IT environment
2. Managing and retaining data
3. Managing IT risk and compliance
4. Ensuring privacy
6. Managing system implementations
7. Preventing and responding to computer fraud
10. Managing vendors and service providers

Source: http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TopTechnologyInitiatives/Pages/2013TTI.aspx

The items shown in orange text on the slide are all PCI related.

https://www.youtube.com/watch?v=1boEXDVkKjU

Data Element                       Storage Permitted   Protection Required   PCI DSS 3.4

Cardholder Data
  Primary Account Number (PAN)     Yes                 Yes                   Yes
  Cardholder Name                  Yes                 Yes                   No
  Service Code                     Yes                 Yes                   No
  Expiration Date                  Yes                 Yes                   No

Sensitive Authentication Data
  Full Magnetic Stripe Data        No                  N/A                   N/A
  CVC2 / CVV2 / CID / CAV2         No                  N/A                   N/A
  PIN / PIN Block                  No                  N/A                   N/A

• Acquirer (Merchant Bank): a bankcard association member that initiates and maintains relationships with merchants that accept payment cards.

• Hosting Provider: offers various services to merchants and other service providers.

[Slide diagram: payment card participants: Card Brand, Acquirer, Hosting Provider, Merchant, Cardholder]

[Slide diagram: Card Brands, PCI SSC, QSA, ASV; labels "Maintain standards for PCI" and "to provide quarterly scans"]

PCI SSC responsibilities:

• Own and manage PCI DSS, including maintenance, revisions, interpretation and distribution
• Define common audit requirements to validate compliance
• Manage the certification process for security assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified assessors and vendors

Presentation Notes: What is the PCI Security Standards Council's mission? To maintain and update the Data Security Standard (PCI DSS) and to produce supporting documentation such as audit guidelines. From the PCI Council website: "The PCI Security Standards Council’s mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards."

Presentation Notes: This includes organizations that only use paper-based processing, organizations that outsource their credit card processing, and organizations that process credit cards in house.

Incident Evaluation

Safe Harbor

Fines ($$$)

Presentation Notes: http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html

Merchants may be subject to fines by the card associations if deemed non-compliant. For your convenience, fine schedules for Visa and MasterCard are outlined below. (Banks no longer publish fines.)

http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html

Category / Criteria / Requirements / Compliance date

Level 1
Criteria:
• Any merchant that has suffered a hack or an attack that resulted in an account data compromise
• Any merchant having more than six million total combined MasterCard and Maestro transactions annually
• Any merchant meeting the Level 1 criteria of Visa
• Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
Requirements:
• Annual Onsite Assessment [1]
• Quarterly Network Scan conducted by an ASV [2]
Compliance date: 30 June 2012 [3]

Level 2
Criteria:
• Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
• Any merchant meeting the Level 2 criteria of Visa
Requirements:
• Annual Self-Assessment [4]
• Onsite Assessment at Merchant Discretion [4]
• Quarterly Network Scan conducted by an ASV [2]
Compliance date: 30 June 2012 [4]

Level 3
Criteria:
• Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
• Any merchant meeting the Level 3 criteria of Visa
Requirements:
• Annual Self-Assessment
• Quarterly Network Scan conducted by an ASV [2]
Compliance date: 30 June 2005

Level 4
Criteria:
• All other merchants [5]
Requirements:
• Annual Self-Assessment
• Quarterly Network Scan conducted by an ASV [2]
Compliance date: Consult Acquirer

(Footnote markers [1] to [5] refer to notes on the original slide that are not reproduced in this transcript.)

The PCI compliance cycle: Assess, Remediate, Report.

https://www.youtube.com/watch?v=PoQwUT31Lgg

Front side of card

First, let's look at the front side of a typical credit card. Look at the above card. Can you find each of the parts listed below?

• Clearly visible primary account number (16 digit PAN)
• Valid thru date
• Holographic security emblem
• Card logo (Visa)
• Cardholder's name

Answers: PAN, valid thru date, holographic emblem, card logo.

Back side of card

Now, look at the back side of a credit card. Can you find each of the parts listed below on the above card?

• Signature panel
• A 3 digit security code, also called the CVV2 number
• Magnetic stripe

Answers: CVV2, signature panel, magnetic stripe.

Have you ever wondered what is encoded in the magnetic stripe?

The magnetic stripe contains:

• Cardholder name and address
• Account number
• Expiration date
• Special security information to detect fraudulent cards

Once the card is swiped, this information is electronically relayed to the card issuer, who then uses it to authorize the sale.

Now that you know the anatomy of Discover, MasterCard, and Visa cards, let's explore the American Express card.

CID Code

The American Express card has the same safety features as Discover, MasterCard and Visa, but a slightly different structure.

American Express's equivalent to the 3 digit CVV2 security code is a 4 digit CID security code, which appears on the face of the card.

American Express Card

CVV2/CID number

The security number ensures the caller actually has the credit card in hand when making the purchase.

When a customer physically hands you their card and you swipe it in a credit card terminal, you will not need to use the security number. This is because when the card is swiped through the card reader, the terminal reads and transmits data from the magnetic stripe, which includes the CVV2/CID security code.

CAV2/CVC2/CVV2/CID

Check out these 10 rules for credit card security.

Credit Card Security Rules

1. Do not process transactions for other businesses or entities.
2. Don’t process cash refunds.
3. Keep the card in the customer’s line of sight.
4. Match signatures on the signed receipt to the back of the card and the last four digits of the PAN (card number).
5. Accept only the major credit cards, or those identified by your department. Honor the customer’s choice.
6. Obtain the security code on the back of the card for all telephone sales.
7. Write cardholder information only on designated forms.
8. Store all documents containing cardholder data in a secure locked area.
9. Never send or receive card data through e-messaging.
10. Never share cardholder information outside your work environment.

Some of these rules may not apply to your department. Each department has a different business process, so remember to double check with your supervisor if you have any questions.

"Sorry, I cannot process a credit card and give you cash."

Refunds must be placed on the card used for the initial purchase.

What if someone does not have their original card? If a customer doesn’t have their original card, inform them that a check will be issued for the refund amount.

Internet Transactions: this is much simpler for internet transactions, since the cardholder’s information and card number are linked to the sale. A refund will be automatically issued based on the original transaction and card used.

Never enter the customer’s card information over the phone to issue a refund for an internet transaction.

Rule 3 applies to any sales situation where a customer hands you a credit card.

Keep the card in the customer's line of sight at all times.

Do this:
• Place the card on the counter as you log into the POS terminal.
• Hold the card up in front of you, or keep it on the counter if you need both hands.

NOT this:
• Place the card below the counter
• Walk away from your station with the customer's card
• Place the card in the drawer
• Place the card behind an object that blocks the customer's view

Rule 4 requires you to make sure the signatures match.

Check the following items:
• A signature appears on the card.
• The signatures on the card and receipt look similar.
• The signature area on the card is intact and not voided.
• Color markings appear on the signature stripe.

If the signatures do not match or you have a concern about the authenticity of the card, call your supervisor.

Match signatures on the signed receipt to the back of the card.

For magnetic-stripe card transactions, match the name and last four digits of the account number on the card to those printed on the receipt.

"Can I see your ID please?"

Accept only the credit cards your organization has approved.

Make sure the logos above appear on the card. Your department may even limit which of these 4 cards it accepts, so make sure you find out.

This is your last line of defense for preventing the fraudulent use of a card via internet or phone.

Obtain the security code on the back of the card for all telephone sales.

• When you (the merchant) ask for this number, you are validating that the card is in the physical possession of the cardholder (purchaser).

• If the security number does not match the issuing bank's file, the transaction will be declined and you will receive a message saying the security code does not match.

The CAV2/CVC2/CVV2/CID number should never be written down on any paper document. It may only be entered through a terminal.

We protect your information!

This rule pertains mostly to telephone sales but should be kept in mind for all credit card transactions.

Write cardholder data only on designated forms.

• Follow your department’s policy for MOTO (Mail Order/Telephone Order) transactions.

• If MOTOs are allowed in your department, always record the customer's name, phone number, and credit card number on the designated form.

• Once the order has been placed or recorded, all paper documents are securely stored and destroyed when no longer needed.

This rule applies when cardholder data is received by mail, fax, or phone (any physical copies of the PAN).

Store all documents containing cardholder data in a secure locked area. Place all order forms in a designated restricted area under lock and key. These documents will remain there until they are later destroyed by designated staff.

To secure cash and credit card receipts:

• Organize credit card receipts into a stack.
• Place the receipts inside the cash bag.
• Deliver the bag to the safe or cash room.

Perform a search for CHD every 6 months
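The six-monthly search for cardholder data, together with the storage table earlier (stored PAN must be protected), is the kind of task a small discovery scan can support. The following is an added example written for this page, not part of the training material: it finds digit runs of PAN length in text, keeps only those that pass the Luhn check, and reports each one masked to its first six and last four digits so that the findings report does not itself become a new copy of cleartext PAN. The sample lines are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits, so longer IDs are not split into pieces.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every valid PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask for display: first six and last four digits only (PCI DSS 3.3 masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line number, masked PAN) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed sample: the kind of notes file a CHD search should flag.
# Line 2 holds a 13-digit ticket number that fails Luhn and is correctly ignored.
SAMPLE = """refund 2016-03-01 card 4111 1111 1111 1111 amount 25.00
ticket 1234567890123 opened by jdoe, callback 555-0100
invoice 5500000000000004 paid in full
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE):
        print(f"line {lineno}: possible PAN {masked}")
```

Run it over exported documents or mailbox text; every hit should then be checked by designated staff and the source either securely destroyed or moved under lock and key as the rule above requires.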

http://www.youtube.com/watch?v=iC38D5am7go

Under no circumstances should cardholder information be sent via any electronic format.

Never send card data through e-messaging.

This includes all electronic communication such as emails, attachments to emails, text messaging and chat rooms.

Never discuss a customer's personal card information outside of work.

Never share cardholder information outside your work environment.

You can discuss your work with credit cards at a high level, but never mention specifics.

Customers are trusting you with their sensitive account information! Treat their information as if it were your own, including SSNs and other personal information.

To prevent skimming, you should be on the lookout for:

https://www.youtube.com/watch?v=njET6_q1hWw