2013 PCI Data Security Awareness Training

Description: 2013 PCI Data Security Awareness Training (PowerPoint PPT presentation). What is PCI-DSS? The Payment Card Industry Data Security Standards (PCI-DSS) are regulations that were created to ensure safe handling of sensitive information and to protect cardholder data.

Transcript of 2013 PCI Data Security Awareness Training

Page 1: 2013 PCI Data Security Awareness  Training

2013 PCI Data Security Awareness Training

Page 2: 2013 PCI Data Security Awareness  Training

What is PCI-DSS?

The Payment Card Industry Data Security Standards (PCI-DSS) are regulations that were created to ensure safe handling of sensitive information and to protect cardholder data.

Page 3: 2013 PCI Data Security Awareness  Training

Importance of Training

Your customers will:

* Appreciate your ability to reduce the threat of identity theft

* Trust you to complete transactions without creating duplicate or invalid charges

* Enjoy peace of mind, knowing that their credit card information is in good hands

The university:

* Takes pride in a skilled workforce

* Values your ability to build customer confidence

* Needs your help in limiting potential losses, fines & penalties

Page 4: 2013 PCI Data Security Awareness  Training

...and you:

* will have confidence in your ability to safely and efficiently do your job

* will recognize and evaluate key security features on valid cards

* will be alert to the warning signs of fraud

* will know that you can make informed decisions under pressure

Page 5: 2013 PCI Data Security Awareness  Training

Agenda

• UGA Credit Card Policy and Procedure

• Overview of PCI DSS

• Yearly Scans and Questionnaires

• What happens if a breach occurs

• Audits

• Changes and Revisions

• Guest Speakers

• Questions

Page 6: 2013 PCI Data Security Awareness  Training

Policy and Procedures

• Do NOT store, process or transmit credit card information on the UGA network

• Third-party application for any new or updated changes to credit card acceptance.

• PCI Questionnaire and Scans

• Daily Batch Settlements (covering and cross training in case of absences)

• Daily Transmittals and Reconciliations

• Retention policy

• Incident response

• Background checks

Page 7: 2013 PCI Data Security Awareness  Training

PCI

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Page 8: 2013 PCI Data Security Awareness  Training

Yearly Scans and Questionnaires

• Annual Assessment Questionnaire

– Required of all merchants, regardless of level

– Self-Assessment or performed by Qualified Security Assessor (QSA): A, B, C-VT, C, D

• Security Vulnerability Scan – Quarterly

– Required for external-facing IP addresses

• Web applications

• POS software and databases on networks

• Applies even if there is a re-direction link to a third party

– Must be performed by Approved Scanning Vendor (ASV)

– Validation based on level assigned to merchant, based on transaction volume

• Visa & MC schedules are different

• Visa’s schedule is what most go by

Page 9: 2013 PCI Data Security Awareness  Training

Breaches 2012 - Business

• Zappos! – (January) 24 million records including partial credit card numbers illegally accessed. Estimated direct cost – $46,560,000,000.00

• Global Payments – (February) 1.5 million card numbers and other information stolen in a security breach which reportedly occurred between Jan. 21 and Feb. 25, 2012. Estimated direct cost – $291,000,000.00

Page 10: 2013 PCI Data Security Awareness  Training

• Schnucks Markets – (March) 2.4 million credit and debit card numbers stolen. Estimated direct cost – $465,600,000.00

• Wyndham Hotels – (June) the FTC files a lawsuit against the hotel chain for failing to secure customer data. Chain was hacked three times in two years, resulting in the theft of more than 600,000 credit card numbers. Estimated direct cost – $11,640,000.00

Page 11: 2013 PCI Data Security Awareness  Training

• State of South Carolina – (September) The SC Department of Revenue lost 6.4 million taxpayer records that included Social Security Numbers, Credit Card Numbers, and Debit card numbers. Anyone filing an online tax return from 1998 to 2012 was potentially affected. Estimated direct cost – $12,416,000,000.00

Page 12: 2013 PCI Data Security Awareness  Training

Breaches 2012 – Higher Education

• University System of Maryland (January) – 8000 records of prospective students, some with credit card numbers, were found on a public server. Estimated direct cost – $1,552,000.00

• Universities of Maine, Arkansas, and Rochester NY (May) – 4617 records stolen from the computer stores that serviced the campuses. Estimated direct cost total – $895,698.00

Page 13: 2013 PCI Data Security Awareness  Training

Breach Example 1

• A Friday in September: an employee entering credit card information on a kiosk decides to check their email.

• Their inbox contains an email from a friend. The subject line reads “Still need tickets?” The message says “He needs to sale these!!! CHEAP!” It contains a link. The employee clicks the link and is taken to a website that has nothing to do with football tickets.

• They leave the site, but have already downloaded malicious software.

Page 14: 2013 PCI Data Security Awareness  Training

Breach Example 2

• Over the weekend an attacker manages to spoof a trusted IP address and gain access to a payment card network.

• The attacker quickly runs through a list of known manufacturers’ passwords and discovers that no one changed the password on a POS system.

• It is quick work for the attacker to introduce a backdoor to filter transaction details. It could be months or even years before the vulnerability is detected.

Page 15: 2013 PCI Data Security Awareness  Training

Breach Example 3

• While in a checkout line, a customer accidentally knocks over her handbag, scattering its contents on the floor behind and under the counter.

• While the cashier is distracted by helping the customer, a second person switches out the Point of Sale unit with an identical one set up to skim PIN numbers and card information.

• Thousands of debit and credit card numbers are intercepted before a new POS is installed and the switch is discovered.

Page 16: 2013 PCI Data Security Awareness  Training

Breach Example 4

• Strange traffic is logged on your payment card network over Christmas break. A physical sweep of the area where the kiosk is located reveals an unauthorized wireless access point in a nearby closet.

• One of the custodial staff reports an IT guy doing some work in the closet a few months ago. They were in there early in the morning, and that was memorable.

• No one on your staff fits the description given.

Page 17: 2013 PCI Data Security Awareness  Training

What is a Compromise or Incident?

• Malicious Code—a virus, worm, Trojan horse, or other malicious code that infects a computer

• Inappropriate Usage—a person violates computing use policies or laws

• Unauthorized Access—a person gains logical or physical access to a network, system, application, data, or other resource without permission

• Theft - of data or devices

Page 18: 2013 PCI Data Security Awareness  Training

Immediate Response

• Should you become aware that any cardholder data was subject to compromise, you alert the following IMMEDIATELY:

UGA Office of Information Security

UGA Bursar’s Office

• Immediately work with the Office of Information Security to limit the exposure.

• Bursar’s Office will work with you and Credit Card Processor regarding appropriate response to them as well as customers impacted.

Page 19: 2013 PCI Data Security Awareness  Training

Security Incident Reporting

Contacting Information Security

– Call EITS Help Desk

– Phone : 706-542-3106 (press 2)

– If you cannot get assistance by calling the EITS Help Desk, you can report incidents by sending an email to [email protected].

– If criminal violation, notify UGA Police

The Role of Information Security

– Assess the Situation & Extent of Loss

– Collaborate on a Remediation Plan

– Legal and Policy Compliance

Page 20: 2013 PCI Data Security Awareness  Training

Compromised System Response

• Do not access or alter compromised systems

• Do not turn the compromised machine off

• Isolate compromised systems from the network

• Preserve logs and electronic evidence

• Log all actions taken

• Be on high alert and monitor all systems

Page 21: 2013 PCI Data Security Awareness  Training

Aftermath

• The Bursar’s Office will:

– Provide all compromised accounts to the merchant services provider and to any other agency/company as instructed by the merchant services provider and/or card associations

– Provide an Incident Response Report document to each Card Association (within the timeframe they specify)

– If required by the card associations, undergo an independent forensic investigation

Page 22: 2013 PCI Data Security Awareness  Training

Changes and Revisions

Update to UGA procedure:

All Point-of-Sale Terminals that utilize a wired connection must do so over a Centrex Analog line. The UGA Office of Telephone Services can be consulted should you have any questions on a connection, new or existing.

WARNING:

NEVER ALLOW ANYONE TO INSPECT, PROGRAM OR REMOVE YOUR TERMINAL UNLESS YOU HAVE OBTAINED AUTHORIZATION FROM THE CREDIT CARD OFFICE.

VISA and Card Industry Updates:

Technology Innovation Program

• Effective October 1, 2012, Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant’s Visa transactions originate from dual-interface EMV chip-enabled terminals, in addition to meeting other qualification criteria.

Page 23: 2013 PCI Data Security Awareness  Training

© Copyright 2011 | First Data Corporation

Interchange & Market Trends Of Card Processing University of Georgia

Presenter: Susan Peek, First Data

April 25, 2013

Page 24: 2013 PCI Data Security Awareness  Training


Credit Card Transaction: Process Flow

Participants shown in the flow diagram: Consumer (Cardholder), Merchant, Acquiring Processor, Issuing Bank, Associations

Page 25: 2013 PCI Data Security Awareness  Training


Participants in the Credit Card Cycle

Customers expect to pay for goods and services just as producers expect to be paid for the goods and services they provide.

• Consumers – Desire to purchase goods and services without making an immediate cash disbursement.

• Merchants – Want to provide customers with the broadest range of payment options possible with the minimum investment. Need the payment process to be as simple and fast as possible.

• Issuing Banks – Desire to offer a broad range of financial services to consumers. Want to charge an annual fee for issuing the card and interest on the credit card balance.

• Associations – Want to offer a broad range of payment options to consumers. Need to cover the cost of processing and the risk associated with the transaction. They are required to compensate the issuing bank with the proceeds of the interchange fee.

• Acquiring Processor – Desires to provide merchants with the maximum range of payment options with minimum investment. Needs to make a profit on the transactions processed.

Page 26: 2013 PCI Data Security Awareness  Training


What is Interchange?

Interchange is a fee charged to Merchants for the service of accepting Association Branded Cards as payment for purchases made by customers.

• Interchange is set by the Card Associations

- The Interchange Fees are determined by the Associations based on a specific set of rules published by each entity

- Interchange rate schedules can change at any time

- Changes generally take place in the fall and spring of each year

• Charged by the Acquiring Processor - First Data/SunTrust Merchant Services

• Paid to the Issuing Bank - Examples: Wells Fargo, Chase, Bank of America, etc.

Page 27: 2013 PCI Data Security Awareness  Training


Components of the Interchange Fee

The Interchange Fees charged by the Associations (Visa, MasterCard, and other entities) are composed of two basic parts:

• Percentage %

• Flat transaction fee $0.00

An Example:

A student pays for lab fees that have a total cost of $50.00 and is paying with a Visa Card. A typical Interchange Fee for this transaction under a university industry code would be 1.43% plus a transaction charge of $0.05. Visa would charge the Acquirer (First Data) a total of $0.765, or $0.77 when rounded up.

$50.00 x 0.0143 = $0.715

$0.715 + $0.05 = $0.765, or $0.77 rounded up

Other fees charged to the merchant include:

• Card Association fees including the Assessment Fee and the Access Fee

• Acquiring Processor fees may include a per transaction processing fee

Page 28: 2013 PCI Data Security Awareness  Training


Key Interchange Terminology

Interchange Program – A specific classification set by an Association with a given rate, qualifications and rules for downgrades.

• Example: Visa’s CPS Retail 2 (Emerging Market)

Qualifications – The specific conditions required by an Association to be able to use a given Interchange Program.

• Example: Visa’s CPS Retail 2 requires (among other things) 2 day settlement

Downgrades – The act of substituting a more expensive Interchange Program (and rate) when a specific qualification is not met.

• Example: Visa’s CPS Retail 2 becomes EIRF if settlement occurs within 3 days; otherwise it becomes Standard. A transaction must meet the qualifications of the downgraded program or it will be downgraded again.

Page 29: 2013 PCI Data Security Awareness  Training


Interchange Fee Qualification Factors

Card Type Used By Customer For Payment

• Example: Consumer Card, Rewards Card, Business Card, Commercial Card, Purchasing Card

Payment Channel Used To Accept Payment

• Example: In Person Face-To-Face, Hand Keyed, Online

Merchant Category Code (MCC) Of Accepting Merchant

• Example: Government & Higher Education generally qualify for a lower interchange rate than retail stores

Timeliness of Settlement

• Example: Best interchange rate may require 2 day settlement from date of authorization

Page 30: 2013 PCI Data Security Awareness  Training


Prepaid Card Acceptance

• Card Branded Prepaid Cards run through your point of sale device or solution just as any other credit card transaction, so there is no need for a different point of sale device.

• Prepaid Cards generally qualify at a higher interchange rate than consumer credit cards. Their interchange qualification rate is much like other special cards such as the rewards, business, corporate and purchasing cards.

• Prepaid Cards may be considered a higher risk card, particularly for card not present transactions and mostly in high fraud industry type merchants. Universities are generally not considered high fraud merchants.

• Fraud protection for Prepaid Cards is the same as other payment cards.

• Use of fraud protection tools like collecting the Card Verification Value (CVV and CVV2) or using Address Verification Services (AVS), particularly for card not present transactions, is considered a best practice for all card types.

Prepaid Card acceptance is the same as any other type of credit card acceptance as long as the prepaid card presented has a card brand logo on the front of the card such as a Visa, MasterCard, American Express or Discover Card logo.

Page 31: 2013 PCI Data Security Awareness  Training


Industry & Market Trends

What is Changing?

• Convergence of online & offline commerce

• Increased security threats

• Increased levels of regulatory change

• Changing technologies

• Consumer expectations are rising

• New emerging shopping behaviors

Page 32: 2013 PCI Data Security Awareness  Training


Industry & Market Trends

Today’s card processing environment is much more sophisticated and complex than just swiping a card at the point of sale.

• Example: ecommerce, mobile payments, gateway (APIs and Hosted Pages)

Consumers are increasingly expecting an integrated buying experience that is personalized, secure, and smart.

• Example: Offers sent via smart devices based on buying habits or current location

Today’s customer wants to pay whenever and wherever they want and expects to be able to do so.

• Example: in-person, online, via smart device, wireless or stand-alone terminal

Merchants need to be ready to provide the payment types and payment channels their customers want to use while meeting compliance regulations and protecting against fraud.

• Example: Alternative payment types (PayPal, Google Pay), mobile commerce, EMV chip cards

Page 33: 2013 PCI Data Security Awareness  Training

THIS DOCUMENT CONTAINS UNPUBLISHED, CONFIDENTIAL AND PROPRIETARY INFORMATION OF AMERICAN EXPRESS. NO DISCLOSURE OR USE OF ANY PORTION MAY BE MADE WITHOUT THE EXPRESS WRITTEN CONSENT OF AMERICAN EXPRESS. © AMERICAN EXPRESS.

American Express and The University of Georgia

2013 Credit Card Conference

April 25, 2013


March 2013

Page 34: 2013 PCI Data Security Awareness  Training


American Express Overview

A Variety of Different Charge, Credit, & Prepaid Products to Meet the Needs of Our Customers

Co-Branded Cards – Costco, Delta SkyMiles, Hilton, Starwood, Jet Blue, Dillard’s, and others.

Consumer & Business Cards via Other Issuers – Bank of America, Citi, etc.

Charge Cards

Corporate and Small Business Cards

Purchasing Cards

“Cash-Back” Cards

Prepaid, Gift, Stored-Value, Reloadable Cards

And one of our newest offerings …..

Page 35: 2013 PCI Data Security Awareness  Training


Accepting an American Express Prepaid Card


• All American Express Prepaid Cards show the American Express “Blue Box” logo either on the face or back of the Prepaid Card. Prepaid Cards may or may not be embossed.

• Most Prepaid Cards can be used for both in-store and online purchases.

• Prepaid Cards are valid through the date on the Card.

• Simply swipe the Card at the point of sale just like any other Card.

• A Prepaid Card must be tendered for an amount that is no greater than the funds available on the Card. Because Prepaid Cards are pre-funded, if you receive a Decline when seeking Authorization, ask the customer to call the toll-free number on the back of the Card to confirm that the purchase price does not exceed the available funds on the Prepaid Card.

If the Prepaid Card does not have enough funds to cover the purchase price, process a Split Tender Transaction or request an alternative form of payment.

You must create a Charge Record for a Prepaid Card as you would any other Card.

Page 36: 2013 PCI Data Security Awareness  Training


Current Cost of Accepting American Express Cards

The Basics of Offering American Express as a Customer Payment Option

One “all-in” Discount Rate for Charge/Credit Card Transactions = 2.15%

Same Rate for all charge/credit card transaction types (Rewards Cards, Business Cards, etc.) and all acceptance methods (online, mail, in-person, etc.)

No Additional Fees charged by American Express!

1.65% for AXP Prepaid Card Transactions

Other:

No Additional Equipment Needed

Complimentary AXP-Only or Multi-Card Decals, Plaques, and Other Point-of-Purchase Items

Page 37: 2013 PCI Data Security Awareness  Training


Solutions to Help Reduce Inquiries and Chargebacks

Inquiries are expensive for all parties involved. Follow these general steps and you may avoid unnecessary Inquiries and Chargebacks:

• Keep track of all Charge Records.

• Issue Credits immediately after determining that Credit is due.

• Disclose all terms and conditions of your sale/return/exchange/cancellation policies at the point of sale, on all Charge Records and customer receipts and on your website.

• Contact your Processor or us to make sure the name that you provide to us in your Submission matches your business name.

• Submit Charges only after goods have been shipped or services have been provided.

• Advise Cardmembers when goods or services will be delivered or completed, and always advise the Cardmember of any delays.

• Obtain a Cardmember's signature whenever completing a service or work order.

Page 38: 2013 PCI Data Security Awareness  Training


Solutions to Help Reduce Inquiries and Chargebacks: Card-Not-Present

Obtain the Following from the Customer:

• Signature on fax order forms

• Card Number

• Expiration Date

• Card Identification Number (CID): this is a 4-digit number on the front of the card for American Express Cards, and a 3-digit number on the back of other cards

• Name as it appears on the Card

• Billing Address for the Card for Automatic Address Verification

Authorization / Approval Code (very important!)

• 1-800-528-2121 is the number to call to get approval codes for American Express transactions

• Write down approval code

• Enter approval code when keying-in Card number and other information into terminal

Optional: You can also ask customers to include a copy of the front and back of their Card if they FAX in their order, however I understand that you may not want to maintain this type of information.

Page 39: 2013 PCI Data Security Awareness  Training


Recommendations to Help Reduce Customer Disputes

CUSTOMER STATEMENT DESCRIPTOR

• Ensure that the Descriptor of the charge that the Customer will see on their card statement is as specific to the charge as possible (e.g. Utility Payment).

− The Descriptor that appears on an American Express Cardmember’s Statement is driven by what is in “Data Field 20 – Merchant Contact Information” (40 bytes of alphanumeric information allowed) that we receive in the Financial Settlement File from your processor.

• State at the Point-of-Sale how the charge will appear on the Customer's statement. Example: “This charge will appear on your statement as Utility Payment”

• Add a phone number to the Descriptor on the Customer's statement. Sometimes a quick call to an in-house merchant will completely clear up a matter of confusion and completely eliminate a dispute.

• Ensure terms and conditions (and refund/cancellation policies, if applicable) are highlighted at the Point-of-Sale, and have the Customer agree, such as by checking a box, to the acceptance of the terms and conditions.
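As an added example (not code from UGA, First Data or American Express), the following Python intake check applies the card-not-present rules from the page before this one (CID is 4 digits on the front of an American Express card, 3 digits on the back of other cards; an approval code is required) together with the 40-byte Data Field 20 descriptor limit above, and builds the charge record that is kept afterwards with the card number masked and the CID left out. The brand labels, field names, default date and sample orders are assumptions constructed for the example.

```python
"""Card-not-present order intake and charge record, modelled on the rules on
pages 38 and 39 above.  Added example; not code from UGA, First Data or
American Express.  Brand labels, field names and the sample orders are
assumptions constructed for this example."""
from dataclasses import dataclass
from datetime import date

PRESENTATION_DATE = date(2013, 4, 25)  # used as "today" by default (assumed)
DESCRIPTOR_MAX_BYTES = 40              # Data Field 20 limit stated on page 39
CID_LENGTH = {"AMEX": 4, "VISA": 3, "MASTERCARD": 3, "DISCOVER": 3}  # page 38


@dataclass
class Order:
    brand: str          # one of the CID_LENGTH keys (assumed labels)
    card_number: str    # digits, possibly with spaces as keyed by staff
    expiry_month: int
    expiry_year: int
    cid: str            # CID/CVV as read from the card; used once, never kept
    approval_code: str  # code obtained from the authorization call
    descriptor: str     # text the cardholder will see on the statement


def descriptor_ok(text: str) -> bool:
    """Page 39: the statement descriptor must fit 40 alphanumeric bytes.
    Printable ASCII is accepted so a phone number can be appended."""
    return (text.isascii() and text.isprintable()
            and 1 <= len(text.encode("ascii")) <= DESCRIPTOR_MAX_BYTES)


def validate_order(order: Order, today: date = PRESENTATION_DATE) -> list:
    """Return the problems found; an empty list means the order is acceptable."""
    problems = []
    pan = order.card_number.replace(" ", "")
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        problems.append("card number must be 13-19 digits")
    expected = CID_LENGTH.get(order.brand.upper())
    if expected is None:
        problems.append(f"unknown card brand {order.brand!r}")
    elif not (order.cid.isdigit() and len(order.cid) == expected):
        problems.append(f"CID must be {expected} digits for {order.brand.upper()}")
    # "Valid through the date on the Card": good until the end of that month.
    if (order.expiry_year, order.expiry_month) < (today.year, today.month):
        problems.append("card is expired")
    if not order.approval_code.strip():
        problems.append("approval code is required before keying the charge")
    if not descriptor_ok(order.descriptor):
        problems.append("descriptor must be 1-40 printable ASCII bytes")
    return problems


def mask_pan(card_number: str) -> str:
    """Keep only the first six and last four digits for the retained record."""
    digits = card_number.replace(" ", "")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def charge_record(order: Order, today: date = PRESENTATION_DATE) -> dict:
    """Build the record kept after the charge.  The CID is deliberately
    absent: PCI DSS does not allow it to be stored after authorization, and
    the full card number is masked (Requirement 3, protect stored data)."""
    problems = validate_order(order, today)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "brand": order.brand.upper(),
        "masked_pan": mask_pan(order.card_number),
        "expires": f"{order.expiry_month:02d}/{order.expiry_year}",
        "approval_code": order.approval_code.strip(),
        "descriptor": order.descriptor,
        "date": today.isoformat(),
    }


# Constructed sample orders (standard test card numbers, not real accounts).
SAMPLE_AMEX = Order("AMEX", "3782 822463 10005", 12, 2015, "1234",
                    "A12345", "UGA Lab Fees 7065550100")
SAMPLE_VISA = Order("VISA", "4111 1111 1111 1111", 6, 2014, "123",
                    "B67890", "UGA Utility Payment")

if __name__ == "__main__":
    for sample in (SAMPLE_AMEX, SAMPLE_VISA):
        print(charge_record(sample))
```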

Page 40: 2013 PCI Data Security Awareness  Training


Help Reduce Counterfeit and Card-Not-Present Fraud

The Card Identification Number (CID) fraud reduction tool is designed to ensure Cards that are manually keyed and/or swiped have not been altered or counterfeited.

Card Identification Digit

• Help reduce counterfeit card fraud by validating the CID number

• Help combat Internet and mail/phone order fraud

• Lower costs associated with chargebacks and fraud investigations

Page 41: 2013 PCI Data Security Awareness  Training


Automatic Address Verification

The Automatic Address Verification (AAV) service can help you reduce fraudulent charges. When you submit the Cardmember’s billing address and zip code, the issuer will verify that the information provided matches the billing information on file for the account.

• Help reduce card-not-present Card fraud by validating the address provided

• Help combat Internet and mail/phone order fraud with an effective solution

• Lower costs associated with chargebacks and fraud investigations

Page 42: 2013 PCI Data Security Awareness  Training

As an employee of UGA who is involved in credit card processing, I agree that I:

o Have read, understand and agree to comply with the University’s credit card policies and procedures as located on the Bursar’s website.

o Have reviewed, understand and agree to comply with the PCI-DSS training requirements.

Printed Name: ____________________ Merchant ID #: ____________ Department: ____________

Signature: ____________________ Date: ____________

Page 43: 2013 PCI Data Security Awareness  Training

Resource Links

• http://usa.visa.com/merchants/risk_management/cisp.html

• https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

• https://www.pcisecuritystandards.org/

• https://www.pcisecuritystandards.org/saq/index.shtml

• https://www.pcisecuritystandards.org/pin/

• http://www.discovernetwork.com/fraudsecurity/disc.html

• http://www.mastercard.com/us/sdp/index.html

• http://www.globalpaymentsinc.com/USA/customerSupport/index.html

• http://www.dfa.cornell.edu/treasurer/cashoperations/cashmanagement/creditcards/annualrequirements/index.cfm

• http://www.tntech.edu/bursar/payment-card-industry/

• http://www.google.com/imgres?q=question+mark+with+a+credit+card&um=1&hl=en&tbo=d&biw=1344&bih=673&tbm=isch&tbnid=j4K7efSfxXsEHM:&imgrefurl=http://www.bills.com/credit-help/&docid=LwbYO_SO33bdxM&imgurl=http://cdn.bills.com/images/articles/originals/credit-card-question-mark.jpg&w=478&h=324&ei=MgAQUc-jLZSC8AT04YDwDA&zoom=1&iact=rc&dur=110&sig=104541759428307438929&page=1&tbnh=135&tbnw=207&start=0&ndsp=32&ved=1t:429,r:3,s:0,i:90&tx=129&ty=105

• https://financial.ucsc.edu/Pages/Introduction_TrainingBenefits.aspx