e-Learning Module Credit/Debit Payment Card Acceptance and Security

e-Learning Module Credit/Debit Payment Card Acceptance and Security. OBFS-Treasury Operations-Merchant Card Services. February 26, 2011. Instructor and Moderator, Rebecca Kornegay.


Transcript of e-Learning Module Credit/Debit Payment Card Acceptance and Security

Page 1: e-Learning Module Credit/Debit Payment Card Acceptance and Security

e-Learning Module

Credit/Debit Payment Card Acceptance and Security

OBFS-Treasury Operations-Merchant Card Services

February 26, 2011

Instructor and Moderator, Rebecca Kornegay

Page 2: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Welcome

Page 3: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Introduction

• University of Illinois departments accept and process thousands of credit or debit card payment sales daily.

• Departments are required to comply with payment card industry data security standards (PCI DSS) of Visa, MasterCard, American Express, and Discover to secure cardholder information at all times.

Page 4: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Why Are We Doing This?

• University students, parents, and customers trust that their card information will be protected at the University of Illinois.

• To protect the University from a card security breach and monetary fines.

Page 5: e-Learning Module Credit/Debit Payment Card Acceptance and Security

What Will You Learn?

• Anatomy of a Payment Card

• Required Guidelines as Best Practices for Handling Payment Card Information

• Payment Card Security

Page 6: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Anatomy of a Payment Card

Credit/Debit Card – Data Embossed Front

Account Number

Cardholder Name

Bank Card Brand

Bank Card Logo

Verification Number (American Express Only)

Expiration Date

Page 7: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Anatomy of a Credit/Debit Payment Card

Credit/Debit Card – Data Imprinted Back

Magnetic Stripe

Signature Panel

Security Code (Visa, MasterCard, Discover)

Page 8: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Payment Card Acceptance and Processing

Payment card transactions must be accepted using one of the following methods and technologies:

• Methods

– Face to Face (card present)

– Mail, Telephone or Fax (card NOT present)

– University-approved internet application (card NOT present)

• Technologies

– Terminal

– Point-of-Sale (POS) system

– e-Commerce

Page 9: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Secure Methods

Phone

Mail

Fax

Mail or Telephone Orders (MOTO)

Page 10: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Not Secure Methods

PDA Device

Wireless Devices

Staff entering a cardholder’s card information into a computer or a website from their workstation computer.

Instant Messaging or Chat

Page 11: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Email Not A Secure Method

If a customer sends their card information via email,

• Delete the email from your inbox and deleted box, then send a message of response.

• If you reply to the original email, remove the card information before sending the message.

• Send a response that the card information is not accepted via email and provide alternative methods for sending their card information by fax, mail, phone, etc.

Page 12: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card Present Transactions

Accepting a payment card face-to-face

Page 13: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card Present Transactions

If You Handle Card Present Transactions,

• The payment card must be swiped through the terminal or POS system card magnetic stripe reader.

• Do not keep any card information after the transaction has been authorized.

• Keep the payment card within the customer’s view and shield from the view of others.

Page 14: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction

• The physical payment card is not provided for processing.

• Requires manual entry of the card number into a processing technology.

Page 15: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction

In addition to manually entering the Cardholder Account Number, for card NOT present transactions you must enter:

• EXPIRATION DATE, 02/14

• CARD BILLING ADDRESS STREET NUMBER, 3775

• ZIP CODE, 61821

• VERIFICATION NUMBER (FRONT OF AMEX CARD)

• SECURITY CODE, CVS, CVV2, CID (VISA, MASTERCARD, & DISCOVER CARDS)

Page 16: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction

Sensitive Security Authentication Data must NEVER be stored after the transaction is authorized.

• Security Code and Verification Number

• PIN Numbers

• Expiration Date

• Payment Card Full Magnetic Stripe Data

Page 17: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By Phone

Payment Card Data Acceptance Requirements

• Phone

Page 18: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By Phone

Payment Card Data Acceptance Requirements

• Phone

Page 19: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By FAX

Payment Card Data Acceptance Requirements

• Fax

Page 20: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By FAX

Payment Card Data Acceptance Requirements

• Treat a fax the same way as you would treat cash

$100 Bills

Page 21: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By Mail

Payment Card Data Acceptance Requirements

• Mail

$100 Bills

Page 22: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By Paper Based Forms

Payment Card Data Acceptance Requirements

• Paper Based Forms

Page 23: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By Paper Based Forms

If paper records contain card account numbers,

• Render all but the last four digits unreadable by blackening the numbers with a china marker grease pencil or by replacing them with the characters *, #, or X.

Page 24: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By Paper Based Forms

Designing Order, Registration, or Invoice Forms

• Form area capturing card information must be,

– Placed at bottom of form

– Remove card information

– After processing payment, cut or tear form bottom to be shredded

– Printed receipts or invoices distributed outside the unit must show only the last four digits of account number.

Page 25: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Card NOT Present Transaction By Paper Based Forms

If paper records contain card account numbers,

• Disposing of Paper Based Forms

Page 26: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Accessing and Storing Payment Card Information

Required Procedures for Accessing Card Information

• Limit access to documents and reports

• Never share logins and/or passwords with others, including coworkers.

Page 27: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Accessing and Storing Payment Card Information

Required Procedures for Storing Card Information

• Databases, spreadsheets and other electronic systems must ONLY store the last four digits of the card account number.

• NEVER store the card expiration date, verification number, or security code in ANY electronic spreadsheet, database or system.

Page 28: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Accessing and Storing Payment Card Information

Required Procedures for Storing Card Information

• Store all materials containing cardholder account information in a secure and restricted area.

Page 29: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Payment Card Transactions Delayed Processing

Best practice is to process payment card information immediately for the transaction to be authorized.

• If a delay is required,

– Do not store the card information in electronic format.

– Card information must be kept secure and with restricted access until the payment is processed for authorization.

Page 30: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Payment Card Transactions Delayed Processing

• Secure the paper form containing payment card information following the same guidelines used for securing cash transactions.

• Treat delayed processing paper containing card information as if it were cash.

Page 31: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Security Reminder

Phishing

Securing Payment Card Information

• Be aware of phishing methods that attempt to trick you into providing card data for malicious purposes.

• Never provide a customer’s payment card information to anyone.

• Merchant Card Services and the University’s bank processor, Global Payments, will never contact a department to request that you provide card information.

Page 32: e-Learning Module Credit/Debit Payment Card Acceptance and Security

What Happens if Payment Card Information is Lost or Stolen?

• Stolen card data might be used to make counterfeit cards.

• Can be sold for illegal purposes, such as facilitating identity theft.

• An expensive forensic investigation may result.

• The University will be fined for the breach and other associated costs, such as the forensic investigation.

Page 33: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Payment Card Security Breach Consequences

The consequences of a security breach:

• A forensic investigation will determine the amount of data lost and how the loss occurred.

• All fines, monetary penalties, and other associated costs related to the breach are paid by the department merchant that experienced the breach.

• Increased processing restrictions or loss of processing privileges for the department.

Page 34: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Payment Card Security Breach Consequences

Breach in security could result in:

• Significant monetary fines to the University.

• Potential loss of reputation and trust from students, parents, and customers.

• The entire University could lose the privilege to accept and process credit/debit cards due to a department’s payment card security breach.

Page 35: e-Learning Module Credit/Debit Payment Card Acceptance and Security

Thank you!

Questions, contact Rebecca Kornegay at University of Illinois Merchant Card Services Office, by PHONE: 217-244-9384 or E-MAIL: [email protected]