
Payment Card Industry Data Security Standards (PCI DSS) Quick Reference Guide


Overview

You should have already been trained, and possibly refreshed, in PCI DSS requirements and how the standards relate to your employment duties at UWE. This guide will remind you of your responsibilities, and what is required of you operationally during your daily duties, to ensure the safety of cardholder data.

You will already have read and understood the following documentation; do go back to any of these if you are unsure of what they cover:

- UWE PCI DSS Policy (and other policies linked into the document, such as the IT Security Policy);
- UWE Incident Response Plan (section 11 of the PCI DSS Policy) – details of what action should be taken in the event of a card data breach, what information needs to be reported, and who to report it to;
- UWE PDQ Management Policy – for managers responsible for income collection in their area.

Reminder: What is PCI DSS?

PCI DSS is a global standard of best practice, designed by the card payment brands to increase security and decrease fraud relating to cardholder data. MasterCard or Visa can, and will, impose substantial financial penalties for non-compliance, with further financial penalties for any actual data breach incidents that arise. If there is a continued breach of data security, as a final resort, the University's permission to process card data may be removed.

Reminder: How does PCI DSS relate to what I do?

The following table summarises the key requirements for each payment method which, if properly followed, will greatly reduce the risk of cardholder data being stolen. Some of the scenarios might not be relevant or appropriate to you; if you are unsure how to apply PCI DSS to your processes, please seek advice from your manager.

Remember, the best defence against cardholder data theft is not to store it – if we do not have it, it cannot be stolen from us.
Finance Document – PCI DSS Quick Reference Guide

Key requirements by payment method

Online

Do:
- Encourage students / customers to make payments online themselves where possible, and if not possible, offer an alternative payment method.
- In exceptional circumstances, card payments can be processed online by a trained member of staff working in the Income Office if the student/customer cannot/will not pay online.
- Ensure that you are aware of how to detect a fraudulent key-logging device being installed on your computer (see Appendix 1), as such a device enables cardholder data to be stolen.

Don't:
- DO NOT WRITE DOWN CARD DETAILS.
- DO NOT READ OUT CARD DETAILS.

Face-to-face using a card terminal (PDQ – cardholder present)

Do:
- Once you have entered the amount, the customer should put their card in the terminal for chip and PIN transactions, or pass their card over the terminal for contactless transactions. Staff should not need to handle the customer's card.
- If your terminal prints the full Primary Account Number (PAN – the 16-digit card number) on the merchant (UWE) copy of the receipt, you must bring this to your manager's attention or contact the PCI DSS team immediately.

PDQ terminal security:
- Always keep the device in view during business hours, and locked away with restricted access outside of business hours.
- Managers are responsible for ensuring that PDQs are properly and securely managed and controlled.

PDQ terminal checks:
- Always co-operate with the annual device audit undertaken by the Income Office Manager.
- Regularly inspect the device to detect tampering (see Appendix 1) or substitution (by checking the serial number or other device characteristics), as either enables cardholder data to be stolen.
- Ensure that adequate controls exist for visitors to your restricted area where card payments are processed (if applicable – e.g. Conference Centre):
  - ensure that all students and staff wear UWE identification lanyards;
  - ensure that all external visitors are authorised to enter, and escorted at all times;
  - ensure that all external visitors are identified and given a visitor badge, which is returned when they leave;
  - ensure that an external visitor log is maintained.

Telephone (cardholder not present)

Do:
- Telephone payments are discouraged; students/customers are encouraged to pay online themselves. In exceptional circumstances, card payments can be processed by telephone if the payer cannot/will not pay online.
- If a telephone payment is taken, you must enter the details straight into the University's online software.
- If the software is not available for any reason, arrange to call the customer back when it is available, and then enter the details directly into the software during the call.
- Ensure that you are aware of how to detect a fraudulent key-logging device being installed on your computer (see Appendix 1).
- When processing a card payment via telephone in a busy working area, never read the customer's card details back to them, in case you are overheard. You can confirm part of the number (e.g. the last 4 digits) if necessary.

Don't:
- DO NOT READ OUT CARD DETAILS.
- DO NOT WRITE DOWN CARD DETAILS.
- DO NOT RECORD TELEPHONE CALLS – calls where card payments are taken must never be recorded.

Card details received by post (application forms)

Do:
- Application forms may contain cardholder data, which must be securely locked away, with restricted access, until needed.
- Payment transactions must be processed as soon as possible, and within 5 working days of receiving the application form.
- After the payment has been processed, the application form should be hand delivered to the Income Office within 2 working days.
- The Income Office must immediately cross-shred the card details section of the application form, and securely store the rest of the form.

Card details received by email

- Card details received by email must be immediately and permanently deleted without being processed: after the original deletion, permanently delete the message from 'Recover Deleted Items' as well.
- Never ask a customer to email their card details to you.
- If a customer emails you card details, you must not process them, or forward them on to another member of staff.

Card details received by fax or messaging technologies (i.e. instant messaging and chat)

- Card details received by fax must be cross-shredded without being processed.
- Card details received by message must be deleted without being processed.
- Card details received by fax or messaging must not be processed.
- Never ask a customer to provide cardholder details by any of these methods.
- If you receive cardholder details by any of these methods, email the student / customer directly and advise them to pay online, or in person.

Physical storage and disposal of card data

- Cardholder data should only be retained and securely stored (locked away with restricted access) if there is a business need to do so.
- If you are unsure whether card details should be kept, check with your line manager.
- NEVER TAKE COPIES OF CARDHOLDER DATA, e.g. on paper, spreadsheets, USB drives, or network shares.

Electronic storage of card data

- Card data must never be stored electronically – if it is on our networks, there is the potential for unauthorised access. This includes data stored in files on your computer or network, electronic images such as eFax, and recorded telephone calls.
- If you have any card data stored electronically (e.g. data stored in files, eFax, recorded telephone calls), you must contact the PCI DSS team immediately.
- If you collect CCTV, you must ensure that it cannot capture card data.

Dealing with declined card transactions

- Advise the customer immediately if a card transaction is declined and offer an alternative payment option.
- Do not take a note of the card details and try to re-process at a later date.
- If processed via a PDQ device, give the customer the customer copy receipt stating that the payment was declined, and securely store the merchant copy.
- If processed online, advise the customer that they must contact their card issuer, and offer an alternative payment option.

What should I do if I suspect someone has gained unauthorised access to card data?

If there has been a break-in to an area where cardholder data is processed, or you believe a terminal has been tampered with, you must follow the PCI DSS Policy section 11 – Incident Response Plan:

- Do not change anything on the terminal/PC.
- Do not unplug the terminal/PC.
- Do not continue to use the terminal/PC.
- Stop using that terminal/PC immediately and disconnect the network or telephone line – ensure that you keep the device under your watchful eye until told otherwise.
- Immediately record known or suspected incident details and email your Line Manager, Income Office Manager, Data Protection Compliance Officer data [email protected] and PCI DSS Team [email protected]

Appendix 1: How to detect fraudulent tampering of your PDQ terminal and/or computer

What is skimming?

Skimming is a method used by criminals to capture data from the magnetic stripe on the back of a card.

How does skimming work?

Typically, someone in a workplace uses a small, manual skimmer to steal information from a card's magnetic stripe. That information is sold to criminals, put onto a counterfeit card and used to make fraudulent purchases. While making it look like they are performing maintenance, criminals can open the PDQ terminal and install the skimmer. In some circumstances, they remove the existing PDQ terminal and replace it with one already modified. They can also install a device on one of the PDQ terminal's communication cables, capturing the card information during its transmission. You should be vigilant of any potential skimming activity and take action to prevent this criminal activity in your workplace.

What does a skimming device look like?

Skimming devices, or "skimmers", come in many shapes and sizes; they are small and portable, with a slot where the card can be swiped and "skimmed". Many of these devices are hand held, but some can be installed inside the PDQ card terminal, or on one of its cables or connections.

[Figure: Manual skimmer – captures data stored on the magnetic stripe of the card.]
[Figure: Compact manual skimmer – a smaller version of the manual skimmer, which can be concealed more easily.]

What is key logging?

Key logging is where a device (a key logger) is plugged into your computer's USB port by criminals to record keystrokes and so capture data typed in.

[Figure: Hardware key logger – connected to your computer's USB port, records keystrokes and stores the data.]
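Two of the guide's rules above are checkable mechanically: a merchant receipt copy must not print the full PAN, and card data must never sit in files on the network. The following is an added example, not part of the UWE guide or its policies, of the kind of cardholder-data discovery check a PCI DSS team runs over exported receipt text or files found on a share: it flags Luhn-valid 13 to 19 digit numbers as full PANs, lets a correctly truncated receipt (last four digits only) pass, and reports only the masked value so the scan itself never copies card data. The sample lines are constructed, and 4111 1111 1111 1111 is a widely published test card number, not real card data.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every genuine PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like full (untruncated) PANs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Reject runs of one repeated digit such as 0000...0: Luhn-valid, but not a card.
        if luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Truncate a PAN to its last four digits, the most a merchant receipt copy should show."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line number, masked PAN) for each line holding a full PAN; never return the PAN itself."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample text (not real card data): a merchant receipt copy that prints the
# full PAN, a correctly truncated customer copy, and an unrelated 16-digit reference number.
SAMPLE_LINES = [
    "Merchant copy   CARD 4111 1111 1111 1111   AMOUNT 120.00",
    "Customer copy   CARD ************1111       AMOUNT 120.00",
    "Order ref 1234567890123456   student id 1122334455",
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: full PAN stored, report to the PCI DSS team ({masked})")
```

Only the first sample line is reported; the 16-digit order reference fails the Luhn check and the truncated customer copy contains no candidate at all.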