Credit Card Merchant Training PCI 2015

Upload: maximilian-patrick

Post on 12-Jan-2016


Credit Card Merchant Training

PCI 2015


Why Now?

• In October 2015, there will be a fraud liability shift that will affect merchants not able to accept EMV chip cards. This shift will mean that whoever does not have the superior EMV technology between the merchant (i.e. WKU) and the card issuer will absorb any financial loss due to fraud.

• PCI DSS 3.1 new security requirements effective October 1, 2015


Challenges for Universities

• Decentralized environment

• Variety of credit card data locations

• Variance in procedures

• Network connections


Goals for WKU

• Secure, concise practices to benefit and protect departments, employees and WKU

• Proactive focus on security

• Compliance with data security standards to be viewed as an “everyday, business-as-usual practice.” (Mills-Sen, 2015, p. 5)


What’s New?

• Acceptance of American Express

• Ingenico ICT 220 – mag-stripe reader, EMV card-entry slot, integrated contactless reader

• Privileged User Access form and Terminal log

• Ethernet port connection – dedicated port(s)

• SAQ requirement will change to B-IP due to change from phone lines to Ethernet


What is the Same?

• Security processes as outlined in the Policy & Procedures for Credit Card Merchants, http://www.wku.edu/policies/docs/146.pdf

• Annual SAQ questionnaire: a prompt response is strongly encouraged so that the completed SAQ is submitted in a timely manner

• Transmittal process


Departmental Practices

• Departments may accept credit cards in person (preferred), by mail, phone, and fax.

• Always obscure all but the last four digits of the card numbers immediately after the transaction is approved.

• Never email credit card information or store credit card numbers in any database or spreadsheet.

• Never send credit card information via text messages or any end-user messaging technology.


Departmental Practices

• If you receive compromised information via email or text:

• Open a NEW email or text, reply to the sender, and alert them that credit card information should never be sent via email or text and that, as a result, their information could have been compromised. Inform them we will delete all records of the email or text(s) for security reasons. Ask them to submit the card information using a secure method – in person, by mail, over the phone, or by fax.

• Delete ALL records of the email or text (including the trash folder) immediately.


Departmental Practices

• Keep all documentation in a secure, locked location.

• Store receipts according to WKU’s record retention schedule. All receipts must be shredded after that time.

• Watch for tampering, add-ons or anything unusual around the device.

• Be cautious of anyone claiming to be from BB&T stating they are supposed to work on the terminal. If you have concerns, call the Office of the Bursar for verification.


Transmittals

• After credit cards are processed for the day, batch the credit card machine (this may also happen overnight).

• Submit batch settlements to the Office of the Bursar. Please do not include individual sales receipts for each transaction, only submit the batch total. The transaction details are to be maintained by the department. Please submit transmittals daily per University policy.


What’s Next?

• Pick up new machines

• WKU IT will schedule a time to check terminal, record MAC address, turn on the dedicated port(s) and test operation

• Return ALL old credit card terminals to Office of the Bursar by September 30

• Future training (required by PCI DSS 3.1) to provide ongoing education and campus security


Questions?

• Training for new terminal: BB&T, 1-800-847-2876, M-F 6:00 am – 5:00 pm AZT

• Questions or changes to merchant account?

– Contact Rachel Norton, Bursar Specialist

– 270-745-5375, [email protected]


References

• Branch Banking and Trust. EMV (Europay-MasterCard/Visa). 2015.

• Mead, Ann K. (authorized). WKU Policy & Procedures for Credit Card Merchants, 3.3101. 2011.

• Mills-Sen, Pamela. PCI Compliance Crackdown. University Business Magazine Web Feb 2015.

• PCI Security Standards Council, LLC. PCI DSS SAQ B, v3.0 – Section 2: Self-Assessment Questionnaire. © 2006-2014.