
How to complete this assignment

This “course” consists of a PDF document that follows this page.

To receive credit for completing the course, you must confirm you have read and understood the material that follows this page. You will do this by reading the material, closing the document, and selecting Confirm in the box that appears after the document is closed.

In order for the confirmation box to appear, you must disable your browser’s pop-up blocker or change its settings to allow pop-ups for these sites:

skillport.com

skillwsa.com

gotrain.net

See this Online Learning FAQ entry for detailed instructions: How do I disable my browser's pop-up blocker or change its settings to allow pop-ups for Skillsoft sites?

After reading the material on the following page(s), you must take these steps to complete the course.

1. Close the browser tab or window that contains the PDF. In most browsers, you can close a tab by selecting the X icon on the tab or using the keyboard shortcuts Ctrl+W (Windows and Linux) or ⌘+W (Mac). Be sure not to close the browser entirely!

2. When the confirmation box appears after closing the tab or window, select Confirm to complete the course.

If you don’t see the confirmation box, it may be hidden behind other windows or your pop-up blocker may be enabled. In order for the confirmation box to appear, you must disable your browser’s pop-up blocker or change its settings to allow pop-ups for Skillsoft sites.

After completing a course, you may need to select Refresh in order to update your completion status on the Training Modules or Learning Plan page.


The University of Alabama
Housing and Residential Communities
Credit and Debit Card Security Policies and Procedures

Last Updated: April 26, 2016. Effective: July 27, 2012.

Purpose

This document describes Housing and Residential Communities (HRC) policy and procedures for the proper handling of credit and debit card transactions processed through automated systems and/or manual procedures. It is intended for:

Any individual who accepts, captures, stores, transmits and/or processes credit or debit card payments received for HRC services, for HRC contributions, for collection of University services related to HRC, etc.

Any individual who supports any HRC effort to accept, capture, store, transmit and/or process credit card information, such as a technical support staff member whose role gives him or her access to computer hardware and software holding credit card information, individuals tasked with shredding credit card information, etc.

This policy and these procedures are intended to ensure that credit and debit card information is handled and disposed of in a manner that satisfies the University of Alabama’s obligation to protect such information to a level that meets or exceeds that required by the Payment Card Industry.

Since any unauthorized exposure of credit or debit card information could subject the University to reputational damage, increased transaction fees, suspension of credit card privileges and significant penalties, failure to comply with the policy contained within this document will be considered a serious matter.


Principles

HRC is committed to complying fully with the expectations of the University of Alabama as specified by the Payment Card Industry in its Data Security Standard (PCI-DSS). Compliance requires that:

1. Only authorized and properly trained individuals may accept and/or access credit or debit card information.

2. Credit and debit card payments may be accepted only using methods approved by the Office of Student Receivables.

3. Each person who has access to credit or debit card information is responsible for protecting the information.

4. Credit and debit card information must be destroyed as soon as it is no longer necessary.

5. Appropriate checks and balances must be maintained in the handling of credit and debit card information.

6. Credit card terminals must be maintained and inspected for possible tampering or substitution.

7. Suspected theft of credit or debit card information must be reported immediately.

8. Annual review of PCI-DSS and HRC policies and procedures must be maintained.

Failure to comply with these principles, as implemented in this Policy, may result in the revocation of the ability to process credit and debit card transactions and/or could lead to disciplinary action.


Procedures to Implement Principles

1. Only Authorized and Properly Trained Individuals May Accept and/or Access Credit or Debit Card Information

No individual is authorized to accept, access or support systems housing credit or debit card information until the following requirements are satisfied:

The individual must be trained in the proper handling of credit and debit card information.

The individual must acknowledge his or her understanding of this policy and must confirm his or her commitment to comply with all related University and HRC policies and procedures before he or she assumes credit and/or debit card handling duties, and on an annual basis thereafter. This requirement may be satisfied by the individual physically signing this “Credit and Debit Card Security Policies and Procedures”, or electronically indicating his or her understanding and intent to comply with this policy in an electronic form. HRC’s Associate Director for Finance is responsible for maintaining a record of the physically or electronically signed agreements.

2. Credit and Debit Card Payments May Be Processed and Accepted Only Using Methods Approved by the Office of Student Receivables

Credit and debit card payments may only be accepted in the following manner:

A. through an automated system with a housing-developed Hosted Payment Gateway (SAQ A) in which only the customer enters data,

B. use of Card Swipe Terminals (SAQ B)
   1. in person,
   2. via telephone,
   3. via FAX at TBD (secured location at Central Office only/verify with Finance Area),
   4. via physical mail (not e-mail),

C. through an automated system that is entirely hosted by a PCI-DSS-compliant third party organization such as Tix.com (SAQ C).

Note: The Office of Student Receivables is responsible for annually confirming that automated systems are PCI-DSS compliant and will notify HRC accordingly.


3. Each Person Who Has Access to Credit or Debit Card Information is Responsible for Protecting the Information

Individuals who have access to credit or debit card information are responsible for properly safeguarding the data and must comply with all requirements of the University’s Privacy Statement and Information Security Plan to protect the integrity and privacy of such information.

The following pieces of information are considered “confidential” and must be protected appropriately from initial capture through destruction regardless of the storage mechanism used (e.g., on University computers, on electronic media, on paper, etc.):

Complete (non-truncated) credit or debit card number

Credit or debit card expiration date

Cardholder Verification Value (CVV2) – the 3- or 4-digit code generally located on the back of the credit or debit card

Personal identification number (PIN)

Cardholder’s name, address and/or phone number when used in conjunction with the above fields

Note: No HRC staff member has any need for a cardholder’s PIN; therefore it must never be collected.

All personal credit card information must be strictly controlled and protected. The information above should never be stored on a personal computer, personal electronic device or any type of transportable USB drive.

No employee should ever send or request cardholder information to be sent via e-mail, instant messaging, chat, Facebook, Twitter, etc. If a staff member receives credit card information that has been transmitted in this manner, the staff member should delete the credit card information immediately and remind the cardholder that there are alternative methods in place for submitting credit card information that provide better security of personal data. Exception: In the case of an authorized collection effort, the staff member may complete a credit card payment form and immediately fax or deliver it to the Billing Coordinator for processing before deleting the credit card information.

Transport of secured credit card data to another area – Generally, receipts for credit card transactions are generated by HRC Central Office, are retained within the department, and do not require transport to another area. However, there are events that may require the transaction to be generated in a separate HRC location. If so, all data containing credit card information must be maintained in locked storage until responsible staff can pick it up or deliver it. Since transactions may occur after normal business hours, data must be picked up/delivered before close of business the following day.


Card Swipe Terminals are configured to print only the last four characters of the credit or debit card number on both the customer and the merchant receipts, and on any reports that may be produced by the device. If more than four characters are printed, contact the Office of Student Receivables immediately. The physical location of card terminals should not be accessible by the public. HRC maintains two Card Swipe Terminals. One is maintained at Central Office in a secure room not accessible to the public. The second machine is normally located at Central Office, locked in a safe only accessible by authorized staff, except for use as authorized for HRC events such as housing check-in at Bama Bound Orientation. If used at another location, the Associate Director for Finance and appropriate staff members will ensure the terminal is not accessible by the public.

Credit Card information received in person, by telephone, by fax, or physical mail – Card information taken from a cardholder is processed immediately or taken to a staff member responsible for processing card transactions. Forms should not be stored at a staff member’s desk overnight. Any documents with cardholder data that must be stored overnight must be stored in the safe located in the Central Office Finance area and only accessible by authorized staff.

Merchant copies of credit card receipts generated from a terminal are accumulated throughout the day by the responsible staff member. Credit/Debit card receipts are also safely stored in the safe. No lists should be maintained that include entire credit or debit card numbers.
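The two rules above (receipts and device reports must show only the last four digits; no list may hold a full card number) can be checked mechanically during the monthly review of exported terminal reports or scanned paperwork. The following is an added example written for this page, not HRC’s or the Office of Student Receivables’ own tooling: it finds digit runs that pass the Luhn checksum the card brands use, ignores values that are already truncated, and shows the masked form the policy expects. The report text is constructed for the example, and 4111 1111 1111 1111 is the well-known Visa test number, not a real account.

```python
"""Scan receipt/report text for unmasked card numbers (PANs).

Added example; not part of the HRC policy or any Skillsoft material.
It assumes nothing about the terminal vendor: it reads text the way a
monthly receipt/report review would and flags any 13-19 digit run that
passes the Luhn check and is not already truncated to the last four digits.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookbehind/lookahead refuse runs adjacent to another digit or to '*',
# so only maximal runs are considered and '************1111' never matches.
_CANDIDATE = re.compile(r"(?<![\d*])(?:\d[ -]?){12,18}\d(?![\d*])")


def luhn_ok(digits: str) -> bool:
    """Return True if `digits` passes the Luhn (mod 10) checksum used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> list[str]:
    """Return the PAN-like digit runs in `text` that pass Luhn (separators stripped)."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Truncate a PAN the way the policy expects receipts to print it: last four only."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample: three report lines as a reviewer might see them.
# Line 1 is correctly truncated; line 2 leaks the Visa *test* number;
# line 3 is a 16-digit serial number that fails Luhn and must not be flagged.
SAMPLE_REPORT = """\
Batch 0412  ************1111  APPROVED  $412.00
Batch 0412  4111 1111 1111 1111  APPROVED  $125.50
Terminal serial 1234567890123456 inspected, no tampering
"""


def review(text: str) -> dict[str, list[str]]:
    """Summarise what a reviewer needs: which PANs leaked, and their masked forms."""
    pans = find_unmasked_pans(text)
    return {"unmasked": pans, "masked": [mask_pan(p) for p in pans]}


if __name__ == "__main__":
    for masked in review(SAMPLE_REPORT)["masked"]:
        # Print only the masked form so the scanner's own output never stores a PAN.
        print(f"UNMASKED PAN FOUND: {masked} (full value withheld from output)")
```

Run it as a script to see the alert, or import it and call review() on exported terminal reports. Only the masked form is ever printed, so the scanner does not itself become a new store of full card numbers; it is a detective control for the “last four only” rule, not a substitute for confirming the terminal configuration with the Office of Student Receivables.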

Physical documents, such as signed authorization forms, merchant receipts, reports, etc., that contain credit or debit card information should be retained only as long as there is a valid business reason to do so, and no longer than an Academic Year. While the documents are retained, they are stored in the secure safe with access restricted to authorized individuals on a need-to-know basis.

Credit Card Information received online through a Hosted payment gateway (See 2A. and 2C. above) – No staff member may enter credit or debit card data on behalf of the customer into any website or payment gateway.

Since HRC employees do not have access to confidential information as described in Section 3 above, see the Office of Student Receivables for credit card policies and procedures concerning hosted gateway transactions.

For transactions processed through a 3rd party such as Tix.com, only employees in the Finance area have access to reports, with truncated information, for viewing and reconciliation.


4. Credit and Debit Card Information Must Be Destroyed as Soon as It is No Longer Necessary

All credit and debit card information must be destroyed as soon as it is no longer necessary, and may not be retained for more than an Academic Year.

All physical documents that are no longer necessary must be cross-cut shredded in an approved PCI-compliant micro-cut shredder.

5. Appropriate Checks and Balances in the Handling of Credit and Debit Card Information

HRC will segregate, to the extent possible, all duties related to data processing and storage of credit and/or debit card information. Segregation of duties applies to card swipe terminal transactions only.

Responsible staff member accepts credit or debit card information.

Billing Coordinator processes card terminal transactions and settles Terminal Activity daily.

Accounting Specialist in Financial Affairs Business Activities office or Billing Coordinator prepares and submits Daily Cash Transmittals to Office of Student Receivables.

Accounting Assistant for HRC reconciles monthly statement to Summary Reports.

Office of Student Receivables verifies HRC’s merchant account is cleared on a monthly basis.

Processing Refunds – Refunds must be credited to the same card account from which the transaction was made.

For Hosted payment gateway transactions (2A.), the Office of Student Receivables processes refunds.

For third party transactions such as Tix.com (2C.), refunds are processed through that organization’s systems.

For Card Swipe Terminals, the Billing Coordinator processes refunds.

Cardholder questions, discrepancies, or disputes concerning a card transaction should be directed to the Billing Coordinator. The Billing Coordinator will immediately notify the Office of Student Receivables. Questions concerning reconciliation discrepancies by the Finance staff should be directed to the Office of Student Receivables.


6. Credit card terminals must be maintained and inspected for possible tampering or substitution

A list of credit card terminals, including make and model of the device, physical location, and serial number, will be maintained by the Billing Coordinator. The list will be reviewed monthly and updated as terminals are added, relocated, disposed of, etc.

Cashiers and other departmental personnel with access to the terminals will receive training so they are aware of procedures to detect and report attempted device tampering and substitution. Personnel will be trained to verify the identity of any third-party persons claiming to be repair or maintenance personnel prior to granting them access to modify or troubleshoot devices, not to install, replace or return devices without verification, to be aware of suspicious behavior around devices, and to report suspicious behavior and indications of device tampering or substitution to appropriate personnel.

Terminal surfaces will be inspected monthly by the Billing Coordinator in order to detect possible tampering or substitution. In addition, cashiers will be trained as to signs of tampering and substitution and will informally inspect terminals as they are used during day-to-day operations.

7. Suspected Theft of Information Must Be Reported Immediately

If a University cardholder reports suspected fraudulent use of their credit card, the cardholder should be referred to the Billing Coordinator in HRC. The Billing Coordinator should immediately collect all the data and notify the Assistant Director of Cash Receipting Operations in the Office of Student Receivables.

If a staff member knows or suspects that credit card receipts or other stored credit card data have been breached, the staff member must notify the Associate Director for Finance immediately. The Associate Director for Finance must notify the Executive Director for HRC and the OIT Information Security Officer as quickly as possible. See the following link for contact information for the OIT Information Security Officer: http://oit.ua.edu/oit/contact/

The University has an incident response team which will determine the appropriate course of action needed.


8. Information security policy

HRC will review and update the credit and debit card policy and associated procedures to address protection of credit card data on an annual basis. Mandatory training for all employees (permanent or temporary) who have access to credit card data will be provided annually. Employees will acknowledge in writing, or by completing the Training Academy completion confirmation, that they have read and understood HRC’s security policy and procedures including data access limitation, data storage, data retention, and data disposal. This acknowledgement must be reviewed and re-signed/re-confirmed annually. The signed acknowledgments will be on file with the Associate Director for Finance in HRC or through Training Academy, which may be accessed by the HR Learning and Development office.

Exceptions to Required Procedures

It is understood that a unique situation may require a short-term exception to one or more of the above procedures. Such an exception must satisfy ALL of the following conditions:

must comply with all applicable PCI-DSS requirements, and

must be restricted to specific dates or events.

Employee acknowledgement

By selecting “Confirm” in the box that appears after the document is closed, I acknowledge that I have read, understand, and will abide by the preceding Housing and Residential Communities Credit and Debit Card Transaction Policies and Procedures.

I commit to comply with the Policy and its documented procedures, and understand that failure to comply with the above requirements may subject me to a loss of credit card handling privileges and other disciplinary measures. Non-compliance could result in termination of employment.


PCI DSS Compliance Awareness Training – PCI 3.2 2016


General Information

• The Student Account Services Office is responsible for approval of all campus revenue generating activities, including those related to taking credit card payments. Approval by Student Account Services must be obtained prior to contract activity or the initiation of any revenue activity.

• Departments cannot negotiate their own contracts with credit card processors or contract with companies accepting credit card payments on their behalf. Equipment such as terminals, etc. must be requested from Student Account Services.

• Departments wishing to establish new revenue activities or to modify existing activities should review applicable policies and procedures found at: https://studentaccounts.ua.edu/information-for-departments/


Requirements for Merchants Accepting Credit Cards

• Departments must be compliant with Payment Card Industry Data Security Standards (PCI DSS) version 3.2.

• Compliance involves participating in training, developing a departmental policy for securing data, and training employees.

• An annual Self Assessment Questionnaire (SAQ) must be completed. The types of SAQs will be discussed in greater detail later in this presentation.

• PCI DSS also applies to third party providers. Certain contract language must be included in contracts with these vendors and they must demonstrate their compliance annually to UA.


So What is PCI?

• PCI DSS is a mandated set of security standards that were created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands.

• The PCI DSS requirements apply to all payment card network members, merchants, and service providers that store, process or transmit cardholder data, as well as to methods of accepting credit card payments such as stand-alone terminals or Point of Sale systems.

• The University and all departments that process credit card payments have a contractual obligation to comply with PCI DSS standards.


What happens if I don’t comply?

• Failure to comply could result in a breach of credit card data. Costs of a breach can be very severe. Per an annual study conducted by the Ponemon Institute, in 2015:

– The average total cost of a data breach was over $6.5 million.

– The average cost per lost or stolen record was $217 per record. The average cost per record within the education industry tends to be a little higher at $225 per record.

– Included in these costs are breach investigation costs, victim notification costs, costs of providing credit monitoring for victims, bank fines and fees, Visa / MasterCard / Discover / American Express fines, lost customers, and the cost of hiring an assessor, as a breached merchant is classified as a Level 1 merchant.

• Failure to maintain PCI compliance, even without a breach, can result in monthly fines from our merchant service providers. Your ability to accept credit cards as a payment method can be revoked by the University and/or our merchant service providers.


Annual Obligations

University Departments/Responsible Persons

• Complete PCI DSS Compliance Awareness Training annually. This training will be made available via Skillport.

• Complete appropriate SAQ(s) certification and maintain PCI compliance annually.

• Review both University and departmental policies annually. Update departmental policy as needed to ensure security of Personally Identifiable Information (PII) at all times. The policy must address data access limitation, data storage, data retention, data disposal, and terminal security.

• Once your departmental policy has been reviewed and updated, all employees involved in credit card processing should review your departmental policy documents annually. The employee should sign and date a copy of your policy acknowledging their review. You should maintain these policy acknowledgments on file. Have new hires complete the acknowledgment as they come on board rather than waiting for your next department wide meeting.

• Update Inventory – Update the list of devices (POS devices, terminals, websites, etc.). For terminals the list should include the make and model of the device, location, and serial number.

– Obtain Student Account Services authorization any time inventory is updated.

• Remove access immediately when an employee leaves, changes roles, or any time access is no longer needed.

• Return equipment that is no longer needed.


Which SAQ should I complete?

The different SAQ types are shown in the table below to help you identify which SAQ best applies to your organization. Depending on your business, you may need to complete more than one SAQ (e.g., if you have a stand-alone terminal and a point of sale system).

SAQ   Description

A     Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

A-EP  E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

B     Merchants using only: • Imprint machines with no electronic cardholder data storage; and/or • Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

B-IP  Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.


SAQ Table (Continued)


Key PCI Issues You Need to Address

• Never store PII data. Such data would include:

– the full contents of any credit card number or track information after authorization. The track information is the data encoded on the magnetic stripe on the back of the card.

– the card verification code (the 3 or 4 digit number printed on the back of the card) or the PIN after authorization.

• Never send or request cardholder information via e-mail, instant messaging, chat, etc. Your written policy should explicitly state that such communications are not allowed. Discourage your customers from providing their information in any of these manners.

• Restrict access to credit card data and equipment to only authorized employees. Your written policy should state that access privileges are assigned based on job classification and function and that such privileges are assigned on a need to know basis.

• The physical location of equipment should not be accessible by the public.

• Only authorized employees should participate in or have access to the credit card settlement processes.

• PII and other sensitive data should not be stored for time periods beyond what is required for business. Most departments have no need to store sensitive credit card data. Any data that is stored must be stored in a secured environment.


What if I need to store credit card information?

• All personal credit card information must be strictly controlled and protected and securely stored for as long as there is a business necessity. Most departments will not have a need to store this data. The PII storage location must be marked to identify it as having this data. We recommend marking it with the label “PII” so it is not readily identifiable as having sensitive data to someone not familiar with your area or process.

• Personal credit card data should never be moved from the department. IF you must transport such data, you must establish secure transport methods and it must be transported in view of a responsible person at all times.

• When the data is no longer needed it must be destroyed with a cross-cut shredder. Other types of shredders are not permitted to be used. These are relatively inexpensive to purchase.


What if I become aware of possible lost or stolen credit card data?

• If a UA customer notifies you of a suspected fraudulent use of their credit card, the department should notify Student Account Services at 205-348-5350.

• If you know of or suspect a breach has occurred, immediately report any suspected security incident to the OIT Information Security Officer (Ashley Ewing – 205-348-6524) as soon as possible.

• If you suspect a breach:

– Do NOT turn device(s) off, but unplug only the network cable. Powering off discards volatile memory and can destroy evidence the incident response team needs; pulling the network cable stops any ongoing exfiltration while preserving that evidence.

– Do NOT make any changes to device(s)!


Primary Causes of PCI Data Breach

• Malicious or Criminal Attacks

• System Glitches or Issues
– Remote access
– Unpatched systems

• Human Error
– Failure to maintain compliance with the PCI DSS requirements
– Unmanned or unattended POS devices
– Using vendor-supplied default passwords and settings
– PCI devices used for non-PCI tasks


Detecting a Suspected Data Breach

The following is a list of things that might raise suspicion that a data breach has occurred:

• Unexpected system reboots or shutdowns
• Suspicious after-hours file system activity, or after-hours activity on POS devices
• Anti-virus programs malfunctioning or becoming disabled for no apparent reason
• Unknown files, software, and/or devices installed on PCI systems, including archived, compressed, or encrypted files in system directories
• Unexplained modification or deletion of data
• Excessive failed login attempts
• Unexplained user accounts
• Unknown or unexpected network traffic

Again, if you know or suspect a data breach has occurred, immediately report any suspected security incident to the OIT Information Security officer (Ashley Ewing – 205-348-6524) as soon as possible.
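Several of the indicators in the list above (after-hours activity on POS devices, anti-virus being disabled, unknown software, excessive failed logins, unexplained accounts, unexpected reboots) can be checked automatically if POS hosts send their event logs to a central collector. The following is an added example, not part of the training material and not code from UA or any terminal vendor: it runs a simple check over a few constructed log lines in an assumed "timestamp host EVENT key=value" format. The business hours, host names, known accounts and approved software list are all assumptions a department would replace with its own values.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample log lines for illustration only (not real UA or POS vendor logs).
# Assumed format: "<ISO timestamp> <host> <EVENT> key=value ..."
SAMPLE_LOGS = """\
2024-03-04T09:12:01 POS-01 LOGIN_OK user=cashier1
2024-03-04T09:15:44 POS-01 LOGIN_FAIL user=admin
2024-03-04T09:15:50 POS-01 LOGIN_FAIL user=admin
2024-03-04T09:15:55 POS-01 LOGIN_FAIL user=admin
2024-03-04T09:16:01 POS-01 LOGIN_FAIL user=admin
2024-03-04T09:16:07 POS-01 LOGIN_FAIL user=admin
2024-03-04T13:02:10 POS-02 SERVICE_STOP name=antivirus
2024-03-04T23:41:33 POS-02 LOGIN_OK user=svc_tmp
2024-03-04T23:43:12 POS-02 SOFTWARE_INSTALL pkg=rdp-helper
2024-03-05T02:10:00 POS-02 SYSTEM_REBOOT reason=unknown
2024-03-05T10:00:00 POS-01 SYSTEM_REBOOT reason=scheduled
"""

# Assumed site parameters (hypothetical values): business hours, which hosts are
# POS devices, which accounts are expected, and which software is approved.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
FAILED_LOGIN_THRESHOLD = 5
POS_HOSTS = {"POS-01", "POS-02"}
KNOWN_USERS = {"cashier1", "cashier2", "admin"}
APPROVED_SOFTWARE = {"pos-app", "antivirus"}


def parse_line(line):
    """Split one log line into a record; trailing key=value items become a dict."""
    ts, host, event, *rest = line.split()
    detail = dict(item.split("=", 1) for item in rest if "=" in item)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, "detail": detail}


def is_after_hours(ts):
    """True when the timestamp falls outside the assumed business hours."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_indicators(log_text):
    """Return (indicator, host, note) tuples for the breach indicators in the training list."""
    alerts = []
    failed_logins = Counter()  # (host, user) -> consecutive failure count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host, event, detail = rec["host"], rec["event"], rec["detail"]

        # Any activity on a POS device outside business hours is itself an indicator.
        if host in POS_HOSTS and is_after_hours(rec["ts"]):
            alerts.append(("after_hours_pos_activity", host, f"{event} at {rec['ts'].isoformat()}"))

        if event == "LOGIN_FAIL":
            key = (host, detail.get("user", "?"))
            failed_logins[key] += 1
            if failed_logins[key] == FAILED_LOGIN_THRESHOLD:  # alert once per burst
                alerts.append(("excessive_failed_logins", host, f"user={key[1]}"))
        elif event == "LOGIN_OK" and detail.get("user") not in KNOWN_USERS:
            alerts.append(("unexplained_user_account", host, f"user={detail.get('user')}"))
        elif event == "SERVICE_STOP" and detail.get("name") == "antivirus":
            alerts.append(("antivirus_disabled", host, "antivirus service stopped"))
        elif event == "SOFTWARE_INSTALL" and detail.get("pkg") not in APPROVED_SOFTWARE:
            alerts.append(("unknown_software", host, f"pkg={detail.get('pkg')}"))
        elif event == "SYSTEM_REBOOT" and detail.get("reason") != "scheduled":
            alerts.append(("unexpected_reboot", host, f"reason={detail.get('reason')}"))
    return alerts


def summarize(alerts):
    """Count alerts per indicator name."""
    return Counter(name for name, _, _ in alerts)


if __name__ == "__main__":
    for name, host, note in find_indicators(SAMPLE_LOGS):
        print(f"{name:26} {host:7} {note}")
```

Each alert is only a reason to look closer; the action on any of them is the one the training gives, which is to report the suspected incident to the OIT Information Security Officer and leave the device running with only its network cable unplugged.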


Terminal Security Training


Credit Card Terminal Security – Why is it important to you?

• It’s required under PCI 3.2. UA merchants have an obligation to ensure their respective payment systems and infrastructures are secure.

• You are the first line of defense for point of sale fraud and are involved in the execution of the vast majority of controls suggested or required by PCI DSS.


Terminal Security

• Terminals can be compromised by skimming processes or data-logging processes. They may also be stolen or have data stolen when they are unsecured and unattended.

– Data-logging is the process of collecting and storing data over a period of time in order to analyze specific trends or record the data-based events/actions of a system, network or IT environment. It enables the tracking of all interactions through which data, files or applications are stored, accessed or modified on a storage device or application.

• What is Skimming?

– The unauthorized capture and transfer of payment data to another source for fraudulent purposes. Stolen data is encoded on counterfeit cards and used to purchase goods and make withdrawals without the knowledge or consent of the cardholder. Stolen data may also be used to purchase goods and services online or by phone.

• Simply put, skimming is stealing credit card information to use for fraudulent purposes.

• Types of skimming:

1. Capture cardholder payment data within payment infrastructure
2. Capture cardholder payment data using malicious software
3. Capture cardholder payment data by intercepting from wireless network, near field communications, or mobile devices


Targets – Unattended Terminals

• Merchants that have unattended payment terminals are prime targets for intrusive-terminal and terminal-infrastructure attacks.

• Criminals will also target multi-lane retailers where, during less busy periods, not all lanes are used and terminals are effectively left unattended.

• Criminals will steal terminals and compromise them, then return them to their original location.


Targets – Unattended Terminals

There have been cases where criminals have:

• Stolen terminals from desks not in use

• Broken into a store and taken only terminals

• Broken into a store and compromised terminals

• Hidden in a store until closed and compromised terminals overnight

• Installed malware while posing as a serviceman

• Shipped compromised terminals to merchants under the guise of a terminal upgrade

• Added overlays with skimming and key-logging hardware


How to Protect Your Terminals

• Verify the identity of any third-party persons claiming to be repair or maintenance personnel prior to granting them access to modify or troubleshoot devices. Such persons should be cleared by Student Account Services, and you should have prior notice from Student Account Services before you allow access to your devices.

• Mike Harris in Student Account Services will retrieve your terminal should it need repairs. Contact Student Account Services IMMEDIATELY should anyone ask to perform maintenance on your terminals. Feel free to ask Mike for photo identification to verify his identity.

• Do not install, replace, or return terminals without verification from Student Account Services. Mike Harris in Student Account Services will install or replace any terminals.

• Be aware of ANY suspicious behavior around devices (for example, an unknown person attempting to unplug or open devices).

• Report any suspicious behavior and indications of device tampering to Student Account Services IMMEDIATELY.

• Inspect your terminals for indications of tampering or substitution on a regular basis.


Terminal Inspections – Why Is It Necessary and How Often Should I Do It?

Why?

• The best way to detect either tampering with or substitution of your terminals is through regular inspections.

• Regular inspections will help you to more quickly detect tampering or replacement of a terminal, thereby minimizing the potential impact of fraudulent devices.

How Often?

• Review terminals for signs of tampering on a DAILY basis. A best practice would be to quickly inspect at the beginning of the day, the beginning of each shift, etc.

• If your terminals are not used on a daily basis, perform inspection every day that they are used.


Terminal Inspections

• Terminals will have a sticker attached to the underside, which provides details of the product and will include a serial number. Most terminals will also have a method of displaying the serial number electronically.

• BEST PRACTICE - As part of regular checks, note the serial number on the back of the terminal and check this against the electronic serial number. Instructions as to this process for First Data terminals are to be provided by Mike Harris.

• Additionally, run your finger along the label to check that it is not hiding a compromise.


Terminal Inspections

• Terminals often have security stickers or company stickers placed over screw holes or seams that will act as indicators if the case has been opened.

• Criminals often remove these labels when compromising terminals and may replace them with their own printed versions.

• When you first receive a terminal, make note of label position, color, and materials used. Taking a picture of the device is a good practice.

• Also look for any signs that the label may have been removed or tampered with.


Terminal Inspections

• Be aware of overlays. An overlay can be a small sticker that forms to the device and covers the keyboard area.

• Overlays may hide damage due to tampering or wires that allow keyboard logging. Overlays should not be used.

• In the picture to the right the overlay is concealing a wire used to skim data.


Terminal Inspections

• Changes to terminal connections can be difficult to spot.

• In these images, the criminals completely changed the cable used to connect to the base unit.

• This was to incorporate the additional wires required to capture card data.


Terminal Inspections

• Skimming devices hidden within the terminal will not be visible, and neither you nor the cardholder will know that the card has been skimmed.

• The picture shows a skimming device inserted into a terminal. This would have been hidden by the SIM card cover plate.


Best Practices for Protecting Your Terminal(s)

• If the terminal will not be used for an extended period of time, store it in a locked, secure location (example: a locked file drawer).

• Design your payment location with intent to control customer access to payment technology and payment location.

• Be aware of any suspicious behavior of customers and report tampering or substitution of devices IMMEDIATELY to Mike Harris (348-0628) or Charles Poole (348-5350) in Student Account Services.


Your Departmental Security Policy

• In addition to UA’s overall Credit Card Policies, your department will need to develop, and disseminate, its own security policy specific to your department’s business practices. Student Account Services can provide guidance when developing your policy. Please refer to this link http://fawp.ua.edu/policies/wp-content/uploads/sites/4/2015/08/PCI-Compliance-Policy-for-Credit-Card-Security.pdf to see a copy of the policy enforced within the Student Account Services Office.

• Every department must review their specific policy on at least an annual basis and update it if there are changes in their credit card environment. For example, if your original policy addressed credit cards that are processed via a standalone terminal, and then in the following year you added a website that takes credit cards, your policy would need to reflect both in-person and online credit card transactions.

• All employees involved in credit card processing should review your departmental policy documents annually. The employee should sign and date a copy of your policy acknowledging their review. You should maintain these policy acknowledgments on file. Have new hires complete the acknowledgment as they come on board.

• Be sure to include terminal security documentation in your policy, as these requirements were added in the most recent version of PCI DSS. Again, see the Student Account Services policy for an example as to wording.

• Departmental personnel should also review Student Account Services credit card policies documented on the Student Account Services web page. All personnel involved in credit card processing should be aware of this policy and review it regularly.

• Please click on the following link to review UA’s Credit Card Policies. Once you’ve reviewed this website, you will be ready to begin drafting your department’s own ‘Credit Card Policies and Procedures.’ https://studentaccounts.ua.edu/information-for-departments/


Training Verification

• For each merchant, every employee involved in the processing of cardholder data must complete PCI Compliance Awareness Training.

• Training will be made available via Skillport. Student Account Services will inform you when the training is available.

• Please note, while you may have all of your employees involved in credit card processing complete the awareness training at one time (for example, during the month of March), be sure to have new hires involved in credit card processing complete the training soon after their hire date, rather than waiting until your next training period.