PCI DSS Payment Card Industry Data Security Standards

WKU PCI DSS Training


PCI DSS Payment Card Industry Data Security Standards

Why is PCI DSS Important to Me?

You are responsible for the security of the credit card information you process.

■ PCI training must be completed annually by any employee with access to credit card information.

■ Failure to comply with WKU’s policies and procedures governing PCI compliance may result in disciplinary action, up to and including termination.

What is PCI DSS?

■ Payment Card Industry Data Security Standards

■ PCI DSS gives companies a framework for processing credit card information in a secure environment.

Source: https://www.pcisecuritystandards.org/pci_security/

Impact of a Security Breach at WKU

■ Fraud losses

– WKU could be liable for funds stolen by criminals due to noncompliance with PCI standards.

■ Fines & penalties

– Fines of $10,000 to over $500,000 per incident may be charged for violations of PCI DSS.

■ Legal fees, settlements and judgments

■ Reputation Damage

– Possibly the most significant of all, reputation damage will affect the entire WKU campus and surrounding community.

“Most organizations never fully recover from data breaches because the loss is greater than the data itself.” QSR Magazine via https://www.pcisecuritystandards.org.

Failure to Comply with PCI Standards

Failure to comply with PCI standards may result in:

■ Disciplinary action for any person involved, up to and including termination.

■ Department’s loss of credit card acceptance privilege, which could lead to a loss in sales.

■ Departmental responsibility to pay fines of $10,000 to over $500,000 per incident for violations of PCI DSS.

“Smart Grid Cyber Security” by JacksonClerk licensed by CC

What is Sensitive Data?

■ Sensitive data includes any payment card information that may be used by criminals to steal a cardholder’s identity.

■ Sensitive payment card information that must be protected from criminals includes:

– Primary Account Number (PAN)

– Card expiration date

– 3- or 4-digit security number (known as CVV, CVC, CID or CAV)

– Full magnetic stripe data (also called Track 1 or Track 2 data)

– Card chip data

Sensitive Payment Card Data

Source: https://www.pcisecuritystandards.org/2015/images/cc-data.jpg

Card Data Use, Storage & Disposal

■ NEVER store credit card data electronically! This would require additional security measures for WKU merchants.

■ All credit card information temporarily recorded on paper should be processed and destroyed immediately after authorization.

■ Sensitive credit card information must be disposed of via immediate shredding or placement in a secure (locked) shred bin.

Paper Card Data Storage

■ Certain types of credit card data may be stored in paper form if a business purpose for keeping the document exists. However, the following security measures must be taken:

– Redact / mark out completely all but the last four digits of the primary card number immediately after authorization.

– Documentation should be kept in a locked location with access limited only to authorized personnel.

■ Certain types of data should never be stored, even in paper form.

– Full magnetic stripe data (also called Track 1 or Track 2 data)

– 3- or 4-digit security number (known as CVV, CVC, CID or CAV)

– PIN / PIN block
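The redaction rule above (keep only the last four digits of the primary card number) is easy to get wrong by hand on a form that also carries order or phone numbers. The following is an added example, not part of the WKU training material: it finds candidate PANs in free text, confirms each with the Luhn check so ordinary numbers are left alone, and masks everything but the last four digits while preserving the original spacing. The sample note is constructed and uses a well-known test card number.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample record; 4111 1111 1111 1111 is a common test number, not a real card.
SAMPLE_NOTE = ("Order 1234567890123 paid with 4111 1111 1111 1111, "
               "exp 12/26, phone 270-745-0000")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all digits except the last `keep_last` with 'X'; separators are kept."""
    remaining = sum(ch.isdigit() for ch in pan)
    out = []
    for ch in pan:
        if ch.isdigit():
            out.append(ch if remaining <= keep_last else "X")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in `text`; other digit runs are returned unchanged."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(raw) if luhn_valid(digits) else raw
    return _PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print(redact_pans(SAMPLE_NOTE))
```

The order number fails the Luhn check and the phone number is too short to be a PAN, so only the card number is masked; this is the same outcome the paper-redaction rule requires before a document is filed.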

Data Transmission

■ NEVER release credit card information for any reason.

■ NEVER transmit credit card data through electronic messaging technology, such as email or text messages.

■ If you receive sensitive information via email or text:

– Open a NEW email or text and respond to the sender to inform them that credit card information sent in this manner may lead to the information being compromised.

– Ask them to submit the card information using a secure method – in person, by mail, via phone, fax, etc.

– DELETE all records of the email or text.

Security of Card Processing Equipment

■ Only authorized WKU personnel should have access to the terminal and credit card machine.

■ NEVER allow access to the credit card machine or terminal to any individual claiming to be a repairman, bank representative, etc.

– Contact the WKU Information Security department to report the incident IMMEDIATELY.

■ Inspect the credit card machine daily and IMMEDIATELY report anything unusual about the device to the Information Security department.

– Criminals may attach a skimmer to a card reader to steal sensitive data.

– DO NOT USE the machine if it appears to have been altered in any way.

Reporting Requirements

■ Any incident which may have resulted in sensitive credit card information being compromised must be reported IMMEDIATELY to the WKU Information Security team, even if the incident happened after business hours or on the weekend.

■ TO REPORT AN INCIDENT:

– Visit https://www.wku.edu/it/security/

– Click on the “Report an Incident” button

– Select “Continue to Incident Reporting Form” button

– Input all required information

– Select “Suspected sensitive data exposure” as the incident type

– State the facts clearly in the message

– Submit form

Information Security Reporting Example

Dedicated Use of Machines

■ Any computer used to process credit card payments must be used for that purpose only. Connecting to the internet through other applications, such as Facebook or email, may place the machine at risk for a security breach.

■ New computer terminals must be reported to the WKU Information Technology Department for inspection and approval prior to installation.

■ Computers may be taken offline if noncompliant with PCI security standards.

Computer Software & Security Scans

■ Never download software on a computer dedicated to processing credit card transactions.

■ Do not use unauthorized software to process credit card transactions, such as Square, etc.

■ All computers are subject to a PCI quarterly scan by the WKU IT department.

"Cyber Security at MoD" by Defence Images licensed under CC