Training for individuals involved in the processing of merchant card payments ( card and transactions) on behalf of the campus.

Applies to:
• Full and part-time employees
• Temporaries
• Consultants
• Contractors
• Volunteers

June 1, 2015

Training Objectives
• What are the PCI-DSS Standards?
• What is PCI Compliance?
• What is Cardholder Data?
• Applicability of PCI-DSS
• What Is the Importance of PCI Compliance?
• Twelve Requirements of PCI-DSS
• Personal Responsibility
• PCI Data Awareness Training
• Best Practices - Dos and Don’ts
• Behind the Scenes
• Card Brands’ Identification Features
• Chip and PIN
• Next Steps

What are the PCI-DSS Standards?
• The Data Security Standards (PCI-DSS) are requirements of the merchant card brands (Visa, MasterCard, Discover, , JCB)
• PCI-DSS were created on behalf of the brands by the PCI Security Standards Council
• The goal of PCI-DSS is to protect cardholder data

What is Cardholder Data?
• Cardholder data to be protected includes:
  • Cardholder’s name
  • Primary account number (PAN)
  • Expiration date (month/year)
  • Track data (on the magnetic stripe)
  • Security code / Card Verification Value (CVV)
  • PIN (debit cards only)

• Cardholder data can be in:
  • Paper form, or
  • Electronic form

Applicability of PCI-DSS
• PCI-DSS apply to anyone who does any one of the following:
  • Stores
  • Processes, or
  • Transmits cardholder data
• PCI-DSS apply to all forms of payment card acceptance:
  • Phone
  • Fax
  • Point-of-sale
  • Online (Web)

What Is the Importance of PCI Compliance?
• As a merchant accepting card payments, the campus must be in compliance with the PCI-DSS standards at all times
• The campus has to periodically attest its compliance to appropriate parties
• The campus’s failure to be compliant can result in:
  • Damage to the campus’s reputation and adverse publicity
  • Potential fines – up to $1 million per occurrence
  • Costs associated with forensic investigations and notifying customers
  • Inability of the campus to continue to accept card payments
  • Employee disciplinary actions

Twelve Requirements of PCI-DSS
Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
Although some of the requirements apply to the campus’s IT staff, many of the requirements apply to the campus’s business staff.

Personal Responsibility
• As an employee, contractor, student, or volunteer who interacts with data, you are the first line of defense against fraud and security breaches

• You are expected to be aware of the campus’s policies and procedures and to be ever vigilant when interacting with payment card data and credit card transactions

PCI Data Security Awareness Training
• You are required to complete training and attest to the training:
  • Upon hire or initial engagement, and
  • Annually, as refresher training
• Through your continued vigilance and implementation of PCI standards, you assist the campus in being PCI compliant

Best Practices
• Adherence to best practices by individuals will assist the campus in being PCI compliant
• The following slides contain practices that should be followed and practices that should be avoided

Credit Card Receipts
• Ensure credit card receipts are stored securely

• Ensure that card receipts are disposed of by shredding in accordance with campus policy

Truncate PANs
• Verify that both the campus and customer card receipts bear only truncated versions of the primary account number (PAN)
• Only the last four digits should be displayed

Example: XXXX-XXXX-XXXX-9534

Physical Protection of Devices
• A new requirement of PCI-DSS (Version 3.0) requires the campus to institute procedures to periodically inspect devices physically for fraudulent skimmers that may be attached to them, and to check for fraudulent substitution by verifying the serial numbers of the devices.
• Devices include POS terminals, kiosks, and PCs used in processing card transactions
• Training of employees includes:
  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel
  • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
  • Inspect POS terminals and devices at the beginning of each shift for tampering

Physical Security of Card Media
• Do not leave any paper or electronic card media physically unsecured

• Restrict physical access to areas where cardholder data is handled and stored

• Only allow employees who have a legitimate business need to access cardholder information

• Do not have card receipts or related documents on display to the general public

• Visitors in areas where cardholder data is stored must be identified and escorted, with a visitor’s log being maintained

Email Containing PANs
• Do not send any unencrypted emails containing the full primary account number (PAN). The truncated last four digits are okay to send.
• Do not process a payment based on information received by email.
• Should you receive an email containing a PAN:
  • Delete the email immediately
  • Do not print or forward the email
  • Notify the customer that you are unable to process the payment
• These restrictions also apply to instant messaging and chats

Two Types of Account Data
There are two types of Account Data:
• Cardholder Data
• Sensitive Authentication Data
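The Truncate PANs and Email Containing PANs slides above describe two handling rules: only the last four digits of a PAN may ever appear on a receipt, and a full PAN must never travel in unencrypted email. The Python below is an added example, not part of the training deck, showing how a mail filter or receipt printer could enforce both rules: it finds full card numbers in free text using a digit-run pattern plus the Luhn checksum that every real PAN satisfies (a property of card numbering, not something the slides state), and masks them to the slide’s XXXX-XXXX-XXXX-9534 format. The sample email body is constructed, the card numbers in it are public test numbers rather than real accounts, and the function names and regular expression are my own choices.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, bounded by non-digits so that phone numbers and order numbers are
# not swallowed into a longer run. (Limitation: a PAN followed by another
# digit group with only a space between them is read as one candidate.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum that
    every payment card PAN satisfies; filters out most non-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def find_pans(text: str) -> List[str]:
    """Return the full PANs (digits only) found in free text such as an email body."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Mask all but the last four digits, grouped in fours from the right,
    in the XXXX-XXXX-XXXX-9534 style shown on the Truncate PANs slide."""
    digits = _digits_only(pan)
    masked = "X" * (len(digits) - 4) + digits[-4:]
    groups = []
    end = len(masked)
    while end > 0:
        groups.insert(0, masked[max(0, end - 4):end])
        end -= 4
    return "-".join(groups)


def redact_message(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in the text with its truncated form.
    Returns the redacted text and the number of PANs replaced."""
    count = 0

    def replace(m):
        nonlocal count
        digits = _digits_only(m.group())
        if luhn_valid(digits):
            count += 1
            return truncate_pan(digits)
        return m.group()          # not a PAN: leave the original text alone

    return PAN_CANDIDATE.sub(replace, text), count


# Constructed sample email; 4111 1111 1111 1111 is a public Visa test number.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111, exp 12/27, for order 20150601123.\n"
    "Call me on 919-555-0100 if there is a problem.\n"
)

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_EMAIL))
    redacted, n = redact_message(SAMPLE_EMAIL)
    print(f"{n} PAN(s) masked:\n{redacted}")
```

The Luhn check is what keeps the phone number and order number in the sample from being flagged; a filter that matched on digit count alone would produce constant false positives on exactly the kind of mail a business office receives. Masking is grouped from the right so that a 15-digit Amex number still ends in a clean four-digit group.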

Note that the data elements designated as sensitive authentication data can never be stored by the campus

Security ID Codes
• Each of the card brands assigns a unique security code to each card issued
• For Amex, it is a four-digit number located on the front of the card
• For all other brands, it is a three-digit number located on the back
• The code is referred to by different names and may be called the card verification value or ID (CVV, CVV2, CID)
• The Security ID Code is considered “sensitive authentication data”

• Never write down, store, or email the security ID code

• The code is a fraud tool to prove the customer is in physical possession of the card. Keeping a record of the code defeats the purpose of the code.

• If provided to you, the number is only to be retained until the authorization has been approved by the card processor

• The potential fine levied by Visa for storing sensitive authentication data after authorization, such as CVV or PIN (in the case of a debit card), is $50,000

Passwords
• Adhere to the campus’s policy regarding the creation of strong passwords and the frequent changing of passwords
• Do not write down passwords for others to find, or share your password
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Ensure that vendor default passwords are changed before a system goes live

Social Engineering
• Social engineering is a non-technical method of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures
• Adhere to the campus’s security procedures pertaining to the use of computers, responding to emails, and visiting inappropriate
• Examples of social engineering include:
  • Phishing – emails appearing to be from a known person or asking for confidential information
  • Shoulder surfing – individuals looking over your shoulder to observe confidential information
  • Tailgating – individuals seeking entry to a restricted area
  • Dumpster diving – individuals looking for confidential information in your trash (e.g., a sticky note with a password, discarded reports, etc.)
  • Remote access – individuals seeking to control your computer remotely

Service Providers
• The campus may use third-party service providers to facilitate the processing of merchant cards
• Campus management assumes the role of verifying that these providers are PCI compliant
• Should you become aware that one of these service providers is not adhering to one of the PCI requirements, you should notify management
• Service providers include the merchant card processor, as well as any gateway that processes online payments

Payment Applications
• The campus may use various payment applications to process card-present transactions, as well as mail orders and telephone orders (MOTO)
• Examples include POS software and Virtual Terminals
• Campus management assumes the role of verifying that these applications are PCI compliant (validated) before purchasing
• You must also follow the vendor’s implementation guide when using these applications in order to maintain the PCI compliance status:
  • Do not use the default password
  • Do not deactivate anti-virus protection
  • All updates must be applied in a timely manner

Security Incident Reporting
• The campus has a security incident reporting plan
• Your role in this plan may vary, but will include:
  • Notifying your supervisor immediately of any suspected or real security breach or of stolen cardholder data
  • Documenting any information you know while waiting for a response to the incident, including the date, time, and nature of the incident
• In the case of a network environment:
  • Do not access or alter compromised systems
  • Do not turn the compromised machine off
  • Isolate compromised systems from the network
  • Preserve logs and electronic evidence
  • Log all actions taken
• All incident reporting by campus management is to be conducted through the Office of State Controller, not directly to any card brand

Behind the Scenes
• Various departments and staff within the campus have certain responsibilities pertaining to PCI compliance, in addition to you as an individual
• Examples:
  • IT staff are involved with firewall management, encryption, penetration testing, vulnerability scanning, log management, antivirus software updates, etc.
  • The business office staff are involved in monitoring service providers’ PCI compliance, ensuring that all POS software acquired is PCI compliant, completing self-assessment questionnaires, etc.
• The campus utilizes a PCI Qualified Security Assessor (QSA) firm, Coalfire, to assist in its PCI compliance efforts

Card Brands’ Identification Features
• In addition to PCI-DSS requirements, each card brand has certain card identification and fraud detection features which you should be aware of
• Examples include:
  • Uniqueness of the brand’s 4-digit Identification Number (BIN)
  • Location of the brand’s security code (card ID number)
    • Visa, MC, and Discover are 3-digit on the back; Amex is 4-digit on the front
  • Location of the card’s expiration date
  • Number to call for a suspicious card (Code 10 authorization)
• The following four slides depict each brand’s features
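The slide above says a card’s brand can be recognised from its identification number and that the security code is three digits on the back for Visa, MasterCard and Discover but four digits on the front for Amex. As an added example (not from the training deck), the Python below turns that into a lookup a payment form or clerk-facing tool could use: it identifies the brand from the PAN’s leading digits and reports how many security-code digits to expect and where they sit, so a mismatch can be caught before a transaction is keyed. The prefix ranges are assumed from the publicly documented issuer ranges, which the slide does not list, and the example goes beyond the slide’s four brands by adding JCB and MasterCard’s newer 2-series range. All card numbers used are public test numbers.

```python
import re
from typing import Dict, Optional

# Assumed prefix rules (a subset of the public issuer identification ranges;
# the slide only states that each brand's number is unique). Each row gives
# the brand, a pattern for its leading digits, the PAN lengths it issues, and
# the security-code length and location as stated on the slide.
BRAND_RULES = [
    ("American Express", re.compile(r"3[47]"), {15}, 4, "front"),
    ("Visa", re.compile(r"4"), {13, 16, 19}, 3, "back"),
    # 51-55, plus the 2221-2720 range introduced later
    ("MasterCard", re.compile(r"5[1-5]|2(?:22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)"),
     {16}, 3, "back"),
    ("Discover", re.compile(r"6011|65|64[4-9]"), {16, 19}, 3, "back"),
    ("JCB", re.compile(r"35(?:2[89]|[3-8]\d)"), {16, 19}, 3, "back"),
]


def identify_brand(pan: str) -> Optional[Dict[str, object]]:
    """Return the brand and its security-code expectations for a PAN,
    or None if the leading digits or length match no known brand."""
    digits = re.sub(r"\D", "", pan)
    for brand, prefix, lengths, code_len, code_side in BRAND_RULES:
        # re.match anchors at the start, so only leading digits are tested
        if prefix.match(digits) and len(digits) in lengths:
            return {"brand": brand, "code_length": code_len, "code_location": code_side}
    return None


def security_code_fits(pan: str, code: str) -> bool:
    """True when the supplied security code has the length the PAN's brand uses."""
    info = identify_brand(pan)
    return info is not None and code.isdigit() and len(code) == info["code_length"]


if __name__ == "__main__":
    # Public test numbers only; none of these is a live account.
    for sample in ("3782 822463 10005", "4111 1111 1111 1111",
                   "5500 0000 0000 0004", "6011 0000 0000 0004", "1234 5678 9012 3"):
        info = identify_brand(sample)
        if info is None:
            print(f"{sample}: no known brand")
        else:
            print(f"{sample}: {info['brand']}, expect a {info['code_length']}-digit "
                  f"code on the {info['code_location']} of the card")
```

A clerk taking a telephone order could use the reported length and location to ask the customer for the right code, and the length check gives a payment form an early, non-sensitive validation step that never requires the code itself to be stored.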

Chip and PIN Technology
• The campus may be acquiring new POS terminals that incorporate new security features – Chip & PIN (aka EMV)
• The new technology involves processing cards that bear an embedded chip instead of a magnetic stripe
• The POS terminals will be able to process the new Chip and PIN cards as well as the old magnetic stripe cards
• The POS terminals may be stand-alone, or they may have a reader device that is attached to the swipe POS terminal

Next Steps
• You have completed the first step of your PCI Security Awareness Training
• The second step is to complete a quiz to test your understanding of this training module
  • You must score a grade of 80 percent or better to pass
• The third step is to obtain and read the campus’s PCI Data Security Policy for Business Users
  • You may be provided additional procedures that are specific to your job duties (e.g., telephone orders, POS terminals, online orders, etc.)
• The fourth step is to obtain the certificate of completion of training:
  • Indicating you have passed the quiz
  • Acknowledging your receipt of the campus’s PCI Data Security Policy
• This training is good for one calendar year after you pass the quiz