PCI/PII Awareness Training Ben Jordan Security Specialist
Credit Card Security: Chip Cards • The chip contains a cryptographic key for authentication • Downfall Online transactions do not require any authentication from the chip • Chip information is the same as the magnetic stripe information
Credit Card Security: Chip Cards • Vulnerabilities • Unencrypted data is sent between chip reader and processor • Credit card number, name and expiration date captured • People still using non-chip based cards • Skimmers being used to capture chip data
What is PC I-DSS? Payment Card Industry Data Security Standards • Launched in December, 2004 • Security standards designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment . • Adoption of consistent data security measures worldwide
Importance of PC I • The college has an obligation to students, vendors, alumni, faculty and staff to keep account information secure for credit card payments • Customer information can include: magnetic strip data, expiration date, pins, card security code, and other personal information • Departments handling card data should have policy and procedures in place to ensure security and compliance
Importance of C ompliance Continued due diligence is required with regard to PCI Compliance. Penalties for a breach: • Significant fines per incident • Increased audit requirements • Loss of business • Costs due to security investigations
C heck the security of the payment terminal • Only use authorized payment terminals • Look for skimmers and other signs of tampering • Report signs of tampering or damage immediately
Payment terminal security recommendations • Discontinue use of the terminal if an issue is found; report any issues found immediately • Look at the PIN Pad and verify that nothing looks abnormal (e.g. cover over terminal or skimmer unordinary sticking out of the reader • Store any handheld payment terminals in a locked area (e.g. desk, office) or lock facility where key access is managed
Always use strong passwords on applications that accept cards • Follow security policies at all times • Do not share or reuse passwords • Longer passwords are stronger • Only used approved payment processing applications • Never use vendor default username and passwords
Can you spot the skimmer?
Always keep the card where the customer can see it • Place the card on the counter or register if you need • Do not place the card in the cash drawer • Do not leave the payment terminal unattended during a transaction
• Only employees who have a legitimate business need to access cardholder information/systems • Access control/access reviews • Store no more than the last four numbers of the credit card number but if possible do not store at all • For any payment received over the phone it should be entered directly into the terminal or application and not written down
Do NOT ask the customer for their PIN
Always use authorized forms to take payments • Store forms and receipts in a secure location within retention policy • Only use approved forms to write down payment information • Documents with credit card numbers should be shredded after use or before storage or heavily redacted so it does not display the credit card number
If you can avoid it do not store any credit card information!
Destruction of card data Documents • Tear away the cardholder data • Shred the cardholder information IMMEDIATELY!
NEVER send credit card information in pictures, e- mail, text or other end user messaging technologies! If it is received, delete it IMMEDIATELY!!
Do NO T share credit card information outside of the college
• If writing down a credit card number it should be on an authorized form • All payment receipts should be securely stored • All credit card information must be destroyed after use
Report security concerns and potential incidents immediately!
Securely handling Personally Identifiable Information (PII) • PII is information to uniquely identify a person (Name and SSN, Name and Account Number) • PII should only be stored in approved applications and systems • PII should only be shared on a need-to-know basis • Do not use SSNs as a unique or account identifier • Do not share account access to applications containing PII
Securely handling Personally Identifiable Information (PII) • Do not send PII through email or other insecure means where possible encrypt data • Consider the risk of storing or downloading data outside of applications/systems • Protect hard copy information containing PII lock desks and cabinets restrict access • Be aware of emails or phone calls requesting PII or for data containing PII
• Federal laws apply to how higher education institutions collect and use data • FERPA protection of student education records • HIPAA protection of health records • GLBA protection of consumer financial information • Red Flags Rule awareness for signs of identity theft
Red Flags Rule • The FTC issued a set of rules and guidelines to detect and prevent identity theft • While not a financial institution, the college may be seen as a creditor • Could impact departments like Admissions, Financial Aid, Human Resources, Finance, etc.
Red Flags Rule • • Common Examples: • Bookstore accounts • Accounts Receivable • Employment accounts • Student accounts receivable • Keep in mind each Department is unique and has different accounts and may need different ways to deal with identity theft • Compliance is broken into a 4-step process
Red Flags Rule Step 1: Identify Red Flags • Notification and warnings from credit reporting agencies • Suspicious documents • Suspicious personal identifying information (PII) • Suspicious account activity or use of account • Alerts from others • The Rule does not require any specific practice to verify identity.
Red Flags Rule Step 2: Detect Red Flags • Verifying identity of individual opening an account (such as requesting photo ID) • Authenticating users of the account (verifying birth date or class schedule or phone number) Also monitoring and verifying validity of account changes
Red Flags Rule Step 3: Prevent and Mitigate • Any potential issues should be escalated immediately to your manager/supervisor • Further steps that can be taken: • Continue to monitor account for identity theft • Contact individual • Change authentication to accounts (username/passwords) • Provide new authentication (account code, username/password) • If computer system may be impacted contact IT for support • Ensure destruction of documentation with sensitive information
Red Flags Rule Step 3: Update The Program • As identity thieves change tactics and methods the Rule requires you make updates to any internal procedures to detect, prevent and mitigate identity theft.
Recommend
More recommend
