PCI/PII Awareness Training - Ben Jordan, Security Specialist (PowerPoint PPT Presentation)

SLIDE 1

PCI/PII Awareness Training

Ben Jordan Security Specialist

SLIDE 2

Credit Card Security: Chip Cards

  • The chip contains a cryptographic key for authentication
  • Downfall: online transactions do not require any authentication from the chip
  • Chip information is the same as the magnetic stripe information

SLIDE 3

Credit Card Security: Chip Cards

  • Vulnerabilities:
  • Unencrypted data is sent between the chip reader and the processor
  • Credit card number, name and expiration date captured
  • People still using non-chip based cards
  • Skimmers being used to capture chip data

SLIDE 4

What is PCI-DSS?

Payment Card Industry Data Security Standards

  • Launched in December 2004
  • Security standards designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment
  • Adoption of consistent data security measures worldwide

SLIDE 5

Importance of PCI

  • The college has an obligation to students, vendors, alumni, faculty and staff to keep account information secure for credit card payments
  • Customer information can include: magnetic stripe data, expiration date, PINs, card security code, and other personal information
  • Departments handling card data should have policies and procedures in place to ensure security and compliance

SLIDE 6

Importance of Compliance

Continued due diligence is required with regard to PCI compliance. Penalties for a breach:

  • Significant fines per incident
  • Increased audit requirements
  • Loss of business
  • Costs due to security investigations

SLIDE 7

Check the security of the payment terminal

  • Only use authorized payment terminals
  • Look for skimmers and other signs of tampering
  • Report signs of tampering or damage immediately

SLIDE 8

Payment terminal security recommendations

  • Discontinue use of the terminal if an issue is found; report any issues found immediately
  • Look at the PIN pad and verify that nothing looks abnormal (e.g. a cover over the terminal or a skimmer sticking out of the reader)
  • Store any handheld payment terminals in a locked area (e.g. desk, office) or a locked facility where key access is managed

SLIDE 9

Always use strong passwords on applications that accept cards

  • Follow security policies at all times
  • Do not share or reuse passwords
  • Longer passwords are stronger
  • Only use approved payment processing applications
  • Never use vendor default usernames and passwords

SLIDE 10

Can you spot the skimmer?

SLIDE 11

Always keep the card where the customer can see it

  • Place the card on the counter or register if you need to
  • Do not place the card in the cash drawer
  • Do not leave the payment terminal unattended during a transaction

SLIDE 12

  • Only employees who have a legitimate business need should access cardholder information/systems
  • Access control/access reviews
  • Store no more than the last four digits of the credit card number, but if possible do not store it at all
  • Any payment received over the phone should be entered directly into the terminal or application and not written down

SLIDE 13

Do NOT ask the customer for their PIN

SLIDE 14

Always use authorized forms to take payments

  • Store forms and receipts in a secure location within the retention policy
  • Only use approved forms to write down payment information
  • Documents with credit card numbers should be shredded after use or before storage, or heavily redacted so that the credit card number is not displayed

SLIDE 15

If you can avoid it do not store any credit card information!

SLIDE 16

Destruction of card data

Documents

  • Tear away the cardholder data
  • Shred the cardholder information IMMEDIATELY!

SLIDE 17

NEVER send credit card information in pictures, e-mail, text or other end-user messaging technologies! If it is received, delete it IMMEDIATELY!!

SLIDE 18

Do NOT share credit card information

  • Outside of the college

SLIDE 19

  • If writing down a credit card number, it should be on an authorized form
  • All payment receipts should be securely stored
  • All credit card information must be destroyed after use

SLIDE 20

Report security concerns and potential incidents immediately!

SLIDE 21

Securely handling Personally Identifiable Information (PII)

  • PII is information that uniquely identifies a person (name and SSN, name and account number)
  • PII should only be stored in approved applications and systems
  • PII should only be shared on a need-to-know basis
  • Do not use SSNs as a unique or account identifier
  • Do not share account access to applications containing PII

SLIDE 22

Securely handling Personally Identifiable Information (PII)

  • Do not send PII through email or other insecure means; where possible, encrypt data
  • Consider the risk of storing or downloading data outside of applications/systems
  • Protect hard copy information containing PII: lock desks and cabinets, restrict access
  • Be aware of emails or phone calls requesting PII or data containing PII

SLIDE 23

  • Federal laws apply to how higher education institutions collect and use data
  • FERPA: protection of student education records
  • HIPAA: protection of health records
  • GLBA: protection of consumer financial information
  • Red Flags Rule: awareness of signs of identity theft

SLIDE 24

Red Flags Rule

  • The FTC issued a set of rules and guidelines to detect and prevent identity theft
  • While not a financial institution, the college may be seen as a creditor
  • Could impact departments like Admissions, Financial Aid, Human Resources, Finance, etc.

SLIDE 25

Red Flags Rule

  • Common examples:
  • Bookstore accounts
  • Accounts receivable
  • Employment accounts
  • Student accounts receivable
  • Keep in mind that each department is unique, has different accounts and may need different ways to deal with identity theft
  • Compliance is broken into a 4-step process

SLIDE 26

Red Flags Rule

Step 1: Identify Red Flags

  • Notifications and warnings from credit reporting agencies
  • Suspicious documents
  • Suspicious personal identifying information (PII)
  • Suspicious account activity or use of account
  • Alerts from others
  • The Rule does not require any specific practice to verify identity.

SLIDE 27

Red Flags Rule

Step 2: Detect Red Flags

  • Verifying the identity of an individual opening an account (such as requesting photo ID)
  • Authenticating users of the account (verifying birth date, class schedule or phone number)
  • Also monitoring and verifying the validity of account changes

SLIDE 28

Red Flags Rule

Step 3: Prevent and Mitigate

  • Any potential issues should be escalated immediately to your manager/supervisor
  • Further steps that can be taken:
  • Continue to monitor the account for identity theft
  • Contact the individual
  • Change authentication to accounts (username/passwords)
  • Provide new authentication (account code, username/password)
  • If a computer system may be impacted, contact IT for support
  • Ensure destruction of documentation with sensitive information

SLIDE 29

Red Flags Rule

Step 4: Update the Program

  • As identity thieves change tactics and methods, the Rule requires you to make updates to any internal procedures to detect, prevent and mitigate identity theft.