PCI DSS: Payment Card Security Training

Payment Card Industry Compliance

Payment Card Industry Data Security Standard (PCI DSS) payment card security training is self-directed training that is required for ALL employees/volunteers who accept payments via payment card (e.g., debit or credit) on behalf of RIT. This information is designed to provide you with a basic understanding of the PCI DSS as well as your role in ensuring that the University is in full compliance with the standard. The training and certification are required annually and must be retained by your manager for one year (complete the quiz on page 2).

1.    PCI DSS Definition
  • Set of requirements to ensure cardholder data remains secure
    • Primary goal is to protect cardholder data
    • Compliance is mandatory per the payment brands (American Express, Visa, MasterCard, and Discover) in order for RIT to maintain our privileges to accept credit cards
    • Helps protect against fraud
    • RIT files a compliance questionnaire with M&T Merchant Services (our credit card processor) annually
    • For more information visit: www.pcisecuritystandards.org
2.    Anatomy of a Credit Card
  • Cardholder Data vs. Sensitive Authentication Data
    • Cardholder Data – PAN (Primary Account Number), Cardholder Name, Expiration Date, & Brand Logo
    • Sensitive Authentication Data – 3-digit CVC (Card Verification Code), Signature, & Magnetic Stripe
3.    PCI DSS Compliance is Mandatory
  • In order to accept payment via credit card, PCI compliance is mandatory.
  • Risks to accepting credit cards and having a breach:
    • Loss of credit card permissions at RIT
    • Monetary fines assessed to your department and/or RIT and risk mitigation expenses
    • Reputation loss – donors and customers could think twice before spending at RIT
  • Benefits of complying with PCI requirements:
    • Helps protect against fraud – the best thing for the customer and your business
    • Upholds RIT’s reputation
    • Keeps you and RIT safe and out of the headlines
4.    Approved Credit Card Methods
  • RIT business units may accept credit card payments through the following methods:
    • Face-to-face transactions at point-of-sale (POS) terminal
    • Over-the-phone transactions – enter the transaction in a POS device while the customer is on the phone; ask the customer to repeat the credit card number to verify it is correct
    • Website transactions conducted by customer
5.    Cashier Procedures
  • A “cashier” is defined as anyone who has access to or processes payment card data
    • Required to have a unique login for operating a POS device
    • Keep login credentials confidential and do not share them with others
    • Keep credit card environment secure from non-cashier personnel
    • Log off when stepping away from machine
    • Log off another cashier and log in with own credential when processing transaction
    • Turn off POS device at night and store in a secure area
    • Hand credit card back to customer with receipt after checking signature

~Important~
  • Never write down a payment card number – process all transactions live
  • No Faxing – the memories and hard drives in FAX and copy/scanning devices pose too great a risk
  • No Emails – gently remind patrons that email is not a safe way of sending credit card information

Direct questions and comments to Cash Management.


Complete the quiz below, sign, and return to your supervisor.

1.    Cardholder data consists of all of the following components except:
a)    Primary Account Number (PAN)
b)    Card Verification Code (CVC)
c)    Cardholder Name
d)    Expiration Date
 
2.    What is the primary goal of PCI DSS?
a)    To prevent theft of cards
b)    To stop hackers
c)    To cause chaos
d)    To protect cardholder data
 
3.    Is PCI mandatory?    YES   or   NO
 
4.    Which of the following is a benefit of compliance with PCI?
a)    Loss of merchant status for RIT
b)    Large monetary fines assessed to RIT
c)    Helps protect against fraud
d)    Loss of confidence in RIT’s brand name

5.    Should you share your login with a co-worker?    YES   or   NO
 
6.    Can RIT employees write down credit card information for the customer?    YES   or   NO
 

I certify that I have read and understand the information presented in the credit card security training.


Name: ___________________________________________________

Signature: ________________________________________________    Date: ______________

Department: _________________________________  Supervisor: _____________________________