PCI DDS: Payment Card Security Training

Payment Card Industry Compliance
PCI DDS: Payment Card Security Training 

Payment Card Industry Data Security Standards (PCI DSS) payment card security training is a self-directed training that is required for ALL employees/volunteers who accept payments via payment card (e.g., debit or credit) on behalf of RIT. This information is designed to provide you with a basic understanding of the PCI DSS as well as your role in ensuring that the University is in full compliance with the standards. The training and certification is required annually and must be retained by your manager for one year (complete quiz on page 2).

1.    PCI DSS Definition
  • Set of requirements to ensure cardholder data remains secure
    • Primary goal is to protect cardholder data
    • Compliance is mandatory per the payment brands (American Express, Visa, MasterCard, and Discover) in order for RIT to maintain our privileges to accept credit cards
    • Helps protect against fraud
    • RIT files a compliance questionnaire with M&T Merchant Services (our credit card processor) annually 
    • For more information visit:  www.pcisecuritystandards.org
2.    PCI DSS Compliance is Mandatory
  • In order to accept payment via credit card, PCI compliance is mandatory.
  • Risks to accepting credit cards and having a breach:
    • Loss of credit card permissions at RIT
    • Monetary fines assessed to your department and/or RIT and risk mitigation expenses
    • Reputation loss – donors and customers could think twice before spending at RIT 
  • Benefits of complying with PCI requirements:
    • Helps protect against fraud – best thing for customer and your business
    • Upholds RIT’s reputation
    • Keeps you and RIT safe and out of the headlines
3.    Approved Credit Card Methods
  • RIT business units may accept credit card payments through the following methods:
    • Face-to-face transactions at point-of-sale (POS) terminal
    • Over-the-phone transactions – enter the transaction in a POS device while the customer is on the phone; ask the customer to repeat the credit card number to verify it is correct
    • Website transaction conducted by customer; RIT Staff are prohibited from entering credit card numbers using a computer keyboard or mobile device on behalf of a customer.
    • Mailed or Faxed forms – enter transaction in an approved POS device and cross-cut shred paper after processing transaction and when credit card number is no longer needed. If storage of paper forms with payment account number is required, secure physical paper forms in a safe or lockbox and keep safe or lockbox in a locked room. Avoid moving paper forms from one office/department to another unnecessarily. Any movement of stored paper forms with payment account information from one location to another requires logged managerial approval (e.g. A saved email from a manager to an employee authorizing the movement of the paper forms is sufficient; retain emails for annual PCI reviews).
4.    Cashier Procedures
  • A “cashier” is defined as anyone who has access to/or processes payment card data
    • Cashiers must keep payment card environment and data secure from non-cashier personnel.
    • Cashiers must work with managers to ensure point-of-sale devices are stored in a secure area when not in use.
    • If handling a payment card, cashiers must hand payment card back to customer with receipt after checking signature.
    • Cashiers should use the chip-reader when customers present cards with a chip.
    • Cashiers should swipe cards only when customers present cards that have no chip.
    • Manual entry of payment account numbers should be reserved for card-not-present transactions such as mail and telephone orders.

  • If a credit card number needs to be written down on a piece of paper, secure the paper in a locked location and destroy by cross-cut shredding when no longer needed for transaction processing
  • If you receive payment forms with credit card numbers via fax, ensure the memory cache on the fax machine is cleared regularly (either after each fax is received or at end of each business day in higher volume areas).
  • No Emails – Do not use any payment card numbers received via email, and never send cardholder data in email. Gently remind patrons that email is not a safe way of sending payment card information and ask them to submit payment in as secure way. Work with ITS or your department’s IT team to ensure email containing cardholder data is deleted from all RIT systems, including backups.
  • Validate all visiting device technicians – technicians will either be accompanied by an RIT employee or your supervisor will inform you of an upcoming visit. If you were not aware of a visit from a technician, ask your supervisor before permitting access to a payment device.
  • Regularly inspect payment devices for signs of tampering such as scratches, cards going deeper into chip reader than normal, peeled labels or number plates, discoloration of device or cords, new or different cords, or unexpected hardware connected to device, the device cords, or on the wall where the device connects. See Physical Device Security for more information.
  • If you suspect a data breach has occurred, or if you are unsure about anything, report it to your supervisor, ITS, or SAS Tech at the time of discovery. Please review RIT's Emergency Procedure for handling a credit card security incident.
  • Information Security Policies and Standards – RIT maintains information and security policies which are requirements that all members of the RIT community must follow when using RIT information resources. Detailed information is located on the RIT Information Security website.
  • A unique login with a password that meets RIT's Password Requirements is required for any employee with access to system components that impact the cardholder environment. Examples include content management systems (Drupal, Wordpress, etc.) that connect to Nelnet or CyberSource and the associated operating system running under the content management system.This login requirement also applies to employees with access to alter redirect settings in third party service provider applications that connect to a payment gateway such as Nelnet or CyberSource, and to employees who have access to alter manual entry settings in point-to-point encrypted payment applications (e.g. Telefund, Oracle Opera, Audience View).
  • All RIT staff must adhere to the RIT Third Party Service Provider Policy and follow the RIT Third Party Service Provider Engagement Procedure when engaging with a third party that will process payment cards, or a third party that could impact the security of the payment process.
  • All RIT staff must adhere to the RIT e-commerce Policy and follow the RIT e-commerce Procedure in order to establish an e-commerce website for RIT business.

Contact Mary Beth Nally, Executive Director of Student Financial Services (585-475-5305), Ken Buckley, Director Endowment Accounting & Cash Management (585-475-2374), or Terence Costello, Sr. PCI Application Administrator, if you have questions about this information.

Complete the quiz below, sign, and return to your supervisor.

1.     RIT Staff are prohibited from taking customer payment information and using the staff computer          or mobile device keyboard to enter the payment card number to help a customer make a payment          on an RIT website, TRUE or FALSE

2.     What is the primary goal of PCI DSS?
a)    To prevent theft of card
b)    To stop hackers
c)    To cause chaos
d)    To protect cardholder data
3.    Is PCI mandatory?        YES       or       NO
4.    Which of the following is a benefit of compliancy to PCI?
a)    Loss of merchant status for RIT
b)    Large monetary fines assessed to RIT
c)    Helps protect against fraud
d)    Loss of confidence in RIT’s brand name

5.    Should you share your log in with a co-worker?         YES        or    NO
6.    Can RIT employees write down credit card information for the customer?     YES   or    NO
7.    Visiting point-of-sale technicians can access the point-of-sale devices only when they are                              accompanied by an RIT employee, TRUE or FALSE
8.     Cashiers should keep an eye out for signs of device tampering such as, new pieces of hardware                connected to the payment device, scratches or discolorations, different color cords from the day              before, an noticeable increase in weight of the device, peeled labels, and dipped cards going                      deeper into chip reader than normal, TRUE or FALSE

I certify that I have read and understand the information presented in the RIT PCI Training, the RIT IT Policies and Procedures, and the Physical Security and Skimming Prevention of Point of Sale Devices.

Name: ___________________________________________________

Signature: ________________________________________________    Date: ______________

Department: _________________________________  Supervisor: _____________________________