October 28, 2013
GVSU PCI COMPLIANCE
(CREDIT CARD PAYMENT SECURITY STANDARDS)
GVSU PCI COMPLIANCE – THE BEGINNING
Who?
 What?
 When?
 Why?

WHAT IS GVSU’S RESPONSIBILITY?
Comply with PCI compliance policies set forth
by industry
 Create internal policies and procedures to
protect cardholder data
 Inform and train GVSU personnel who process
cardholder data
 Perform annual review
 Report suspected or confirmed breach
incidents

GVSU PCI PROCESSING PROCEDURES
www.gvsu.edu/pci Compliance Documents
 Prohibited Practices:
 Storing CVV codes, pin numbers, track data or
card numbers


These must be destroyed immediately after processing.
 Sending
credit card information via mobile or
end-user messaging technologies (email, fax)
 Requesting for credit card information to be
sent to GVSU street address
 Sending credit card information via intercampus
mail
GVSU PCI PROCESSING PROCEDURES

Prohibited Practices:
 Accepting/entering
credit card information on
GVSU website on behalf of a customer
 Using a laptop for entering credit card
information
 Instructing customers to enter their own credit
card information on a GVSU public computer
 Directly passing credit card fees to customers
who pay via credit cards
GVSU PCI PROCESSING PROCEDURES

Prohibited Practices:
 Using
non-designated PCI compliant shredding
devices or services
 Using non-designated PCI compliant hardware
 Most
mobile terminal options, such as the Square
that connects to the IPhone/IPad are NOT
acceptable.
 Using
non-approved third party service providers
to process credit card transactions
GVSU PCI PROCESSING PROCEDURES

So, then what is allowed?
GVSU PCI PROCESSING PROCEDURES

Accepted Processing Procedures:
 Approved
secure websites for ongoing, frequent
processes
 Ben
Rapin, Institutional Marketing , 18014
 www.gvsu.edu/webteam/ecommerce.htm E-Commerce Request Form
 Approved
 Jennifer
secure terminal – wired or wireless
Schick, Accounting Business Office, 12231
 www.gvsu.edu/pci - Credit Card Processing Assistance
 Most mobile terminal options, such as the Square that
connects to the IPhone/IPad are NOT acceptable.
GVSU PCI PROCESSING PROCEDURES

Accepted Processing Procedures:
 Low
volume options
 Take
directly to cashier window on same business day .
Must be taken by GVSU employee (not a student).
 See www.gvsu.edu/pci Credit Card Processing Assistance for
Departmental Deposit Form.
 Can keep the last 4 digits of a card number for reference.

 Call
one of the following offices, provide the FOAP where
the money should be deposited, and transfer the call:
16806 for gift deposits (Gift Processing/Development Office) OR
 12209 for other credit card payments (Student Accounts
Hotline).

GVSU PCI PROCESSING PROCEDURES

Accepted Processing Procedures:
Dedicated PO Box for US Mail
 Approved PCI compliant shredders or shredding
services

 Coordinate
shredding services/bins through Kip Smalligan.
 Shredders must be cross-cut or diamond cut.

Approved PCI compliant vendors
 If
using or considering a third party service provider to accept
credit cards, the vendor must be PCI compliant.
 Notify Sue Korzinek of process to allow for proper
documentation to be acquired from third party vendor BEFORE
signing a contract.
GVSU PCI PROCESSING PROCEDURES

A scenario that works for many events:
 Set
up online registration with Institutional
Marketing.
 Prepare mailing and give registrants these options:
Register online for credit card payments or
Register via mail for check payments.
 For day of the event registrations, allow check
payments or request the use of a loaner terminal to
accept credit card payments.
CONSIDERING MAKING A CHANGE?
Any new contract/relationship that relates to
credit card payments MUST be approved by the
PCI Committee.
 Contact Sue Korzinek and Jennifer Schick.
 WARNING: Just because a vendor or
salesperson says that they are PCI Compliant, it
does not mean that they are!

SECURITY BREACH PROCESS
Notify immediately
 Assess situation
 Corrective measures
 Prepare message
 Evaluate processes for improvement

UPDATES

EMV – September 2015
 EMV
(Europay/MasterCard/Visa) /a.k.a Pin & Chip
 Instead of a magnetic stripe, EMV cards contain an
embedded microprocessor.
 “EMV chip technology reduces card fraud in a faceto-face card-present environment; provides global
interoperability; and enables safer and smarter
transactions across cards and contactless
channels.” – “U.S. EMV Migration Efforts Continue Despite Debit Regulatory Challenges”,
www.cnbc.com 10/3/13
UPDATES

EMV – September 2015
 As
new credit card terminals are ordered or current
terminals need to be replaced, GVSU will order
terminals that are EMV capable.
 By September 2015, GVSU will order new EMV
capable credit card terminals to replace terminals
with the old technology.
UPDATES

Mobile technology
 Reminder:
Most mobile terminal options, such as
the Square that connects to the IPhone/IPad are
NOT acceptable.
 Reminder: Using a laptop for entering credit card
information is NOT acceptable.
 We are in the process of testing/evaluating new
wireless/cellular terminals and a mobile payment
bundle that would connect to an IPad.
UPDATES

Fees

Reminder: At GVSU, departments are NOT allowed to
directly passing credit card fees to customers who pay
via credit cards.
 Recent
headlines discussed changes in rules regarding
surcharges/convenience fees.
 Few companies are actually proceeding down this path due to
various “hoops” that they would need to jump through.

Departments are able to set their rates for all forms of
payment knowing that credit card processing fees are
2-3%.
QUESTIONS?
Contact information:
Sue Korzinek
Jennifer Schick
X12035
X12231