Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Data Structures

Best Practices for Payment Card Activities

advertisement 
Longwood University
Best Practices for Payment Card Activities
Understand Policies and Procedures
Merchants must understand Longwood University’s payment card security policy #1015 and
applicable procedures. Compliance with the PCI standards at www.pcisecuritystandards.org is
mandatory.
Protect Cardholder Data










In order to mitigate the risks of accepting credit cards as a method of payment,
departments should consider using TouchNet Marketplace when practical.
Do not store credit card data unless required to conduct departmental business. Never
store credit card numbers electronically in a database or spreadsheet, on portable media
or on share drives.
Never store sensitive authentication data - magnetic stripe data, chip data, the
CAV2/CVC2/CVV2/CID, or the PIN/PIN block - under any circumstances.
Do not store the full cardholder account number (PAN) with expiration date. Mask all
but the last 4 digits of the credit card number.
Crossing through the primary account number (PAN) is not an acceptable means of
securing the data on paper. Instead, remove the portion of the document containing
cardholder data and shred.
Maintain up-to-date policies and procedures, including departmental desktop procedures.
Ensure computers handling credit card data possess updated versions of University
recommended antivirus and spyware detection software.
Do not request, send or accept payment card information by email. If you receive
cardholder data via email, do not process the transaction. Make the sender aware that, for
their safety, they should never email credit card information. Remove the cardholder
data when responding and direct them to an approved processing method. Delete the
email containing cardholder data completely from your email account.
Complete annual credit card security training upon hire and at least annually.
Any confirmed or suspected breach should be reported immediately to the Information
Security Office.
Implement Strong Access Control Measures

Departments may not negotiate contracts with credit card processing companies or
companies accepting credit card payments. All merchant accounts for accepting credit
cards must be approved by Financial Operations.





Permit only those employees with a legitimate “need to know” access to cardholder data.
Limit user access to specified privileges.
Each employee with access to payment card information via computer should have a
unique login or password. Log out of computer when unattended. Never share
passwords or user IDs.
Never use vendor supplied default passwords.
Passwords should be changed regularly – at least every 90 days.
Restrict Physical Access to Cardholder Data




Always protect cardholder data against unauthorized access. Keep credit card
information locked in a secure location (locked drawer, file cabinet, office or safe).
Do not allow unauthorized persons access to areas where credit card data is stored.
Restrict physical access to computer workstations and other equipment used in credit card
payment processing. Physical space can be secured through the use of employee badges,
swipe card or key access, or video camera monitoring.
Destroy documentation containing credit card information when no longer needed for
business or legal reasons. Approved destruction methods for hard-copy materials include
shredding (via cross-cut shredder), incinerating or pulping.
Best Practices for a “Card Present” Transaction




Swipe and retain the card only until the transaction is authorized.
The credit card number should be masked – only the last 4 digits of the credit card
number should be printed on the receipt.
Give the customer their receipt to sign, if applicable. Compare the signature on the
receipt to the one on the card.
The university does not recommend accepting unsigned cards. Departments accepting
unsigned cards must require a second form of picture ID prior to completing the
transaction.
Best Practices for a “Card Not Present” Transaction





Direct cardholder to complete transaction through the department’s online payment
system.
Do not offer to enter payment card data into a third party website on behalf of a customer.
The act of entering a payment on another’s behalf increases risks associated with credit
card acceptance. Instead, direct customers to any internet enabled computer to complete
their transaction.
If departmental procedures permit the entering of payment card data on behalf of a
customer, transactions must be conducted on a separate, secured payment terminal.
If your department accepts credit cards in paper format (via mail), we recommend that
you structure the form so that the credit card data can be removed (i.e. perforation at
bottom of page) and shredded immediately following processing. This allows you to
retain other information needed for business purposes without storing cardholder data.
If card data is accepted by phone, develop a standard form (preferably on color paper)
that is easily identifiable as containing credit card data and which can be shredded after
the transaction is authorized.
Related documents
patient_info - Amarillo Family Physicians Clinic
patient_info - Amarillo Family Physicians Clinic
Electronic Commerce Transactions CUSTOMER acknowledges and
Electronic Commerce Transactions CUSTOMER acknowledges and
Corporate Credit Card Policy and Procedures
Corporate Credit Card Policy and Procedures
Procedures for Processing Credit Card Transactions
Procedures for Processing Credit Card Transactions
Credit Card Policy - Presbyterian College
Credit Card Policy - Presbyterian College
Exam Style Questions
Exam Style Questions
Regulation Z, 12 CFR § 226.12
Regulation Z, 12 CFR § 226.12
Application For Issue Of A Certified Statement / Academic
Application For Issue Of A Certified Statement / Academic
Cardholder and Reviewer Training and understanding of the P
Cardholder and Reviewer Training and understanding of the P
fp-36 credit card processing and security policy
fp-36 credit card processing and security policy
FORM - Additional Clean Up Collection
FORM - Additional Clean Up Collection
Donations - Australian-German Welfare Society Inc
Donations - Australian-German Welfare Society Inc
you” “your” “ - State Employees' Credit Union
you” “your” “ - State Employees' Credit Union
driver maintenance form for plastics
driver maintenance form for plastics
Online Statements & Email Approval
Online Statements & Email Approval
Commercial Card Expense Reporting (CCER)
Commercial Card Expense Reporting (CCER)
via transaction ZMTRR_TRAVEL_WORK_LI
via transaction ZMTRR_TRAVEL_WORK_LI
User Guide for WEB ADMIN SYSTEM
User Guide for WEB ADMIN SYSTEM
Information Securiy Policy – Offline Merchants
Information Securiy Policy – Offline Merchants
Reconciling Your P-Card Statement Online
Reconciling Your P-Card Statement Online
Microsoft Word - Offline Merchant Security Policy.doc
Microsoft Word - Offline Merchant Security Policy.doc
VISA CORPORATE CREDIT CARD
VISA CORPORATE CREDIT CARD
Download
advertisement