Best Practices for Payment Card Activities

advertisement
Longwood University
Best Practices for Payment Card Activities
Understand Policies and Procedures
Merchants must understand Longwood University’s payment card security policy #1015 and
applicable procedures. Compliance with the PCI standards at www.pcisecuritystandards.org is
mandatory.
Protect Cardholder Data










In order to mitigate the risks of accepting credit cards as a method of payment,
departments should consider using TouchNet Marketplace when practical.
Do not store credit card data unless required to conduct departmental business. Never
store credit card numbers electronically in a database or spreadsheet, on portable media
or on share drives.
Never store sensitive authentication data - magnetic stripe data, chip data, the
CAV2/CVC2/CVV2/CID, or the PIN/PIN block - under any circumstances.
Do not store the full cardholder account number (PAN) with expiration date. Mask all
but the last 4 digits of the credit card number.
Crossing through the primary account number (PAN) is not an acceptable means of
securing the data on paper. Instead, remove the portion of the document containing
cardholder data and shred.
Maintain up-to-date policies and procedures, including departmental desktop procedures.
Ensure computers handling credit card data possess updated versions of University
recommended antivirus and spyware detection software.
Do not request, send or accept payment card information by email. If you receive
cardholder data via email, do not process the transaction. Make the sender aware that, for
their safety, they should never email credit card information. Remove the cardholder
data when responding and direct them to an approved processing method. Delete the
email containing cardholder data completely from your email account.
Complete annual credit card security training upon hire and at least annually.
Any confirmed or suspected breach should be reported immediately to the Information
Security Office.
Implement Strong Access Control Measures

Departments may not negotiate contracts with credit card processing companies or
companies accepting credit card payments. All merchant accounts for accepting credit
cards must be approved by Financial Operations.





Permit only those employees with a legitimate “need to know” access to cardholder data.
Limit user access to specified privileges.
Each employee with access to payment card information via computer should have a
unique login or password. Log out of computer when unattended. Never share
passwords or user IDs.
Never use vendor supplied default passwords.
Passwords should be changed regularly – at least every 90 days.
Restrict Physical Access to Cardholder Data




Always protect cardholder data against unauthorized access. Keep credit card
information locked in a secure location (locked drawer, file cabinet, office or safe).
Do not allow unauthorized persons access to areas where credit card data is stored.
Restrict physical access to computer workstations and other equipment used in credit card
payment processing. Physical space can be secured through the use of employee badges,
swipe card or key access, or video camera monitoring.
Destroy documentation containing credit card information when no longer needed for
business or legal reasons. Approved destruction methods for hard-copy materials include
shredding (via cross-cut shredder), incinerating or pulping.
Best Practices for a “Card Present” Transaction




Swipe and retain the card only until the transaction is authorized.
The credit card number should be masked – only the last 4 digits of the credit card
number should be printed on the receipt.
Give the customer their receipt to sign, if applicable. Compare the signature on the
receipt to the one on the card.
The university does not recommend accepting unsigned cards. Departments accepting
unsigned cards must require a second form of picture ID prior to completing the
transaction.
Best Practices for a “Card Not Present” Transaction





Direct cardholder to complete transaction through the department’s online payment
system.
Do not offer to enter payment card data into a third party website on behalf of a customer.
The act of entering a payment on another’s behalf increases risks associated with credit
card acceptance. Instead, direct customers to any internet enabled computer to complete
their transaction.
If departmental procedures permit the entering of payment card data on behalf of a
customer, transactions must be conducted on a separate, secured payment terminal.
If your department accepts credit cards in paper format (via mail), we recommend that
you structure the form so that the credit card data can be removed (i.e. perforation at
bottom of page) and shredded immediately following processing. This allows you to
retain other information needed for business purposes without storing cardholder data.
If card data is accepted by phone, develop a standard form (preferably on color paper)
that is easily identifiable as containing credit card data and which can be shredded after
the transaction is authorized.
Download