UCR's Clarifications to Coalfire Training

Coalfire Training 2014
Specific Responses
During the actual training, and as can be seen on several of the slides, the information shared by
Coalfire was general in nature and does not necessarily reflect the policies and procedures in
place at UC Riverside. Below is an initial list of responses, keyed to the page number in the
available PDF slide deck.





Pg. 10 – EMV
UCOP and UCR have made announcements regarding EMV readiness by October 2015. For more
information, review the announcement on the SBS site (or see Appendix A here).
Pg. 17 – Merchant Levels
Currently, UCR is a level 4 merchant, but is moving closer to becoming a level 2 merchant. Level
determination is made semi-annually by the Card Brands. If and when UCR becomes a
level 2 merchant, all campus merchants will be notified appropriately.
Pp. 29-30 – Responsibilities
- UCR’s validation reporting (SAQ) deadline is June, annually, or at the point of a change
  in the Merchant’s environment.
- Any significant changes to a merchant environment should be communicated and
  discussed with the campus credit card coordinator before making any change, per the
  UCR Annual Credit Card Merchant Agreement.
Pg. 42 – Requirement 12
- Vendor Management
  UCR’s Campus Credit Card Coordinator must approve any contracts for services,
  software or equipment involved in processing credit cards. Additionally, in 2012 UC
  policy began requiring that the UC Confidentiality/Security addendum be added to all
  contracts for credit card services/processing. This should be considered when contracts
  are initiated or renewed.
- Security Awareness
  UCR has contracted with Coalfire to provide Security Awareness Training (S.A.T.) for all
  those involved in the merchant process.
Pg. 64 – Mobile Payments
Based on UC policy, UCR made an announcement regarding Mobile Payment platforms and their
use. For more information, review the announcement on the UCR Accounting site (or see
Appendix B below).
For any further questions or clarifications, please email cashandmerchant@ucr.edu.
Appendix A
EMV Campus Announcement
Date: Tue, 9/16/2014
RE: PCI - EMV Readiness Cutoff for UCR Merchants
Dear Campus Merchants,
To reduce fraud associated with credit card payments, all payment brands have established October
2015 as the deadline for merchants to comply with EMV chip cards (EMV = Europay MasterCard Visa).
These chip-based cards reduce the risk of fraud specifically with face-to-face, card-present transactions.
From guidance released from all payment brands (Visa, MasterCard, Amex, Discover), any merchant that
is not EMV ready by October 2015 will assume greater liability for fraudulent charges that could have
been prevented by EMV. Currently, most fraud liability is carried by the issuing bank, not the merchant
or merchant bank. EMV will not change the merchant’s liability related to a credit card data breach.
Please refer to the attached guidance from UCOP regarding EMV. Additionally, Vice Chancellor of
Business and Administrative Services, Ron Coley, has endorsed that all UCR merchants become EMV
ready by the October 2015 cutoff.
Please note that all BAMS-issued terminals are already EMV ready; however, a PIN pad add-on will be
required. Details and training for merchants using these terminals will be announced in the coming
months. Merchants with non-BAMS issued terminals must reach out to their respective hardware
vendors for their vendor’s EMV-readiness plans. This specifically would encompass any Point-of-Sale
(POS) system, dispenser with a card swipe, etc. In such cases, merchants need to request the vendor’s
EMV-readiness plans in writing, including when and how implementation of new hardware, if required,
will take place by October 2015.
If you have any questions, please e-mail us at cashandmerchant@ucr.edu.
Sincerely,
Josh Hoerger | Project Specialist
On Behalf of Asirra Suguitan, Campus Credit Card Coordinator
Attachments:
EMV discussion document for VCAs 8-27-14.pdf
EMV Compliance Guidelines 8-27-14.pptx
Appendix B
Third Party Merchant Services and Mobile Pay Devices
From: Bobbi McCracken, Associate Vice Chancellor of Financial Services & Controller
To: Msoadm list & CFAOs
Date: September 30, 2013, 4:19pm
Subject: Third Party Merchant Services and Mobile Pay Devices
There have been a number of inquiries regarding the use of third party merchant services and mobile
pay devices, such as PayPal, Square and Stripe. Per Office of the President, at this time due to credit card
security concerns and UC exclusive merchant services agreement with Bank of America, these credit
card payment processing services CANNOT be utilized by any UC Entity. It is my understanding that no
other UC campus merchants have been authorized to utilize these services. The UC policy covering
credit card usage is available in the Business and Finance Bulletin BUS-49 and our local procedures UCR
policy 200-17 Credit/Debit Card Acceptance.
UC does recognize that there is a potential benefit to the University due to the ease-of-setup, minimal
startup fees, and convenience of these types of merchant services. Third party merchant service
providers are making progress to improve the security concerns associated with accepting credit card
payments on phones, tablets, and mobile devices, and UC is currently exploring options with our
Payment Card Industry (PCI) Qualified Security Assessor, Coalfire, which may address the current
security concerns over the protection of customer credit card information. As more information
becomes available on the outcome of these assessments, it will be disseminated to the campus. In the
meantime, please note that Bank of America Merchant Services (BAMS) does offer similar functionality
via their PCI compliant wireless terminals.
If any third party merchant services, such as PayPal, Square, or Stripe, have already been implemented
by your unit, please suspend all credit card processing immediately and contact our campus credit card
coordinator and Director of Student Business Services/Cashiers, Asirra Suguitan, at
asirra.suguitan@ucr.edu. Your cooperation with complying with UC policy and protecting customer
credit card information is appreciated.