
Operations


Below are guidelines for protecting cardholder data when managing payment operations.

Check Devices for Tampering

All personnel connected in any way with cardholder data must be trained to protect devices which capture payment card data through physical interaction (i.e. swipe, dip, key in, or wave) with a payment card.

Personnel must be trained to be aware of attempted tampering or replacement of devices, and terminals must periodically be inspected to look for tampering and substitution.

  1. Take photos of current terminals and their power and Ethernet connection cords.
  2. Use the photos to reference and train your team on how your device should look so they can identify any changes.
  3. Schedule periodic physical inspections of devices and take new photos. In the new photos, look for:
    • Overlay or added devices, connections, or wires
    • Missing or stripped screws
    • Scratch or tool marks
    • Tampered seals
    • Equipment that has been moved
  4. Maintain a collection of equipment photos to facilitate the discovery and dating of changes.

Include equipment tampering risks and personnel verification procedures in your training, such as what to do if someone says they’re here to update or repair equipment.

These quick periodic checks are an easy way to keep your devices and data safe. Resources available from Treasury Operations can help you create a checklist that works with the devices in your department. Contact Treasury Operations or Arrow Payments with any questions or for help integrating this protocol into your staff training.

Monitor for Fraud and Security Breaches

As someone involved in payment card transactions, you should learn to monitor for and recognize fraud attempts and other suspicious activity.

Refunds

To help prevent fraud, a manager or supervisor must approve refunds. Refunds can be applied to only the credit or debit card originally charged, and the amount of the refund must be less than or equal to the original charge. Although the University and our merchant card processors monitor for refund fraud, you may have an even better chance of catching this type of fraud. If you notice that someone issued a refund without manager approval, that a refund was made to a different card or in cash, or that the amount refunded was greater than the original purchase amount, report this activity to a supervisor or Treasury Operations.

Suspicious Card Activity

Other suspicious card activity includes extremely large or extremely small transactions, which may also indicate refund fraud. If transactions do not pass address verification or card security code validation (both run automatically by payment systems), that may be a sign that card information has been stolen.

Immediately report any fraud, fraud attempts, or suspicious activity to your supervisor or Treasury Operations.

Maintain a Security Policy

Each merchant location must maintain a policy that addresses payment card security for all personnel. The policy should cover topics such as usage policies for the payment system, steps for compliance with PCI DSS, penalties for noncompliance, and steps to respond to a security breach.

Managers

Managers should create and regularly update the security policy, which can be based on the University’s PCI DSS security policy. Managers should also review the payment processing environment and policy at least annually or when changes in technology, process, or personnel occur. Managers are responsible for training team members at least annually on the department’s security policy.

IT Staff

IT staff should help managers create an appropriate security policy for their payment systems.

Everyone

As someone involved in payment card transactions, you need to follow the security policies for the University and your merchant location. Alert a supervisor or Treasury Operations if you notice any issues with a security policy, for example, if something seems to be missing or no longer applicable to your current system.

Report Security Incidents

The prevention of data breaches is a campus-wide effort and we need your help to keep the University safe. Notify a supervisor immediately if:

  • Someone seems to be using a stolen card;
  • You suspect that someone is using cardholder data inappropriately;
  • You see cardholder data or payment equipment somewhere it shouldn’t be, like in an area accessible to unauthorized personnel or the public.

After you talk to a supervisor, you or the supervisor should also report fraud and security incidents to Treasury Operations immediately.
