GVSU PCI Compliance (Credit card payment security standards)

October 28, 2013. GVSU PCI Compliance (Credit card payment security standards). Who? What? When? Why? GVSU PCI compliance – The Beginning. Comply with PCI compliance policies set forth by industry. Create internal policies and procedures to protect cardholder data.

erik

Presentation Transcript


  1. GVSU PCI Compliance (Credit card payment security standards)
     October 28, 2013

  2. GVSU PCI compliance – The Beginning
     Who? What? When? Why?

  3. What is GVSU’s responsibility?
     • Comply with PCI compliance policies set forth by industry
     • Create internal policies and procedures to protect cardholder data
     • Inform and train GVSU personnel who process cardholder data
     • Perform annual review
     • Report suspected or confirmed breach incidents

  4. GVSU PCI Processing procedures
     • www.gvsu.edu/pci Compliance Documents
     • Prohibited Practices:
       • Storing CVV codes, PIN numbers, track data or card numbers
         • These must be destroyed immediately after processing.
       • Sending credit card information via mobile or end-user messaging technologies (email, fax)
       • Requesting that credit card information be sent to GVSU street address
       • Sending credit card information via intercampus mail

  5. GVSU PCI Processing procedures
     • Prohibited Practices:
       • Accepting/entering credit card information on GVSU website on behalf of a customer
       • Using a laptop for entering credit card information
       • Instructing customers to enter their own credit card information on a GVSU public computer
       • Directly passing credit card fees to customers who pay via credit cards

  6. GVSU PCI Processing procedures
     • Prohibited Practices:
       • Using non-designated PCI compliant shredding devices or services
       • Using non-designated PCI compliant hardware
         • Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.
       • Using non-approved third party service providers to process credit card transactions

  7. GVSU PCI Processing procedures
     So, then what is allowed?

  8. GVSU PCI Processing procedures
     • Accepted Processing Procedures:
       • Approved secure websites for ongoing, frequent processes
         • Ben Rapin, Institutional Marketing, 18014
         • www.gvsu.edu/webteam/ecommerce.htm - E-Commerce Request Form
       • Approved secure terminal – wired or wireless
         • Jennifer Schick, Accounting Business Office, 12231
         • www.gvsu.edu/pci - Credit Card Processing Assistance
         • Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.

  9. GVSU PCI Processing procedures
     • Accepted Processing Procedures:
       • Low volume options
         • Take directly to cashier window on same business day.
         • Must be taken by GVSU employee (not a student).
         • See www.gvsu.edu/pci Credit Card Processing Assistance for Departmental Deposit Form.
         • Can keep the last 4 digits of a card number for reference.
         • Call one of the following offices, provide the FOAP where the money should be deposited, and transfer the call:
           • 16806 for gift deposits (Gift Processing/Development Office) OR
           • 12209 for other credit card payments (Student Accounts Hotline).

  10. GVSU PCI Processing procedures
      • Accepted Processing Procedures:
        • Dedicated PO Box for US Mail
        • Approved PCI compliant shredders or shredding services
          • Coordinate shredding services/bins through Kip Smalligan.
          • Shredders must be cross-cut or diamond cut.
        • Approved PCI compliant vendors
          • If using or considering a third party service provider to accept credit cards, the vendor must be PCI compliant.
          • Notify Sue Korzinek of process to allow for proper documentation to be acquired from third party vendor BEFORE signing a contract.

  11. GVSU PCI Processing procedures
      A scenario that works for many events:
      • Set up online registration with Institutional Marketing.
      • Prepare mailing and give registrants these options:
        • Register online for credit card payments or
        • Register via mail for check payments.
      • For day-of-event registrations, allow check payments or request the use of a loaner terminal to accept credit card payments.

  12. CONSIDERING MAKING A CHANGE?
      • Any new contract/relationship that relates to credit card payments MUST be approved by the PCI Committee.
      • Contact Sue Korzinek and Jennifer Schick.
      • WARNING: Just because a vendor or salesperson says that they are PCI Compliant, it does not mean that they are!

  13. Security breach process
      • Notify immediately
      • Assess situation
      • Corrective measures
      • Prepare message
      • Evaluate processes for improvement

  14. Updates
      EMV – September 2015
      • EMV (Europay/MasterCard/Visa), a.k.a. Pin & Chip
      • Instead of a magnetic stripe, EMV cards contain an embedded microprocessor.
      • “EMV chip technology reduces card fraud in a face-to-face card-present environment; provides global interoperability; and enables safer and smarter transactions across cards and contactless channels.” – “U.S. EMV Migration Efforts Continue Despite Debit Regulatory Challenges”, www.cnbc.com 10/3/13

  15. Updates
      EMV – September 2015
      • As new credit card terminals are ordered or current terminals need to be replaced, GVSU will order terminals that are EMV capable.
      • By September 2015, GVSU will order new EMV capable credit card terminals to replace terminals with the old technology.

  16. Updates
      Mobile technology
      • Reminder: Most mobile terminal options, such as the Square that connects to the iPhone/iPad, are NOT acceptable.
      • Reminder: Using a laptop for entering credit card information is NOT acceptable.
      • We are in the process of testing/evaluating new wireless/cellular terminals and a mobile payment bundle that would connect to an iPad.

  17. Updates
      Fees
      • Reminder: At GVSU, departments are NOT allowed to directly pass credit card fees to customers who pay via credit cards.
      • Recent headlines discussed changes in rules regarding surcharges/convenience fees.
      • Few companies are actually proceeding down this path due to various “hoops” that they would need to jump through.
      • Departments are able to set their rates for all forms of payment knowing that credit card processing fees are 2-3%.

  18. QUESTIONS?
      Contact information:
      • Sue Korzinek X12035
      • Jennifer Schick X12231
