Policies and Procedures


Policies and Procedures Provided by PROGuard

The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer "yes" to the questions and pass the SAQ, it is imperative that you review, understand, and enforce the policies and procedures outlined below. Certain policies require a corresponding Form to be completed to become compliant. These Forms can be downloaded from www.petropci.com on the Forms Web page. If you have any questions, please contact ProGuard at 1-866-427-7297 x295.

I. Ensure that all employees have been trained and educated on the policies and procedures. Each employee is to sign the Employee Acknowledgement. (Employee Compliance Form)

II. PCI DSS Requirement 3.2
All systems must adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted).
A. POS systems are to be updated with the most current version of software provided by the manufacturer, which does not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). Document all software upgrades on the Processing Equipment Maintenance Form.
B. Do not store the card validation code or value (the three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions, and do not store the personal identification number (PIN) or the encrypted PIN block.

III. PCI DSS Requirement 3.3
Mask the PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
A. Truncation is performed by the POS system.
B. If using a paper imprinter slip for telephone orders and mail orders and the document is to be stored, then all digits except the last four must be blacked out.

IV. PCI DSS Requirement 4.2
Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
A. When it is absolutely necessary to send cardholder data, other personally identifiable information, or other sensitive information via messaging technologies (including text or e-mail), appropriate measures are taken to block out or remove the cardholder information and other personally identifiable information, or to render the communicated sensitive information useless.

V. PCI DSS Requirement 7.1
Limit access to system components and cardholder data to only those individuals whose job requires such access.
A. Each employee is given their own unique access code for POS or stand-alone terminals, which is to restrict the fields to which they have access.
B. Employees are instructed not to share cardholder information with other employees unless deemed necessary by a supervisor.

VI. PCI DSS Requirement 9.1
Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. (POS Maintenance Form, POS and Terminal Inspection Form; additionally for gas stations: Pump and Site Inspection Form, Pump Key Form, Pump Maintenance Form, POS and Terminal Inspection Form)
A. Restricted areas are appropriately identified by signage (e.g., "authorized personnel only").
B. All keys are to be unique to your site.
C. A POS/Countertop Maintenance Form is to be completed when maintenance is done to any POS/countertop terminal.
D. Inspect terminals/POS to ensure that no unauthorized cables have been attached and that the terminal/POS has not been tampered with.
For gas stations:
E. If you accept cards at the pump, a daily pump and site inspection is to be done to ensure pump security.
F. Use the Pump Key Form and the Pump Maintenance Form when pumps are accessed or serviced.
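The two data-handling rules above, masking a displayed PAN to at most the first six and last four digits (item III) and keeping full PANs out of e-mail and chat (item IV), can be enforced mechanically. The following Python example is added here for illustration and is not part of PROGuard's or Petroleum Card Services' materials. It assumes its own function names (mask_pan, find_unmasked_pans, redact_pans, safe_to_send), a constructed sample message, and the widely used 4111111111111111 test PAN, which passes the Luhn check but is not a real account. The scanner treats any 13 to 19 digit run that passes Luhn as a PAN; that is a deliberate bias toward false positives (about one in ten long numeric IDs will pass Luhn), which is the right trade-off for an outbound-message check.

```python
import re

# A run of 13-19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. Candidates are then Luhn-checked.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample input for the example. 4111111111111111 is the
# well-known test PAN; the ticket number and phone number are made up.
SAMPLE_MESSAGE = (
    "Hi, please refund the customer on card 4111-1111-1111-1111, "
    "ticket 1234567890123 was opened by phone 1-800-555-0199."
)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, purpose: str = "display") -> str:
    """Mask a PAN to the maximum the policy allows for the given purpose.

    'display': keep first six and last four (Requirement 3.3, item III).
    'paper':   keep only the last four (item III.B, stored imprinter slips).
    Separators in the input are dropped so the output is a fixed-width mask.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("input is not a PAN-length digit string")
    if purpose == "display":
        keep_lead = 6
    elif purpose == "paper":
        keep_lead = 0
    else:
        raise ValueError("purpose must be 'display' or 'paper'")
    hidden = len(digits) - keep_lead - 4
    return digits[:keep_lead] + "*" * hidden + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return the full PANs (as plain digit strings) found in free text.

    Already-masked values such as 411111******1111 are not matched because
    the asterisks break the digit run below the 13-digit minimum.
    """
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every full PAN in text with its last-four-only mask (item IV.A)."""
    def _repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits, "paper")
        return m.group(0)
    return PAN_PATTERN.sub(_repl, text)


def safe_to_send(text: str) -> bool:
    """True when a message contains no unmasked PAN and may leave by e-mail/chat."""
    return not find_unmasked_pans(text)


if __name__ == "__main__":
    print("display mask:", mask_pan("4111111111111111"))
    print("paper mask:  ", mask_pan("4111 1111 1111 1111", "paper"))
    print("found:", find_unmasked_pans(SAMPLE_MESSAGE))
    print("safe as written:", safe_to_send(SAMPLE_MESSAGE))
    print("redacted:", redact_pans(SAMPLE_MESSAGE))
```

The 13-digit ticket number in the sample is not flagged because it fails the Luhn check, while the hyphen-separated card number is found and redacted; a practitioner would put safe_to_send in front of any path that hands operator-typed text to e-mail or chat.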

VII. PCI DSS Requirement 9.6
Physically secure all paper and electronic media that contain cardholder data. (Cardholder Data Form)
A. Locate all paper documents (including receipts, notes, reports and faxes) and all electronic storage media such as CDs, backup tapes, thumb drives, hard drives and credit/debit card processing machines which contain your customers' full credit/debit card numbers.
B. Determine whether it is necessary to keep any paper or electronic data that contains your customers' full credit/debit card numbers. We strongly recommend you do not keep any documents with the 16-digit number unless absolutely necessary. If you do have any on file, please ask yourself, "Why do I need to keep this?"
C. If it is necessary for business purposes to store this data, the following rules apply:
o If it is portable electronic storage, it must be stored in a locked cabinet.
o Any electronically stored data must be password secured.
o A Form must be kept documenting how the cardholder data is stored and secured.

VIII. PCI DSS Requirement 9.7
Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. (Media Removal Form)
A. All material moved from the secure area is marked confidential, documented on the Media Removal Data Form and transported by a document service such as FedEx or the U.S. Post Office with a tracking number.

IX. PCI DSS Requirement 9.8
Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).
A. No material containing cardholder data is to leave the premises without the permission of management.

X. PCI DSS Requirement 9.9
Maintain strict control over the storage and accessibility of media that contains cardholder data.
A. All sensitive data is to be kept in a file or secured area which is accessible by management only.
B. The file cabinet or safe containing confidential information is to be locked during business hours as well as after hours.

XI. PCI DSS Requirement 9.10
Destroy media containing cardholder data when it is no longer needed for business or legal reasons. (Media Destruction Form)
A. Requirement 9.10.1: Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed.
B. Document the description of the stored data you are destroying, and the date and method of destruction, on the Media Destruction Form.
C. Management is to sign and date the Form, and it is to be kept in the Compliance Binder.

XII. PCI DSS Requirement 12.8
If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers. (Service Provider Form and Service Agreement)
A. Maintain a list of service providers who would have access to any POS system or to any credit card data. This also includes those individuals or companies which maintain gas pumps.
B. Determine with whom you share your customers' cardholder data. Be sure to include all other companies or individuals who are not your employees on the Service Provider Form.
C. Maintain a written agreement that includes an acknowledgement that the service provider is responsible for the security of the cardholder data the service provider possesses.
D. Monitor service providers' PCI DSS compliance status by requesting a copy of their annual SAQ.

XIII. PCI DSS Requirement 12.8.3
Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.
A. Only engage contracted work with industry-approved vendors and check the references of such vendors.

XIV. PCI DSS Requirement 12.9
Implement an incident response plan. Be prepared to respond immediately to a system breach.
A. If a breach occurs, please notify the Petroleum Card Services PROGuard compliance department at 1-866-427-7297 x295. If PROGuard is unavailable, please contact the Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.

Once you have read and agree to these policies, please print and initial the Policy Acknowledgement SAQ B Form and return the form to PCS. You now have all the policies necessary to continue and take the SAQ. Please keep these policies and forms in a compliance binder at your location for easy access.