
PCI Compliance
Confidential data, destroy when discarding

PCI Procedure <College / Program Center>

<College / Program Center> accepts Visa, MasterCard, Discover and One Card, Cash, Check and Money Order as valid payment methods. <College / Program Center> has adopted the following procedures to meet the PCI compliance standards.

Roles and Responsibilities

Role                      Responsibilities
<Dean / Program Center>   <Assumes the credit card processing agreement and risks associated with PCI compliance.>
<Manager>                 <Oversees day to day credit card processing operations, maintaining the user and inventory logs, and reviews / updates procedure.>
<Supervisor>              <Oversees day to day credit card processing operations, training of staff, perform refunds, and disposal of cardholder data.>
<Staff>                   <Process credit cards>


User Provisioning and De-Provisioning:

<College / Program Center> has completed the necessary documents for User Provisioning and De-Provisioning into the (Application). The following documents have been completed using the steps from the Information Security Office User Provisioning and De-Provisioning training site for documentation and templates.

http://www.csus.edu/security/training&awareness/userprovisioning/index.html

User Provisioning Analysis
User Provisioning Procedures
Account access Request
User Provisioning Access Log
User Provisioning Audit Report



Patch Management:

<College / Program Center> has completed the necessary documents for Patch Management on workstation, server and credit card application. The following documents have been completed using the steps from the Patch Management training site for documentation and templates.

http://www.csus.edu/irt/is/training&awareness/patchmanagement/index.html

Patch Procedures
Patch Management Log
Technical Hardening Work Sheet



Processing Credit Cards:

<College / Program Center> uses <Terminal Type / Point of sale system / web-software application> to process credit cards. For face to face transactions a terminal is used to gather the customer’s payment information. These terminals are batched out at the end of the day according to the terminal processing procedures. For transactions by phone or by mail we use a workstation assigned to dedicated payment staff. These staff members follow the workstation processing procedure as outlined below.

Terminal processing procedure:

1) The staff member provides the customer with the total amount due.

2) Inquires on the payment method.

3) Once the customer informs the staff member they intend to pay with credit card, the staff member verifies the name on the credit card matches the name on their personal identification card (Sac State One Card, CA DMV ID, or Driver’s License).

4) The staff member uses the terminal they have been assigned to swipe the customer’s credit card information to be transmitted to <processor>. The terminal prompts for the following information: <amount due, the last four of the credit card number, and verification to check that the total to be charged is accurate before pressing enter to complete the transaction.>

   a. The terminal prints two receipts, one for the customer’s record and one for signature.

   b. The cashier keeps the signed receipt in his/her drawer until the end of the work shift. He/she keeps his/her cash drawer locked at all times when away from their assigned work space.

   c. At the end of the day, the cashier prints and uses the financial reconciliation report to balance out of their credit card terminal.

   d. The cashier checks that the MasterCard and Visa total on the system’s financial reconciliation report matches the totals on the credit card terminal balancing report.

      i. If both totals match, the cashier prompts the credit card terminal to settle the batch. This last step communicates all the financial transactions to <Merchant Services> and in doing so, removes all financial transactions from the credit card terminal.

   e. The cashier then staples all their credit card receipts to the settlement batch and balancing report and submits it along with their deposit.

5) The cashier verifies with the <Supervisor/Manager> that the batch out process for their terminal has been completed.

6) Cashiers lock their deposit, which includes their credit card receipts, in the <Department safe / SECURE room>.

7) This safe is locked at the end of the day by the <Supervisor / assigned staff> and the secure room log updated.

Workstation or Point of Sale:

1) Cashiers are assigned a <work station for the day and the corresponding credit card terminal located at that particular work station>.

2) Cashiers are instructed to place a sign at their workstation that identifies the workstation is available for use by any other cashiers not assigned a workstation.

   a. This prevents two users from using the same workstation.

3) Cashiers are instructed to maintain their credit card receipts in their cash drawers at all times.

4) Cashiers are instructed to lock their workstations and their drawers anytime they leave their workstation.

5) Cashiers are instructed to only use appropriate applications for credit card processing while on the assigned workstation. Internet use is strictly prohibited while using an assigned credit card processing workstation.

6) End of the day batch process sheets are updated with totals taken by the cashier and submitted to their <Supervisors / Manager> to verify the totals.

7) Cashiers lock their deposit, which includes their credit card receipts, in the <Department safe / SECURE room>.

8) This safe is locked at the end of the day by the <Supervisor / assigned staff> and the secure room log updated.

Data Retention [1]

Physical Retention

Any and all documents that contain cardholder data in a physical non-encrypted state must be destroyed within 90 days of the transaction. Non-electronic media must be cross-cut shredded, incinerated, or pulped.

Only those roles identified above are authorized to physically destroy cardholder data. All activity must be logged in the Data Disposal log located at <file location>.

Electronic Retention

Any and all systems that use or access stored cardholder data must be encrypted using appropriate standards. Strong cryptography (e.g., Triple-DES, AES, etc.) must be used. The cryptography must be certified by NIST or a similar organization. Documented procedures and responsibilities for key management must be established. The procedures must address key rotation, key storage, key selection, key escrow, and key handling. These records may be stored for up to three years using the encrypted status. Only those roles identified above are authorized to electronically destroy cardholder data. All activity must be logged in the Data Disposal log located at <file location>.



Disposal of PCI data

PCI data is classified as Level 1 data as defined at California State University Sacramento. As such, when disposing of PCI data department staff follows the procedures outlined at http://www.csus.edu/irt/is/services/datadestruction.html. A log of disposal activities must be maintained by <supervisor / manager>. The log of disposal activities at minimum must include Name / Title of the disposing party, a description of the items disposed, Date of disposal, and the method of disposal.


Incident Reporting

In the event you experience a data breach, misuse or the theft of cardholder data you must contact your supervisor / manager. The supervisor is required to send a notification of the breach to the Information Security Office and Student Financials Office. In the event your supervisor / manager is not accessible, contact the Information Security Office and Student Financials Office directly. Once a request has been sent all activities that may delete, modify or corrupt logs and audit records should be immediately terminated. The Information Security Office will follow up with the investigation of the incident.

<Supervisor / Manager(s)>           <title>                                              <Contact Phone>   <Contact Email>      <Other>
Information Security Office                                                              916-278-1999      iso@csus.edu
Student Financial Services Center   Caryl Vickers-Harper, Assistant Director & Cashier   916-278-6559      vickersca@csus.edu

[1] As defined by PCI Standards 1.2 and CSU Information Security Standards


Log Review and Audit

There are a variety of logs generated as part of the PCI compliance process. These logs are reviewed according to the schedule listed below by the position listed in associated log type. After each log or document has been reviewed an entry will be made into the review log which is maintained by the <Manager / Supervisor>. The log of reviewing activities at minimum must include Name / Title of the reviewing party, a description of the items reviewed, Date of review, and the actions taken.

Log                     Review Period   Reviewer By Title
Access                  Weekly          <Manager / Supervisor>
Data Disposal           Quarterly       <Manager / Supervisor>
Patch Management        Monthly         <Manager / Supervisor>
User Management         Monthly         <Manager / Supervisor>
Policy and Procedures   Annually        ALL
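The retention limits and required Data Disposal log fields from the Data Retention and Disposal of PCI data sections, together with the review schedule in the table above, can be checked mechanically. The following Python script is an added example, not part of the procedure template or the university's tooling; the day counts used for "quarterly" and "three years", the record and log-entry field names, and all sample data are assumptions constructed for this example.

```python
from datetime import date, timedelta

# Limits, approved methods and required log fields as stated in the procedure.
PHYSICAL_MAX_DAYS = 90          # unencrypted paper: destroy within 90 days of the transaction
ELECTRONIC_MAX_DAYS = 3 * 365   # encrypted electronic copies: up to three years (assumed 1095 days)
APPROVED_PAPER_METHODS = {"cross-cut shred", "incinerate", "pulp"}
REQUIRED_LOG_FIELDS = ("name_title", "description", "date", "method")
# Review schedule from the Log Review table; the day counts are this example's assumption.
REVIEW_PERIOD_DAYS = {"Access": 7, "Data Disposal": 91, "Patch Management": 30,
                      "User Management": 30, "Policy and Procedures": 365}

def retention_violations(records, today):
    """Ids of records held past the limit for their medium ("physical" or "electronic")."""
    limit = {"physical": PHYSICAL_MAX_DAYS, "electronic": ELECTRONIC_MAX_DAYS}
    return [r["id"] for r in records
            if today - r["transaction_date"] > timedelta(days=limit[r["medium"]])]

def disposal_log_problems(entries):
    """(index, problem) pairs for Data Disposal log entries that miss a required field
    or record an unapproved destruction method for non-electronic media."""
    problems = []
    for i, e in enumerate(entries):
        missing = [f for f in REQUIRED_LOG_FIELDS if not e.get(f)]
        if missing:
            problems.append((i, "missing " + ", ".join(missing)))
        if e.get("medium") == "physical" and e.get("method") not in APPROVED_PAPER_METHODS:
            problems.append((i, "unapproved method: " + str(e.get("method"))))
    return problems

def overdue_reviews(last_reviewed, today):
    """Log types whose last review is older than the scheduled period (never reviewed counts)."""
    return sorted(log for log, days in REVIEW_PERIOD_DAYS.items()
                  if today - last_reviewed.get(log, date.min) > timedelta(days=days))

# Constructed sample data, not taken from the procedure.
TODAY = date(2009, 6, 1)
RECORDS = [{"id": "R1", "medium": "physical", "transaction_date": date(2009, 2, 1)},
           {"id": "R2", "medium": "physical", "transaction_date": date(2009, 4, 15)},
           {"id": "R3", "medium": "electronic", "transaction_date": date(2006, 5, 1)},
           {"id": "R4", "medium": "electronic", "transaction_date": date(2006, 7, 1)}]
LOG = [{"name_title": "J. Doe / Supervisor", "description": "Feb receipts", "date": TODAY,
        "method": "cross-cut shred", "medium": "physical"},
       {"name_title": "J. Doe / Supervisor", "description": "Mar receipts", "date": TODAY,
        "method": "recycling bin", "medium": "physical"},
       {"name_title": "", "description": "old batch exports", "date": TODAY,
        "method": "secure wipe", "medium": "electronic"}]
LAST_REVIEWED = {"Access": date(2009, 5, 29), "Data Disposal": date(2009, 1, 5),
                 "Patch Management": date(2009, 5, 20), "User Management": date(2009, 4, 1)}
```

Running the three functions over the sample data flags R1 and R3 as held too long, the "recycling bin" entry and the entry with no name/title as log problems, and the Data Disposal, User Management and never-reviewed Policy and Procedures logs as overdue.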


Document Change Log:

The Information Security Office is responsible for maintaining this document template.

Name        Date      Brief Description
Jon Smith   1/28/09   Created Document
Jane Doe    2/15/09   Meeting with staff to update procedures document
Jane Doe    2/24/09   Meeting with technical staff to review patch management process
Jane Doe    2/25/09   Updated data retaining procedure with new service and technical contacts for data storage.

Name: _________________________________________________

Sign: ___________________________________________________

Date: ___________________________________________________

Supervisor Signature: ______________________________________