UA Information Security
Campus Banking & Merchant Services works with UA Information Security to provide guidelines and resources for our banking and merchant departments. The University of Arizona seeks to ensure that all individuals using, accessing, storing, transmitting, controlling, or managing University information assets understand their responsibility in reducing the risk of compromise, and take appropriate security measures to protect those assets. For information security resources, go to: http://security.arizona.edu
All merchants that utilize bank/credit cards to collect funds for goods and services must meet Payment Card Industry Data Security Standards (PCI-DSS) set by the banks and payment card brands such as Visa, MasterCard, Discover and American Express. The PCI standards can be found at https://www.pcisecuritystandards.org/. The mandatory standards are set to prevent or reduce risk of credit card information being stolen. If card numbers are taken without authorization through the merchant systems or processes, it is considered a breach and the Merchant department is held responsible and accountable.
Reputational impact and financial ramifications of a breach include damaged public trust, forensic costs, fines from card brands, replacement of breached customer credit cards, payment of credit monitoring for each customer for a year, and annual report of compliance assessments by a qualified security assessor. It has been reported that a minimal breach event would cost $250,000.
PCI-DSS compliance is taken very seriously at the UA. Each merchant must assign a merchant responsible person (MRP) to monitor, document and manage credit card processes and security. All systems and processes that "touch," control, or have the potential to affect the credit card customer experience are within compliance guidelines.
Compliance documentation is essential. Campus and Merchant Services have developed documentation guidelines and templates to assist each merchant department. The following PCI-DSS compliance documents are to be available for auditor/assessor review at all times:
- Annual Merchant Agreement
- Merchant Department Self-Assessment Questionnaire (SAQ)
- Third Party PCI and Security Validations
- Visa Global Registry of Service Providers
- PCI SSC List of PA-DSS Validated Payment Applications
- Vendor Qualified Security Assessor validation reports
- Department Merchant Credit Card Policy
- Department Incident Response Procedure/Plan
- Credit Card Handling Procedures
- Credit Card Process Flow Chart
- System/Network Map / Firewall Rules (if applicable)
- Department Security Awareness Training and Training Log
- Staff Signed Credit Card Security Awareness Acknowledgements
- Quarterly ASV External Scans and Internal Application and Server Scan Information (if applicable)
Campus Banking & Merchant Services is available to assist in developing and maintaining PCI-DSS compliance.
Please contact firstname.lastname@example.org for further information or assistance.
UA Information Security PCI Compliance and Incident Reporting
UA Information Security and campus stakeholders have established policies, standards, procedures and guidelines to assist departments in meeting their security obligations.
Suspected incidents must be reported to both UA Information Security and Campus Banking and Merchant Services.
Credit Card Fraud Prevention
The best fraud prevention is the individual. Awareness is the key to preventing fraud from occurring. The following steps will help stop credit card fraud:
- Make sure the name that prints on the receipt matches the card member name on the front of the card.
- Match the embossed card number on the front of the card to the last four (4) credit card numbers printed on the merchant receipt.
- Always credit or refund to the original card used in the transaction. If the card has been lost or replaced, the credit card company will ensure that the customer receives the credit. Do not refund to another card even if requested by the customer, as this is a common practice with stolen cards.
- In case of an "Authorization required", or "Code 10" prompt at authorization, do not allow the customer to contact the bank. The merchant must always contact the bank directly or ask the customer for another form of payment.
- In a face-to-face transaction, do not accept a customer's verbally furnished credit card number. A credit card must be presented for swipe.
- If you suspect that the customer is attempting a fraudulent transaction, alert your management and follow the security policy established by your department.
A card may have been altered if you see one or more of the following on a card:
- Painted or taped over signature panel
- A "halo" of previous name or number can be seen where the card may have been re-embossed
- Card surface looks dull or lacks detail
- Card surface is bumpy or bent around the edges
- Magnetic stripe is deliberately scratched or destroyed