PCI Team Tuesday May 21st 2019
Agenda
• Card Activity Trend
• Merchant compliance status 2019
• Payment Card Acceptance policy and procedures
• QSA Services
• Annual Treasury Institute PCI meeting
• Talech/iPad Point of Sale
• AmEx Acceptance
• Elavon Level 3 and Small Ticket Program Savings
• PCI Program Audit Baker Tilly
• Tagging PCI devices on the network
• Security awareness training
3. Policy and Procedures
• Review policy
• Review procedures
4. QSA Services
• Campus Guard
• Services: portal, scanning, consulting, annual visit (May 29)
• Cost $16,800/year, $4200/quarter shared by (BAO, IS, Athletics, Housing/Dining, Parking, Student Life)
5. Annual Treasury Institute PCI meeting
• 133 Colleges and Universities
• 3G cellular terminals losing connectivity, 4G terminals coming
• Strategy: P2PE, dedicated hw, SP that is MOR, anything from acquirer
• Ohio State outsources their PCI program admin for $95K
• HECVAT cloud vendor assessment tool
• Common Point of Purchase CPP
• Create OneDrive folder for list of SPs, unit procedures…
• Rudolphe Simonetti Verizon Payment Security Report, Requirements 10 logging (outsource) and 11 scan and pen testing have lowest compliance. Is PCI still relevant?
• Card transaction volumes rising
• Easiest data to turn to cash
• P2PE and EMV help secure card present but not ecommerce
5. Annual Treasury Institute PCI meeting…
• UW notified level 2 and told to be compliant by year end. Created new four person merchant services office.
• U Central Florida meets with GC and PCS annually to review PCI data security addendum
• Cornell 6% annual increase in card spend, PCI tabletop facilitated by Campus Guard
• Bluefin does mobile P2PE w/o EMV. Have many partners certified on their gateway.
• FBI, Business Email Fraud losses $1.3B in 2018 (doubled each of last 3 years). Property related losses huge in Florida.
• UNC analog phone lines being replaced with VOIP so switching from dedicated hw to P2PE with NFC
• Apple Card no number, uses chip and name and generates single use numbers
• Princeton using Venmo (Peer2Peer) with Braintree account for alumni donations
• NJ, Philly, MA ban cashless, NY and San Fran considering same
6. Talech/iPad Point of Sale
• Jaqua Café
• JSMA Gift Shop
7. AmEx Acceptance
• Elavon made a change that made reconciling AmEx easier
• Asked Elavon about cost of accepting AmEx relative to Visa/MCard
• Public Sector Education interchange category lower cost
• Enabled all ecommerce channels and payment card terminals mid April, Micros/FreedomPay end April 2019
8. Elavon Interchange Savings Programs
• Executed two addendums to our contract with US Bank/Elavon in Dec 2018, enrolling us in Elavon’s small ticket and level 3 interchange reduction programs.
• Elavon negotiated small ticket program directly with Visa and MCard
• Applies only to our parking merchant accounts, unfortunately food and beverage merchants not eligible.
• Savings of $1500/month split between University Parking and Elavon
8. Elavon Interchange Savings Programs
• The Level 3 program is available to all processors. Elavon enrolls any of our merchants it is able to provide level 3 data for.
9. PCI Program Audit Baker Tilly
• Audit conducted in April
• Report being finalized
• Will share with team
• Anticipate incorporating PCI program in some way into new IS Information Security Framework
10. Tagging PCI devices
• IS security team created a process for merchants to tag their devices
• This gives IS visibility of card data flow on network
• Helps us segment and document our Card Data Environment (CDE)
11. PCI Security Awareness Training
• Merchant requirement 12.6
• Two online classes in My Track
• Short version for payment processors
• Longer version for business/management/IT
• If SANS cyber security awareness training becomes required for all employees we could shorten the PCI versions