Stay informed on trends, compliance status, acceptance policies, and audit updates at the May 21st PCI team meeting. Learn about QSA services, annual treasury meeting insights, AmEx acceptance, Elavon programs, and security training.
PCI Team Tuesday May 21st 2019
Agenda
• Card Activity Trend
• Merchant compliance status 2019
• Payment Card Acceptance policy and procedures
• QSA Services
• Annual Treasury Institute PCI meeting
• Talech/iPad Point of Sale
• AmEx Acceptance
• Elavon Level 3 and Small Ticket Program Savings
• PCI Program Audit Baker Tilly
• Tagging PCI devices on the network
• Security awareness training
3. Policy and Procedures
• Review policy
• Review procedures
4. QSA Services
• Campus Guard
• Services: portal, scanning, consulting, annual visit (May 29)
• Cost $16,800/year, $4200/quarter shared by (BAO, IS, Athletics, Housing/Dining, Parking, Student Life)
5. Annual Treasury Institute PCI meeting
• 133 Colleges and Universities
• 3G cellular terminals losing connectivity, 4G terminals coming
• Strategy: P2PE, dedicated hw, SP that is MOR, anything from acquirer
• Ohio State outsources their PCI program admin for $95K
• HECVAT cloud vendor assessment tool
• Common Point of Purchase CPP
• Create One Drive folder for list of SPs, unit procedures…
• Rudolphe Simonetti Verizon Payment Security Report, Requirements 10 logging (outsource) and 11 scan and pen testing have lowest compliance. Is PCI still relevant?
• Card transaction volumes rising
• Easiest data to turn to cash
• P2PE and EMV help secure card present but not ecommerce
5. Annual Treasury Institute PCI meeting…
• UW notified level 2 and told to be compliant by year end. Created new four person merchant services office.
• U Central Florida meets with GC and PCS annually to review PCI data security addendum
• Cornell 6% annual increase in card spend, PCI tabletop facilitated by Campus Guard
• Bluefin does mobile P2PE w/o EMV. Have many partners certified on their gateway.
• FBI, Business Email Fraud losses $1.3B in 2018 (doubled each of last 3 years). Property related losses huge in Florida.
• UNC analog phone lines being replaced with VOIP so switching from dedicated hw to P2PE with NFC
• Apple Card no number, uses chip and name and generates single use numbers
• Princeton using Venmo (Peer2Peer) with Braintree account for alumni donations
• NJ, Philly, MA ban cashless, NY and San Fran considering same
6. Talech/iPad Point of Sale
• Jaqua Café
• JSMA Gift Shop
7. AmEx Acceptance
• Elavon made a change that made reconciling AmEx easier
• Asked Elavon about cost of accepting AmEx relative to Visa/MCard
• Public Sector Education interchange category lower cost
• Enabled all ecommerce channels and payment card terminals mid April, Micros/FreedomPay end April 2019
8. Elavon Interchange Savings Programs
• Executed two addendums to our contract with US Bank/Elavon in Dec 2018, enrolling us in Elavon’s small ticket and level 3 interchange reduction programs.
• Elavon negotiated small ticket program directly with Visa and MCard
• Applies only to our parking merchant accounts, unfortunately food and beverage merchants not eligible.
• Savings of $1500/month split between University Parking and Elavon
8. Elavon Interchange Savings Programs
• The Level 3 program is available to all processors. Elavon enrolls any of our merchants it is able to provide level 3 data for.
9. PCI Program Audit Baker Tilly
• Audit conducted in April
• Report being finalized
• Will share with team
• Anticipate incorporating PCI program in some way into new IS Information Security Framework
10. Tagging PCI devices
• IS security team created a process for merchants to tag their devices
• This gives IS visibility of card data flow on network
• Helps us segment and document our Card Data Environment (CDE)
11. PCI Security Awareness Training
• Merchant requirement 12.6
• Two online classes in My Track
• Short version for payment processors
• Longer version for business/management/IT
• If SANS cyber security awareness training becomes required for all employees we could shorten the PCI versions