UCSF Credit Card Merchant Responsibility Agreement

Credit Card Merchants, both in person and through e-commerce, have a significant responsibility when it comes to handling credit card payments safely. Ensuring the security of customer credit card information is not only essential for protecting the customers but also for maintaining the trust and reputation of the University. Failure to meet these responsibilities can lead to data breaches, financial penalties, and damage to the reputation of the business.

Here are the key responsibilities merchants have in handling credit card payments safely. It is crucial for merchants to prioritize the security of credit card data to protect both their customers and UCSF. Failure to adhere to the Merchant Services agreement can result in termination of credit card payment acceptance privileges.

PCI DSS Compliance: Merchants must comply with the Payment Card Industry Data Security Standard (PCI DSS). This set of security standards outlines requirements for the secure processing, storage, and transmission of cardholder data. Compliance will involve regular assessments, scans, and audits to maintain the security of cardholder information. 

Secure Payment Processing: Merchants should use secure payment processing systems that have been approved by UCSF, whether in-store, online, or through mobile devices. Implementing additional payment gateways without prior approval by IT and Merchant Services, following completion of a full Risk Assessment, is prohibited.

Data Encryption: Approved credit card equipment and processing services ensure that all credit card data is encrypted when stored, processed, or transmitted. Utilizing any payment processing equipment or services in a manner other than that in which it was configured and approved by IT and Merchant Services is prohibited.

Access Control: Access to cardholder data must be restricted to authorized personnel only. Limit access on a need-to-know basis and assign unique user IDs to individuals with access. Regularly review and update access controls, and be prepared to submit updated logs of authorized personnel at any time, listing staff who have been added or terminated, with dates and systems.

Secure Network: Data Security maintains a secure network by using firewalls and intrusion detection systems to protect against data breaches. Change default passwords on network devices and keep software and firmware up to date only according to UCSF operational policies and guidelines. 

Regular Software Updates: Keep all software, especially point-of-sale systems, payment processing software, and operating systems, up to date with security patches to protect against vulnerabilities. To do this, you must ensure that payment terminals are batched and rebooted regularly so that updates can be picked up and installed. Please follow the user guides for instructions on the terminals in your department.

Physical Security: Implement physical security measures to prevent unauthorized access to cardholder data. This includes safeguarding point-of-sale terminals and ensuring secure storage of any physical records that contain credit card information.  

Inspection of Physical Point of Sale Terminals for Tampering or “Skimming” Devices: User guides are available for each terminal engaged for use within the UCSF system. Current inspection guides should be posted or available to staff at all times for daily inspection of terminals.  

Employee Training: Train employees on best practices for handling credit card data securely. This includes educating them about the importance of secure practices, how to recognize phishing attempts and altered terminals, and how to respond to security incidents.

Incident Response Plan: UCSF has established incident response plans to address any security breaches or suspected breaches promptly. These plans include procedures for notifying affected parties and the relevant authorities. Employees should be trained on how to respond to breach incidents, and procedure guides should be posted or readily available to staff at all times.

Regular Audits and Monitoring: Continuously monitor transactions and perform regular security audits to detect and respond to any suspicious activities. This can help identify and address potential threats and vulnerabilities. 

Data Retention Policy: UCSF limits the retention of credit card data to only what is necessary for business purposes. Securely dispose of any cardholder data that is no longer needed, per UCSF policy, and ensure that staff are current on training in the policy and guidelines.

Third-Party Vendors: Third-party vendors for payment processing must be submitted to Merchant Services for a formal Risk Assessment review and approval prior to engagement or disclosure of any confidential UCSF information. This process will ensure they are also PCI DSS compliant and have strong security measures in place.  

Customer Data Protection: Communicate clearly with customers about the security measures in place to protect their credit card information and how their data will be used.