Campus Banking & Merchant Services works with University Information Security to provide guidelines and resources for our banking and merchant departments. The University of Arizona seeks to ensure that all individuals using, accessing, storing, transmitting, controlling, or managing University information assets understand their responsibility in reducing the risk of compromise, and take appropriate security measures to protect those assets. Refer to University Information Security for resources.
All merchants that utilize bank/credit cards to collect funds for goods and services must meet Payment Card Industry Data Security Standards (PCI-DSS) set by the banks and payment card brands such as Visa, MasterCard, Discover and American Express. The mandatory standards are set to prevent or reduce risk of credit card information being stolen. If card numbers are taken without authorization through the merchant systems or processes, it is considered a breach and the merchant department is held responsible and accountable.
The reputational and financial ramifications of a breach include damaged public trust, forensic costs, fines from card brands, replacement of breached customer credit cards, payment of credit monitoring for each customer for a year, and annual report of compliance assessments by a qualified security assessor. It has been reported that a minimal breach event would cost $250,000.
PCI-DSS compliance is taken very seriously at the University. Each merchant must assign a merchant responsible person (MRP) to monitor, document and manage credit card processes and security. All systems and processes that touch, control, or have the potential to affect the credit card customer experience fall within the scope of the compliance guidelines.
Compliance documentation is essential. Campus Banking & Merchant Services has developed documentation guidelines and templates to assist each merchant department. The following PCI-DSS compliance documents are to be available for auditor/assessor review at all times:
- Current Merchant Agreement establishing Merchant Responsible Person (MRP)
- Credit Card Handling Procedures
- Credit Card Process Flow Chart
- Department Incident Response Procedure/Plan
- Department Merchant Credit Card Policy
- Department Security Awareness Training and Training Log
- Merchant Department Self-Assessment Questionnaire (SAQ)
- Quarterly ASV External Scans and Internal Application and Server Scan Information (if applicable)
- Staff Signed Credit Card Security Awareness Acknowledgements
- System/Network Map / Firewall Rules (if applicable)
- Third Party PCI and Security Validations
- PCI SSC List of PA-DSS Validated Payment Applications
- Point-to-Point Encryption Solution Validation (if using a point-to-point device)
- Vendor SAQ D for Service Providers and Attestation of Compliance
Campus Banking & Merchant Services is available to assist in developing and maintaining PCI-DSS compliance.
Please contact FNSV-Banking-And-Merchant-Services@arizona.edu for further information or assistance.
Information Security PCI Compliance and Incident Reporting
Information Security and campus stakeholders have established policies, standards, procedures and guidelines to assist departments in meeting their security obligations.
Suspected incidents must be reported to both Information Security and Campus Banking and Merchant Services.
Credit Card Fraud Prevention
The best fraud prevention is the individual. Awareness is the key to preventing fraud from occurring. The following steps will help stop credit card fraud:
- Make sure that the card is inserted first. If the card is not accepted, ask for another card.
- Make sure the name that prints on the receipt matches the card member name on the front of the card.
- Match the embossed card number on the front of the card to the last four (4) digits of the card number printed on the merchant receipt.
- Always credit or refund to the original card used in the transaction. If the card has been lost or replaced, the credit card company will ensure that the customer receives the credit. Do not refund to another card even if requested by the customer, as this is a common practice with stolen cards.
- In case of an "Authorization Required" or "Code 10" prompt at authorization, do not allow the customer to contact the bank. The merchant must always contact the bank directly or ask the customer for another form of payment.
- In a face-to-face transaction, do not accept a customer’s verbally furnished credit card number. A credit card must be presented for swipe/insert.
- If you suspect that the customer is attempting a fraudulent transaction, alert your management and follow the security policy established by your department.
A card may have been altered if you see one or more of the following signs on the card:
- Painted or taped over signature panel
- A halo of previous name or number can be seen where the card may have been re-embossed
- Card surface looks dull or lacks detail
- Card surface is bumpy or bent around the edges
- Magnetic stripe is deliberately scratched or destroyed