Settings
Language
Color Theme
Secure Credit Card Handling
When handling credit cards, it is crucial to adhere to stringent protocols and employ robust security measures to keep credit card information safe and secure.
Is the following statement True or False:
It's ok to store credit card information on a Post-it note as long as you throw it away after.
Where possible, avoid writing or documenting credit card information in a physical format. These documents can be easily viewed or stolen, and the information on them can be abused. If writing the information down is unavoidable, ensure the document is securely disposed of (e.g., shredded) when no longer needed. Avoid simply throwing it in the bin.
View Options Again
True
False
Understanding the Risks
Handling credit cards without proper security measures can expose both the cardholder and the receiving business to financial losses and fines! It can also impact customer trust and increase the risk of fraud or identity theft.
Protecting Credit Cards
There is no silver bullet to protecting credit cards. A mixture of secure processes, technologies, and trusted individuals is needed. Over the next few pages, we'll delve into all aspects of compliance, privacy, and security.
Compliance Obligations
Let's understand what the Payment Card Industry Data Security Standards (PCI-DSS) are and why they're important.
Purpose and Origin
Enforcement and Compliance
Repercussions of Non-Compliance
PCI-DSS was developed to establish a standardized security framework for organizations handling credit card information. It was introduced by major credit card brands, including Visa, Mastercard, American Express, Discover, and JCB (known as the PCI Security Standards Council). Its primary goal is to prevent data breaches and reduce fraud.
PCI-DSS compliance is enforced by credit card brands and banks, which require organizations to comply with the standard as a condition for accepting credit cards. The volume of annual credit card transactions a business processes dictates whether compliance is assessed through self-assessment questionnaires or by Qualified Security Assessors.
Non-compliance with PCI-DSS can have significant consequences for businesses, including financial penalties from credit card providers, increased transaction fees by banks, and potential loss of the ability to process credit card payments. Additionally, banks may terminate their relationship with non-compliant businesses due to the risk they pose.
What is the Cardholder Data Environment (CDE)?
In the context of PCI-DSS, the CDE is a critical component. Any person, process or technology that interacts with credit cards is considered part of the CDE and must adhere to PCI-DSS requirements.
What is PCI-DSS and what is its goal?
The Payment Card Industry Data Security Standards (PCI-DSS) are a security framework for organizations handling credit card information. Its primary goal is to prevent data breaches and reduce credit card fraud.
View Options Again
A regulator made up of major credit card brands. Its primary goal is to determine who can process credit card transactions.
A security framework for organizations that handle credit card information. Its primary goal is to prevent data breaches and reduce fraud.
A type of encryption protocol designed specifically to protect credit card data.
An international policing task force. Its primary goal is to find and prosecute individuals performing credit card fraud.
What's a potential impact of PCI-DSS non-compliance?
Non-compliance with PCI-DSS can have significant consequences for businesses, including financial penalties from credit card providers, increased transaction fees by banks, and potential loss of the ability to process credit card payments. Additionally, banks may terminate their relationship with non-compliant businesses due to the risk they pose.
View Options Again
Banks may increase their transaction fees.
All options are correct.
Credit card providers may impose financial penalties and fines.
Banks may terminate their relationship with non-compliant businesses.
Employee Roles & Responsibilities
Understanding who has what responsibility when it comes to handling credit cards is a crucial part of keeping them safe and secure! Let’s delve into a few key roles and the responsibilities they each have.
Data Custodians
IT Security Administrators
Compliance Officer
Data Custodians handle and maintain cardholder data on a day-to-day basis. They must follow strict data handling procedures such as ensuring encryption is used where possible, limiting access to authorized personnel, using secure storage, and following secure disposal practices.
The IT Security Administrator is responsible for implementing and managing technical security controls, such as firewalls, intrusion detection systems, and encryption. They monitor network activity, conduct vulnerability assessments, and ensure that systems are properly configured and updated to protect cardholder data.
The Compliance Officer is responsible for overseeing the organization's adherence to the PCI-DSS requirements. They ensure that policies and procedures are in place, perform regular audits and assessments, and coordinate with internal teams and external auditors to maintain compliance.
Is the following statement True or False:
A Data Custodian is responsible for handling cardholder data on a day-to-day basis.
Data Custodians handle and maintain cardholder data on a day-to-day basis. They must follow strict data handling procedures such as ensuring encryption is used where possible, limiting access to authorized personnel only, using secure storage, and following secure disposal practices.
View Options Again
True
False
Data Custodian Best Practices
Let's go through some general best practices you can follow as a Data Custodian to ensure you're accepting, storing, and disposing of credit cards securely.
Secure Card Acceptance
Secure Card Storage
Secure Card Disposal
When accepting credit cards, it's crucial to ensure that the method of transmission is secure from interception and that there isn't unnecessary logging, which may inadvertently record credit card information. Examples of this include call recordings, email logging, network logging, and more.
Ensure any stored credit cards are secured using appropriate security controls. This includes keeping credit cards within the defined cardholder data environment (CDE) and the use of systems designed to store credit cards. Do not store credit card information on personal USBs, unencrypted removable hard drives, or on unauthorized cloud storage.
When a credit card is no longer required, it's crucial to ensure it's securely disposed of. This could include shredding any printed documents or receipts or using a secure digital deletion method that's relevant to the type of digital storage used (e.g., Cryptographic erasure, data wiping, degaussing, or physical destruction).
Is the following statement True or False:
It's ok for a Data Custodian to store credit card information on a personal computer or USB.
Credit card information should never leave the cardholder data environment (CDE) as defined by the business. Storing credit cards on personal devices can be considered a potential data breach and unnecessarily exposes customer information to potentially less secure processes or technologies.
View Options Again
True
False
Wrapping up
Secure credit card handling is a team effort. Compliance Officers need to implement effective policies, Security Administrators need to implement effective controls, and Data Custodians need to follow defined policies, procedures, and processes.
Back
Next
Color Theme And Background Selector
×
Colorful Theme
Select Theme
Blue Theme
Select Theme
Light Theme
Select Theme
Purple Theme
Select Theme
Green Theme
Select Theme
Dark Theme
Select Theme
