Payment Card Processing Newsletter
April, 2016 issue
University of Nebraska—Lincoln
PCI Compliance Team
The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.
Contact Information
Information Technology Services (ITS)
Office of the Bursar
Download the printable PDF version of this newsletter here.
Newsletter Contents
Conversion from TSYS to Elavon is Nearing Completion
We are excited to have 43 merchant accounts active under Elavon. We have another 18 in the process of converting. This leaves just 4 more MIDs to go.
We understand the conversion has been a very time-consuming process for all involved. We’ve appreciated everyone’s patience and understanding throughout. We hope to be completely converted very soon.
Skimming Devices
Take a look at these YouTube videos showing a criminal placing a skimmer over a terminal. It’s that easy!
Annual Training Requirements for Card Handling
All parties handling cardholder data must adhere to specific training requirements in PCI V3.1. Since only your department knows which individuals are involved in card processing, the monitoring of this training is the department’s responsibility.
Cash Handling Training
All personnel connected in any way with cash handling, including payment card transactions, must review cash handling policies & procedures on a regular basis. A review should occur at least annually and documentation of this review should be retained within the department. The Cash Handling Policies & Procedures training is available here.
Security Awareness Training –Requirement 12.6
All personnel connected in any way with cardholder data need to annually complete security awareness training here.
Departments can contact Cheryl O’Dell with a listing of employees who need to complete the training if you’d like to request access for several instead of individual requests. Cheryl can also provide reporting so departments can ensure all employees have complied with this requirement.
Device Tampering Training –Requirement 9.9
All personnel must be trained to protect devices which capture payment card data through physical interaction (i.e. swipe, dip, or wave) with a payment card. Personnel must be trained to be aware of attempted tampering or replacement of devices, and terminals must periodically be inspected to look for tampering and substitution.
Two resources that we’ve found to be helpful are:
- PCI Security Skimming Prevention: Best Practices for Merchants
- Visa: Protect Your Merchant Terminals from Illegal Tampering
Either of these could be used for training within departments and, again, the department must document all who need training have received it.
Still Experiencing Terminal Issues? Please Report Them
Update IPs for QualysGuard Scans
Be Aware of Phishing Attempts
Phishing attempts seem to be on the rise everywhere. Do not click on any links that appear in emails unless you are certain the sender is legitimate. Here’s some great information on what to look for and how to report any incidents you see.
Merchant Connect Inactivity Will Cause Account to be Locked
We’ve had a few Merchant Connect users get locked out of their accounts for inactivity. Per Elavon, your account is locked after 90 days of inactivity. If you are locked out, proceed with “forgot password?” on the login page for assistance.
Use Firefox to View Monthly Statement in Merchant Connect
This past month, a user discovered Internet Explorer does not work to view your Monthly Statement in Merchant Connect. The result was gibberish. Firefox is able to view the statement without issue.