October is Cybersecurity Awareness Month
Anyone at Case Western Reserve University who accepts payment for goods, services or events should be aware of safe credit card transaction practices, also known as PCI (Payment Card Industry) compliance. Payment Account Number (PAN) or Credit Card Number (CCN) data is considered restricted data, requiring the most stringent controls to maintain confidentiality.
Authorized payment processes
Only those payment processes approved by the Office of the Treasurer are authorized. Contact firstname.lastname@example.org to initiate a request for approval.
Most people rely on credit card point-of-purchase terminals like the Square or Verifone card swipe readers. These terminals encrypt the card data both at rest and in transit while the transaction is processed, and keep it from reaching the user’s local workstation or the campus network.
Over the phone
Some approved phone collection processes involve entering the CCN from a phone conversation directly into the payment portal, or using the card terminal equipment. Never write down the numbers for later key entry or store them in an online file.
Face-to-face transactions should use a point-of-sale device that encrypts the CCN both at rest and in transmission to the payment clearinghouse.
Websites handling credit card transactions should not record or store the credit card data. Confirm with the software developer that the data is not stored after the transaction is completed.
On computers/in emails
CCNs should never be stored in plain text on the user’s workstation or laptop, and should never be transmitted via email.
Those who have conducted transactions via email should obtain the Spirion application from the [U]Tech Software Center. Use Spirion to scan both the hard drive and email, and to cleanly remove any confidential data such as CCNs or Social Security Numbers that may be stored "in the clear" on a workstation.
Visit [U]Tech’s Information Security Office website for security tips and news.