Coalfire Training 2014

Coalfire Training 2014

Specific Responses

During the actual training, and as can be seen on several of the slides, information that was shared by Coalfire was more general in nature, and does not necessarily reflect the policies and procedures in place at UC Riverside. Please find below an initial list of responses, based on the page number in the available PDF slide deck.

• Pg. 10 – EMV
  UCOP and UCR have made announcements regarding EMV readiness by October 2015. For more information, review the announcement on the SBS site(or see Appendix A here).
• Pg. 17 – Merchant Levels
  Currently, UCR is a level 4 merchant, but is moving closer to becoming a level 2 merchant. Level determination is made semi-annually by the Card Brands. When or if UCR were to become a level 2 merchant, all campus merchants would be notified appropriately.
• Pp. 29-30 – Responsibilities
• UCR’s validation reporting (SAQ) deadline is June, annually, or at the point of a change in the Merchant’s environment.
• Any significant changes to a merchant environment should be communicated and discussed with the campus credit card coordinator before making any change, per the UCR Annual Credit Card Merchant Agreement.
• Pg. 42 – Requirement 12
• VendorManagement
  UCR’s Campus Credit Card Coordinator must approve any contracts for services, software or equipment involved in processing credit cards.Additionally, in 2012 UC policy began requiring the UC confidentiality/Security addendum be added to all contracts for credit card services/processing.This should be considered when contracts are initiated or renewed.
• Security Awareness
  UCR has contracted with Coalfire to provide Security Awareness Training (S.A.T.)for all those involved in the merchant process.
• Pg. 64 – Mobile Payments
  Based on UC policy, UCR made an announcement regarding Mobile Payment platforms and their use. For more information, review the announcement on the UCR Accounting site (or see Appendix B below).

For any further questions or clarifications, please email .

Appendix A

EMV Campus Announcement

Date: Tue, 9/16/2014

RE: PCI - EMV Readiness Cutoff for UCR Merchants

Dear Campus Merchants,

To reduce fraud associated with credit card payments, all payment brands have established October 2015 as the deadline for merchants to comply with EMV chip cards (EMV = Europay MasterCard Visa). These chip-based cards reduce the risk of fraud specifically with face-to-face, card-present transactions.

From guidance released from all payment brands (Visa, MasterCard, Amex, Discover), any merchant that is not EMV ready by October 2015 will assume greater liability for fraudulent charges that could have been prevented by EMV. Currently, most fraud liability is carried by the issuing bank, not the merchant or merchant bank. EMV will not change the merchant’s liability related to a credit card data breach.

Please refer to the attached guidance from UCOP regarding EMV. Additionally, Vice Chancellor of Business and Administrative Services, Ron Coley, has endorsed that all UCR merchants become EMV ready by the October 2015 cutoff.

Please note that all BAMS-issued terminals are already EMV ready; however, a PIN pad add-on will be required. Details and training for merchants using these terminals will be announced in the coming months. Merchants with non-BAMS issued terminals must reach out to their respective hardware vendors for their vendor’s EMV-readiness plans. This specifically would encompass any Point-of-Sale (POS) system, dispenser with a card swipe, etc. In such cases, merchants need to request the vendor’s EMV-readiness plans in writing, including when and how implementation of new hardware, if required, will take place by October 2015.

If you have any questions, please e-mail us at .

Sincerely,

Josh Hoerger| Project Specialist
On Behalf of Asirra Suguitan, Campus Credit Card Coordinator

Appendix B

Third Party Merchant Services and Mobile Pay Devices

From: Bobbi McCracken, Associate Vice Chancellor of Financial Services & Controller
To: Msoadm list & CFAOs
Date: September 30, 2013, 4:19pm
Subject: Third Party Merchant Services and Mobile Pay Devices

There have been a number of inquiries regarding the use of third party merchant services and mobile pay devices, such as PayPal, Square and Stripe. Per Office of the President, at this time due to credit card security concerns and UC exclusive merchant services agreement with Bank of America, these credit card payment processing services CANNOT be utilized by any UC Entity. It is my understanding that no other UC campus merchants have been authorized to utilize these services. The UC policy covering credit card usage is available in the Business and Finance Bulletin BUS-49 and our local procedures UCR policy 200-17 Credit/Debit Card Acceptance.

UC does recognize that there is a potential benefit to the University due to the ease-of-setup, minimal startup fees, and convenience of these types of merchant services. Third party merchant service providers are making progress to improve the security concerns associated with accepting credit card payments on phones, tablets, and mobile devices, and UC is currently exploring options with our Payment Card Industry (PCI) Qualified Security Assessor, Coalfire, which may address the current security concerns over the protection of customer credit card information. As more information becomes available on the outcome of these assessments, it will be disseminated to the campus. In the meantime, please note that Bank of America Merchant Services (BAMS) does offer similar functionality via their PCI compliant wireless terminals.

If any third party merchant services, such as PayPal, Square, or Stripe, have already been implemented by your unit, please suspend all credit card processing immediately and contact our campus credit card coordinator and Director of Student Business Services/Cashiers, Asirra Suguitan, at . Your cooperation with complying with UC policy and protecting customer credit card information is appreciated.