Procedures for WKU Merchants
The following is a list of procedures that must be followed by employees who use, or oversee the use of, credit card readers. This information was obtained from the PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard, version 3.2, produced by the PCI Security Standards Council.
- (9.1) Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
- (9.2) Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
- (9.3) Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms (keys, access cards, etc.) must be returned or disabled.
- (9.4) Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained, are given a physical badge or other identification that expires and identifies them as not onsite personnel, and are asked to surrender the physical badge before leaving the facility or at the date of expiration. Use a visitor log to maintain a physical audit trail of visitor information and activity, including visitor name, company, and the onsite personnel authorizing physical access. Retain the log for at least three months unless otherwise restricted by law.
- (9.9) Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. This includes periodic inspections of POS device surfaces to detect tampering, and training personnel to be aware of suspicious activity.
- (9.10) Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.