| Questions | Tips and Tricks |
Is the store properly handling credit card numbers, per PCI standards?
| |
Are application server(s) in a locked PCI cabinet secured with a keyed lock? *The server cabinet may only have a combination lock if the room in which the server cabinet is located is secured with a key lock or badge reader lock for entry into the room. Is a sign posted on the door of the rack with the server that states, "Door Must be Locked at All Times - Only Authorized Personnel Allowed?" Is the key for the server cabinet in a secure location? Is the server visitor log present and up to date?
| Server cabinet should be locked at all times. Lock should be keyed and secured in the safe. (If the server is in a locked room, the server may have a combination lock – the door to the room must have a key lock or badge reader). Door Must be Locked At All Times sign must be posted on the server. Server visitor log must be posted and up to date.
|
Has the store reviewed and purged all prepaid/online orders for pickup within a maximum of 45 days from the start of classes or order date, whichever is later?
| Purge abandoned orders no later than 45 days from the start of class. Make 1 attempt to contact the customer. To remind them their order is ready for pickup. Use this script, "Hello, my name is (insert name). I am contacting you from(insert bookstore name) regarding the order you placed with us. Please get in touch with us at(insert phone number), no later than(insert date 45 days after the first day of classes)."
|
Is the tamper-proof tape installed on all MX915 PIN Pads (tape must not be damaged or peeled)? Has the store completed a monthly audit of each credit card terminal connected to the POS to detect signs of tampering?
| Inspect every Pin pad in the store. Does each pin pad have the tamper-proof tape. Ensure it is correctly placed and there is no evidence of tampering. Complete monthly audit of all pin pads.
|
Are RJ45 plugs installed in all the wall jacks, not in use?
| |
All passwords must be treated as sensitive and confidential - no sharing of passwords and not written passwords in a readily decipherable form. Is the store adhering to/meeting PCI standards as it relates to password usage?
| All passwords are sensitive and confidential. Passwords should not be written in places accessible to others Other team members should not use your credentials to access store systems.
|
Have all terminated team members been locally removed from CORE POS, Course Tracks, and if applicable, has a SAR been submitted to remove SODA access?
| |
Are terminal pin pads mounted and properly secured cradles or with tethers?
| |
No non-Follett external devices can be connected to Follett computers (USB, phones, tablets, etc.). Is the store compliant?
| |
Have all new hires completed the Information Security Awareness training within 90 days of employment?
| |
