PCI Compliance Policy
1. Policy Statement
All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must be conducted as described in this policy and the company aims to comply with all legal, statutory and regulatory compliance requirements regarding PCI-DSS.
This policy is to be used in accordance with the standards and our own procedures listed in the Related Documents section of this Policy. No activity may be conducted, nor any technology employed that might obstruct compliance with any portion of the PCI-DSS. This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.
2. Purpose
The company has created this PCI Compliance Policy to show its commitment to the standards and security for processing, storing, using and destroying credit and debit card transactions and the associated personal details.
We understand that compliance with data security standards can bring major benefits to our business and aim to avoid the long-term negative consequences of failing to comply. We adhere to the standards and ensure that all systems used in connection with PCI-DSS are secure, so that customers can trust us fully with their sensitive payment card information.
The standards are designed to protect the cardholder information of customers and clients as well as any individual or entity that utilizes a credit card to transact business with [Your Company Name]. This policy is intended to be used in conjunction with the complete PCI-DSS requirements as established and revised by the PCI Security Standards Council.
In accordance with the PCI-DSS requirements, the company confirms that it has a current and valid PCI Compliance Certificate and has completed any mandatory self-assessment questionnaires.
3. Scope
This policy relates to all staff (meaning permanent, fixed-term and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company in the UK or overseas) within the organisation. It has been created to ensure that staff handle the matters covered by this policy in accordance with legal, regulatory, contractual and business expectations and requirements.
4. Definitions
Credit Card Data – Full magnetic stripe or the PAN (Primary Account Number) plus any of the following:
- Cardholder name
- Expiration date
- Service Code (CVS)
PCI-DSS – Payment Card Industry Data Security Standard
PCI Security Standards Council – The security standards council defines credentials and qualifications for assessors and vendors and maintains the PCI-DSS.
Self-Assessment – The PCI Self-Assessment Questionnaire (SAQ) is a validation tool that is primarily used by merchants to demonstrate compliance with the PCI DSS.
PAN – Primary Account Number is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. It is also called Account Number.
5. What Is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB.
It was initially set up to help reduce card fraud and increase the security of processing payments by debit and credit card. PCI DSS includes technical and operational requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organisations that store, process or transmit cardholder data.
There are 12 high-level requirements, which fall under the six categories below:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Protect stored data (use encryption)
- Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses Information Security
6. Objectives
With regard to PCI compliance, the company's aim is to meet the policy objectives below, which have been created in accordance with the PCI standards as set out for vendors.
The company is responsible for:
- Creating PA-DSS compliant Payment Applications that facilitate, and do not prevent, our customers' PCI DSS compliance
- Following the best practices of the PCI DSS Requirements whenever we process or transmit cardholder data
- Educating staff, customers, integrators, and resellers on how to install and configure the Payment Applications in a PCI DSS-compliant manner
- Ensuring that our Payment Applications meet PA-DSS Requirements by successfully passing a PA-DSS Assessment as specified in the PCI PA-DSS Requirements and Security Assessment Procedures
- Complying with the Vendor Release Agreement (ROV) including the adoption and implementation of Vulnerability Handling Policies consistent with industry best practices
- Creating a PA-DSS Implementation Guide, specific to each application, in accordance with the requirements in the PA-DSS
- Adhering to our own defined software versioning methodology as validated and documented in the ROV
The company's business objectives for PCI compliance are:
- Ensuring that all payment transactions are compliant and that any stored personal or card details are held in accordance with the PCI-DSS
- Ensuring that all staff are fully trained on the PCI requirements and on using any PCI-compliant payment software and/or systems
- Ensuring that staff receive regular training on PCI compliance to ensure adherence to the standards and our own business objectives
- Ensuring that all customers are informed of any rights that they have under the PCI compliance standards.
7. Card Storage & Disposal
The company complies with all PCI-DSS requirements when it comes to the storage and disposal of any personal and/or card information. We ensure that each of the objectives below is achieved through our PCI compliance, secure waste disposal, retention and information security procedures:
- Credit card information is not entered onto or stored on any of the company network servers, workstations, or laptops
- Credit card information is never transmitted via email and we advise all customers and clients to adhere to this rule as well
- Web payments are always processed using a PCI-compliant service provider and credit/debit card numbers are not entered into a web page of a server hosted on our own personal network
- Electronic storage of credit/debit card data is prohibited by this policy, and our Compliance Officer carries out regular and routine checks and audits to ensure that these policy objectives are not being violated
- All hard-copy, paper documents containing credit/debit card information are limited to instances specifically required by the transactions and if there is a need to retain such information, it is kept in a secure and safe location, only accessible by authorised staff.
- Where hard-copy card details have been retained, the company follows its secure waste disposal policy and procedures for destroying the documents via approved methods once business needs no longer require retention
8. Responsibilities
The company will ensure that all staff are provided with the time, training and support to learn, understand and implement the PCI compliance objectives and standards.
Management are responsible for a top-down approach and for ensuring that all staff are included and have the support needed to meet the regulatory requirements in this area.