29/10/09
Card Holder Data Security – Important Notice
Re: Payment Card Industry (PCI) Data Security Standard
Following on from Odette Shocklidge’s email dated 29/10/09, please refer to the additional information below. Further guidance will follow via internal mail, and subsequently in the Company Handbook.
Re: Card payment transactions
A data security standard is now in force and we must demonstrate that we are compliant with it by self-assessment. (This can be randomly audited.)
As we use stand-alone dial-out terminals (Cardnet machines) or imprint machines (for emergencies), we do not hold cardholder details in electronic format; however, we do hold and store paper card receipts. These receipts contain the PAN (Primary Account Number), in other words the card number.
WITH IMMEDIATE EFFECT PLEASE FOLLOW THE GUIDELINES BELOW:
We must protect all cardholder data and keep it safe and secure at all times. Therefore, once customer cards are processed, all point-of-sale staff MUST ensure that all receipts are stored in a safe and secure environment and are not left on desks or counters.
For accounts department filing, once banking is reconciled please do not leave slips attached to the invoice showing the customer's name and address. For security reasons, please file them separately and keep them in a secure place. Treat this information as confidential.
Only allow access to cardholder data to those individuals whose jobs require such access.
Avoid sending cardholder details in the internal post (i.e. our copy of the customer receipt), as these may get lost.
For customer-not-present transactions, only send the customer their own top copy of the receipt, on which the PAN is masked (some of the digits are hidden).
DO NOT send unmasked card data (the full PAN) in the external post.
Storage of sensitive authentication data is prohibited. This means we must NOT store, in any way, the 3-digit (or 4-digit) card security code used to verify card-not-present transactions. Therefore, if this code is used and written down, please ensure the note is destroyed by shredding so that the card data cannot be retrieved.
We must not send any unencrypted card data electronically (i.e. by e-mail).
All hardcopy cardholder data is to be destroyed responsibly when it is no longer required for business or legal reasons. All hardcopy data is to be cross-cut shredded or incinerated so that the data cannot be reconstructed.
Can you please ensure all appropriate staff are made aware of these security measures.