29/10/09

Card Holder Data Security – Important Notice

Re - Payment Card Industry (PCI) Data Security Standard

Following on from Odette Shocklidge’s email dated 29/10/09, please refer to additional information below. Further guidance to follow via internal mail, and subsequently in the Company Handbook.

Re- Card payment transactions

A data security standard is now in force and we must demonstrate that we comply with it by self-assessment. (Compliance can be audited at random.)

As we use stand-alone dial-out terminals (Cardnet machines) or imprint machines (for emergencies), we do not hold cardholder details electronically; we do, however, hold and store paper card receipts. These receipts contain the PAN (Primary Account Number), in other words the card number, and the copy we keep shows it in full.

WITH IMMEDIATE EFFECT PLEASE FOLLOW THE GUIDELINES BELOW:-

We must protect all cardholder data and keep it safe and secure at all times.

Therefore, once a customer's card has been processed, all point-of-sale staff MUST ensure that the receipts are stored in a safe and secure environment and are never left on desks or counters.

For accounts department filing, once banking is reconciled please do not leave card slips attached to the invoice, which shows the customer's name and address; a slip and an invoice together link a full card number to an identifiable person. For security reasons please file the slips separately and keep them in a secure place. Treat this information as confidential.

Only allow access to cardholder data to those individuals whose jobs require such access.

Avoid sending cardholder details in the internal post (e.g. our copy of the customer receipt), as these may get lost.

For customer-not-present transactions, only send the customer their own top copy of the receipt, on which the PAN is masked (most of the digits are replaced so the full card number cannot be read). Our copy shows the full number and must not be sent out.
DO NOT send full (unmasked) card data in the external post.

Storage of sensitive authentication data is prohibited. This means we must NOT store, in any form, the card security code used to verify card-not-present transactions (the 3-digit code on the back of the card, or the 4-digit code on the front of American Express cards). If this code is written down in order to process a transaction, it must be shredded immediately after the transaction has been authorised so that the card data cannot be retrieved.

We must not send any unencrypted card data electronically (e.g. by e-mail). A full card number must never appear in the body or an attachment of an e-mail, whether internal or external.
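The two rules above (only masked card numbers leave the company, and no full card numbers in e-mail) can be enforced by a simple check that finds full PANs in outbound text and masks them before the text is sent. The Python below is an added example written for this notice, not part of the original memo or of any terminal vendor's software. The sample e-mail text is constructed, the card numbers in it are standard Luhn-valid test numbers rather than real accounts, and the function names are the example's own. Masking follows the PCI DSS display rule that at most the first six and last four digits may be shown.

```python
import re
from typing import List

# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded inside a longer run of digits (so an invoice or
# order number made of more digits is not split into a false match).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")

# Constructed sample e-mail (NOT real data). The first two numbers are
# well-known Luhn-valid test PANs; the third fails the Luhn check and is
# here to show that an ordinary reference number is left alone.
SAMPLE_EMAIL = (
    "Hi, please process 4111 1111 1111 1111 exp 12/11 for invoice 20091029.\n"
    "Amex on file: 378282246310005. Ref 4111111111111112 is an order number.\n"
)


def _strip_separators(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check that
    every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in text, separators removed."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group(1))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS allows at most the first six and the
    last four digits to be visible; every other digit becomes '*'."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most first 6 and last 4 digits")
    digits = _strip_separators(pan)
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("PAN too short to mask")
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:]   # '' when keep_last == 0
    return head + "*" * hidden + tail


def redact_text(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form, leaving
    other digit runs (invoice and order numbers) untouched."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _strip_separators(m.group(1))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_EMAIL))
    print(redact_text(SAMPLE_EMAIL))
```

The Luhn check is what keeps the false-positive rate tolerable: a 16-digit invoice number is only matched one time in ten, and a candidate that fails the check is left unchanged. The check is a format test, not proof that a number belongs to a live account, so anything it does flag should still be treated as a full card number and masked.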

All hard-copy cardholder data is to be destroyed responsibly as soon as it is no longer required for business or legal reasons.

All hard-copy data is to be cross-cut shredded or incinerated so that it cannot be reconstructed.

Can you please ensure all appropriate staff are made aware of these security measures.