Credit Card Security and Compliance
In an effort to increase security in the processing of credit card transactions, representatives from the five major card brands (Visa, MasterCard, JCB Cards, Discover, and American Express) created a set of security guidelines for all businesses that accept credit card payments; these are known as the Payment Card Industry Data Security Standards (PCI DSS).
The PCI DSS is broken down into 12 standards with various sub-requirements and updated every 3 years. Most employees will not be required to have knowledge of all standards and requirements, but a general understanding is necessary. Each office/unit DOES need to know the requirements that pertain to your specific business processes and understand how those requirements are to be applied.
Due to the fact that Extension relies on third parties for transmission and processing of credit card transactions, we are focused on the standards that pertain to the following areas:
- Protection of cardholder data
- Implementation of strong access controls
- Regular monitoring of controls and processes
- Creation and maintenance of an information security policy
Based on this focus, the following are some key notes to remember with regard to PCI DSS compliance:
- Visitors must be accompanied at all times in areas where credit card information is stored
- All offices are required to use a payment form for all credit card transactions with the credit card information on the bottom of the page that can be removed for shredding after the transaction is complete; a template can be found below
- Credit card information MUST be stored in a locked drawer or filing cabinet with limited access while awaiting processing
- Storing of primary account number (PAN) or card verification code (CVC) information is strictly prohibited
- All documents containing credit card information must be shredded using a cross-cut shredder
- It is forbidden to transfer credit card information via email or instant messaging
- Credit card information may be sent to a fax machine ONLY if the connection to the machine is a phone line dedicated to the machine and no other connections exist. Networked fax machines are not approved for the transmission of this information.
- All offices must provide to Extension’s fiscal administration team a copy of the credit card operations guide that details office-specific processes and controls
- In terms of training, all employees with credit card handling duties must take security training at time of hire and are subject to annual training requirements
Any questions may be directed to Shelly DeJaynes in the Extension Fiscal office.
The following resources are available to assist you in understanding the PCI standards that apply to your office.