
ASQ Lehigh Valley Section

Credit Card / Debit Card Security Policy
All ASQ Lehigh Valley section members involved in payment processing shall protect all cardholder credit card information received from any source by using processes that receive, transmit and store credit card information with the safeguards and precautions described below.
All LVASQ Board Members shall acknowledge this policy and their responsibilities within it by affirming it with their signature. All section members authorized to handle credit/debit card information on behalf of ASQ Lehigh Valley shall also acknowledge this policy and their responsibilities within it by affirming it with their signature.
Only those members that have acknowledged this policy with a signature shall be permitted and authorized to receive, transmit, transport and store credit and debit card transactions.
This policy shall be reviewed annually by the Board to promote awareness and to determine if it remains suitable for the section's credit card processing needs and methods.
The key security requirements of this policy are outlined below. Other, more detailed procedures may be developed to support these requirements.

  1. Receiving Cardholder Data

    1. The preferred method of credit/debit card payment is online payment and electronic invoicing through ASQ Lehigh Valley authorized providers. Preferred and secure methods include:

      1. Payment links on LVASQ website

      2. PayPal, EventBrite or other similar services used by LVASQ

      3. PayPal invoices issued via e-mail

    2. Point of Sale terminals are the only electronic devices to be used in transmitting cardholder data.

    3. Cardholder security information shall NEVER be recorded, copied, or stored; this includes PINs and the three-digit card security codes.

    4. Physical copies (paper or other tangible media) of cardholder data are strongly discouraged and shall be used only when absolutely necessary; in those cases, the cardholder data shall be protected and then destroyed in a timely manner thereafter.

    5. No computers are to be connected to Point of Sale terminals via cables, wireless, or any other mode.

    6. No computers are to be used to store or read cardholder data other than the last four digits of a card number.

    7. Sign-up notices on websites and paper forms shall expressly state credit card security concerns and identify the credit card data that cardholders are NOT to provide.

  2. Transmitting Cardholder Data

    1. Transmitting cardholder data shall only be done through authorized devices that briefly RETAIN cardholder data for processing, but do not STORE cardholder data.

    2. E-mail, instant messages, text messages and any other non-secure electronic transmission shall NEVER be used to transmit any part of cardholder data.

  3. Transporting and Storing Physical Copies of Cardholder Data

    1. When instances occur of LVASQ having physical copies (paper or other tangible media) of cardholder data, such as when electronic systems are down, the following shall apply:

      1. Upon acquiring cardholder information, physical copies shall be kept secured by the holder at all times, in a container with a positive closure that does not permit loose papers or objects to escape.

      2. Physical copies of cardholder information shall be transported only when absolutely necessary and, when transported, shall be kept in a container with a positive closure.

      3. After transportation of physical copies is completed, they shall be stored in a secure location and marked as confidential. The intention is that physical copies of cardholder information are captured and placed immediately in a secure container, transported securely, and stored in a secured location (such as an LVASQ member's home or office) prior to their final disposal.

      4. If the cardholder data is removed from the secure location, a log shall be kept of such movement and the reasons for it.

      5. Physical copies shall be stored only as long as they are needed (for example, until payment is verified), and never for more than 30 days.

  4. Disposal of Cardholder Data

    1. Where cardholder data is in physical form and needs to be destroyed, one of the following methods shall be used to ensure that the discarded cardholder data cannot be reconstructed:

      1. Shredded in a cross-cut shredder

      2. Incinerated

      3. Pulped

  5. Response to Security Incidents

    1. In the event of a significant security incident, such as a deliberate attack on credit card processing systems, the following responses shall be taken:

      1. Investigate immediately to determine what harm has been done and whether the attack is still in progress.

      2. Take immediate action to limit the damage.

      3. Notify the affected parties (the cardholders and the payment processor) of the incident and the actions taken.

      4. Identify improvements needed to security systems; advise Board of recommendations for change; implement Board approved changes.

  6. Correction of Past Security Lapses

    1. LVASQ shall review all currently held order processing documents to determine whether they contain cardholder data.

    2. If so, those documents containing cardholder data shall be disposed of in accordance with this policy.


Policy version 1.0
