Credit Card / Debit Card Security Policy
All ASQ Lehigh Valley section members associated with payment processing shall protect all cardholders' credit card information received from any source by using processes that receive, transmit and store credit card information with the appropriate security measures and precautions described below.
All LVASQ Board Members shall acknowledge this policy and their responsibilities within it by affirming it with their signature. All section members authorized to handle credit/debit card information on behalf of ASQ Lehigh Valley shall also acknowledge this policy and their responsibilities within it by affirming it with their signature.
Only those members that have acknowledged this policy with a signature shall be permitted and authorized to receive, transmit, transport and store credit and debit card transactions.
This policy shall be reviewed annually by the Board to promote awareness and to determine if it remains suitable for the section's credit card processing needs and methods.
The key security issues of this policy are outlined below. Other more detailed procedures may be developed to support these requirements.
PayPal, EventBrite or other similar services used by LVASQ
PayPal invoices issued via e-mail
Point of Sale terminals are the only electronic devices to be used in transmitting cardholder data.
Cardholder security information shall NEVER be recorded, copied, or stored, including PINs and three-digit security codes.
Physical copies (paper or other tangible media) of cardholder data shall be strongly discouraged and only used when absolutely necessary, and in those cases, the cardholder data shall be protected and then destroyed in a timely manner thereafter.
No computers are to be connected to Point of Sale terminals via cables, wireless, or any other mode.
No computers are to be used to store or read cardholder data other than the last four digits of a card number.
Sign-up notices on websites and paper forms shall expressly state credit card security concerns and identify the credit card data that cardholders are NOT to provide.
Transmitting Cardholder Data
Transmitting cardholder data shall only be done through authorized devices that briefly RETAIN cardholder data for processing, but do not STORE cardholder data.
E-mail, instant messages, text messages and any other non-secure electronic transmission shall NEVER be used to transmit any part of cardholder data.
When instances occur of LVASQ having physical copies (paper or other tangible media) of cardholder data, such as when electronic systems are down, the following shall apply:
Upon acquiring cardholder information, physical copies of cardholder information shall be kept secured by the holder thereof at all times, and in a containing system that has a positive closure that cannot permit loose papers or objects to escape from the containing system.
Physical copies of cardholder information shall be transported only when absolutely necessary and when being transported, they shall be maintained in a containing system that has a positive closure.
After transportation of physical copies is completed, they shall be stored in a secure location and marked as confidential. The intention is that physical copies of cardholder information are captured and placed immediately in a secure container, transported securely, and stored in a secured location (such as in an LVASQ member's home or office) prior to the final disposal of the physical copies.