Credit Card Policy

1. Purpose

1.1. This policy is written to ensure the proper controls are in place to protect the security of our customers and business by enforcing internal and external controls on processing of credit, debit and stored value transactions.

2. Scope and Responsibility

2.1. The following devices are covered:

2.1.1. No devices are permitted to store, process, receive, transmit or store credit card information from the business premises.

2.2. All employees are responsible for following the requirements of Section 3.1.

2.3. Managers are responsible for implementing the requirements of section 3.3.

3. Policy

3.1. All employees must

3.1.1. Ensure all credit card transactions are processed by the customer, using only our Internet service.

3.1.2. Observe the Security Awareness Training and Program.

3.1.3. Keep passwords secret.

3.1.4. Access to Credit Card Information files shall be restricted to only those employees who need to use them as part of their job functions.

3.1.4.1. A list of authorized individuals shall be maintained in Appendix B.

3.1.5. This policy shall be reviewed annually and revised as needed.

3.1.6. Appendix A to this policy shall be completed and updated as changes occur. The information is as follows:

3.1.6.1. Merchant Service Provider name and telephone number.

3.1.6.2. Manufacturer Name, Model Number and Serial number of all terminals.

3.2. Record Retention and Destruction

3.2.1. Records should be retained for no more than 2 years.

3.2.2. Orders may be destroyed immediately after the transaction is completed unless they are the only transaction record. In that case, they must be retained for 2 years. The PAN may be obliterated leaving no more than the last 4 digits of the card number to increase security.

3.2.3. All paper records containing credit card information must be clearly identified as Classified.

3.2.4. Records sent to long-term storage shall be shipped in a sealed and locked container and inventoried as to their location and destruction date. See Appendix A: Inventory of Storage Locations. All movements of records shall be logged.

3.2.5. Records held for destruction shall be in locked, sealed containers and clearly marked “To Be Destroyed.”

3.2.6. Destruction shall be performed securely by either an employee or a secure destruction service.

3.2.6.1. Destruction must be through shredding, incinerating or pulping.

3.3. Managers shall implement the following requirements:

3.3.1. Ensure agreements with service providers who have access to credit card information clearly state that the service provider shall remain compliant with all Payment Card Industry Data Security Standards provisions at all times.

3.3.2. Appendix A to this policy shall be completed and updated as changes occur. The information is as follows:

3.3.2.1. Merchant Service Provider name and telephone number.

3.3.2.2. A list of all service providers per Section 6.

3.3.3. Verification of third party PCI DSS compliance shall be by one of the following methods:

3.3.3.1. Ensure the processing software is listed on PCI Security Standards Council’s list of validated payment applications found at https://www.pcisecuritystandards.org/security_standards/vpa/ OR;

3.3.3.2. Ensure third party providers are listed on Visa’s list of approved payment applications found at http://www.visa.com/pabp OR;

3.3.3.3. Receipt of a vendor’s PCI DSS compliance certification.

3.3.4. A list of third party providers shall be maintained.

3.3.5. Vendor PCI compliance shall be verified at least annually.

3.3.6. Background checks shall be performed on all employees whose job functions allow access to credit card information files.

3.3.7. In the event a service provider is compromised or breached:

3.3.7.1. It is to be reported the merchant service provider immediately; see Appendix A for contact information.

3.3.7.2. Immediately change all passwords including the master or administrator password and ALL user passwords.

3.3.7.3. The compromise is to be reported to any entity directed by the merchant service provider.

3.3.8. This policy shall be reviewed annually and revised as needed.

4. References and Cites

4.1. PCI Data Security Standard v2.0

5. Records

5.1. Appendix A:

5.2. Appendix B: List of Authorized Users

6. Definitions

6.1. Service Provider – Any vendor who has access to credit card information

Appendix A:

Merchant Service Provider:: Authorize.net

Appendix B: List of Authorized Users

Heather Robbins

Cliff Robbins