The purpose of this policy is to define the guidelines for accepting and processing credit cards and storing personal cardholder information. The policy will help to ensure that cardholder information supplied to Metropark Communications, Inc. is secure and protected. Metropark is complying with credit card company requirements and the Payment Card Industry Data Security Standard.
This policy applies to all Metropark Communications, Inc. employees. The policy pertains to all departments that process, transmit, or handle cardholder information. The cardholder information may be in a physical or an electronic format. Cardholders who make non-cash payments will lose cash discounts.
All transactions that Metropark processes must meet the standards outlined in the policy and be PCI compliant.
A. Electronic credit card numbers should not be transmitted or stored on a personal computer or e-mail account. Electronic lists of customers’ credit card numbers should not be retained. Credit card information should only be accepted online, by telephone, by mail, or in person. This information should not be accepted via e-mail, and departments should not e-mail credit card information.
B. Physical cardholder data must be locked in a secure area. Access should be limited to individuals who require the use of the data. Access should also be restricted on a ‘need to know’ basis.
C. Only essential information should be stored. Do not store the Card Validation Code (also known as the Security Digits, V Code, or CID). Do not store users’ PINs or the full data from a card’s magnetic stripe.
D. Credit card information should only be retained for the time needed to process it or, if retained for reconciliation, for a maximum of one year if necessary.
E. Credit card information, if it does not need to be retained, should be destroyed. Information should be destroyed by shredding (cross-cut) immediately after processing, or immediately after it no longer needs to be retained.
F. Credit card receipts may show only up to the last five digits of the credit card number. If receipts show more than the last five digits, the receipts must be shredded or retained in a secure area.
G. Credit card payments will not qualify for cash discounts and will have a 4% credit card processing surcharge on amounts larger than $3,999.00.
All credit card and debit card transaction acceptance, including web-based transactions, must be initiated and controlled through the Metropark Accounting Department.
Departments that need to accept credit/debit cards and obtain a physical terminal to either swipe or key transactions need to contact Metropark’s Accounting Manager to execute the required paperwork, obtain a Merchant Number, and be given direction as to how to process those transactions for accounting purposes.
All or most Metropark departments will typically engage in electronic transactions by using Metropark’s Authorize.Net or PayTrace credit card processing systems. Authorize.Net and PayTrace are safe and secure electronic payment mechanisms. All servers and computers used for electronic transactions will be secure and Payment Card Industry compliant.
Under no circumstances will it be permissible to obtain, send, or transmit credit card information by e-mail.
The only approved payment mechanism for electronic transactions on the web is the Metropark Secure Payment portal, using PayTrace or Authorize.Net systems. Exceptions to this procedure may be granted only after a request from the department has been reviewed and approved by the Metropark Accounting Manager.