PCI DSS Policy

Information Security Awareness Program

All employees authorised to accept payment cards (debit and credit cards) securely process, store and dispose of payment card data (paper and electronic media) in order to adhere to the Payment Card Industry Data Security Standards (PCI DSS).

In order to protect cardholder data and ensure PCI DSS compliance at Thomas Leach Colour, the following procedures are followed:

  • Authorised employees comply with the PCI DSS.
  • All e-commerce transactions use PayPal’s secure online site. Manual transactions use PayPal’s secure virtual terminal.
  • Payment card data is not transmitted or stored in any other system, server, personal computer or e-mail account. Under no circumstance is credit card information obtained, or transmitted, by e-mail.
  • Physical (paper) cardholder data is locked in a safe with access limited to only authorised employees. These printed materials may include, but are not limited to, customer order forms and paper receipts.
  • All media used for credit cards is destroyed once the transaction is completed. All hardcopy (paper) is cross-cut shredded prior to disposal.

PCI DSS Compliance Guidelines

  • It is against Thomas Leach Colour Policy to store credit card numbers on any computer, server, database or spreadsheet.
  • Restrict access to card data by business need to know.
  • Paper documents containing cardholder data must be locked in a safe.
  • Restrict physical access to cardholder data.
  • Email is not an approved way to transmit credit card numbers.
  • Paper receipts must be destroyed so that account information is unreadable and cannot be reconstructed.
  • Any new systems/software that process payment cards are required to be approved by the Directors prior to being purchased.
  • Maintain a firewall and router configuration to protect cardholder data.
  • Use and regularly update anti-virus software.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Computer systems using “Virtual Terminal” must be connected to the proprietary sub-domain with no network access.
  • Report all suspected or known security breaches to Management.

Payment Card Industry Data Security Standards (PCI DSS) for Accepting Credit Cards

PCI compliance is required of all merchants and service providers that store, process, or transmit cardholder data. The requirements apply to all payment channels, including retail (in person), mail/telephone order, and e-commerce.

Thomas Leach Colour is required by the payment card associations to be compliant with the Payment Card Industry (PCI) Data Security Standards, and is committed to providing a secure environment for our customers to protect against both loss and fraud. Thomas Leach Colour must comply with Payment Card Industry (PCI) requirements for securely processing, storing, transmitting and disposing of cardholder data.

The PCI DSS is a result of collaboration among the major payment card companies to create common industry security requirements, aiming to protect against both cardholder data exposure and compromise. The following programs incorporate PCI DSS:

  • VISA Cardholder Information Security Program (CISP)
  • MasterCard Site Data Protection (SDP) Program
  • American Express Data Security Requirements
  • Discover Information Security and Compliance (DISC) Program

The PCI DSS offers a single approach to safeguarding sensitive data for all payment card companies. Other card companies have also endorsed the PCI DSS within their respective programs.

The PCI DSS consists of twelve basic requirements:

PCI Security Standard

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

For More Information – Please visit https://www.pcisecuritystandards.org/

Date of Last Policy Update: June 2019