The Retro Cave Ltd POLICY

Policy Statement

The Retro Cave Ltd must protect cardholder information of customers and any individual or entity that utilises a credit or debit card to transact business with The Retro Cave Ltd. This policy is intended to be used in conjunction with the complete PCI-DSS requirements as established and revised by the PCI Security Standards Council.

Rationale

Credit and debit card transactions have become the preferred method for making payments to The Retro Cave Ltd. Every business that accepts credit and debit card payments is required to comply with the Payment Card Industry Data Security Standards (PCI‐DSS). Additionally, The Retro Cave Ltd’s reputation would be seriously damaged by the exposure of credit or debit card numbers. To comply with the PCI‐DSS, employees who work directly with credit and debit card processing and documentation are required to review and sign this policy on an annual basis.

Applicability of the Policy

This policy applies to all staff at The Retro Cave Ltd with responsibilities for managing credit or debit card transactions and to those employees entrusted with handling cards and card information.

Definitions

CARDHOLDER DATA

The full magnetic stripe of the card or the entire card number plus any of the following; cardholder name, expiration date, service code.

PCI DSS

The Payment Card Industry Data Security Standard was adopted to assure the protection of customer data and credit card numbers.

PCI ENVIRONMENT

Includes computers and network hardware configured to meet the PCI standards for electronic submission, processing or storage of cardholder data.

Procedures for Access to Customer Credit & Debit Card Data

• Access is authorised only for The Retro Cave Ltd staff who are responsible for processing or facilitating credit and debit card transactions.
• Only authorised The Retro Cave Ltd staff may process credit or debit card transactions or have access to documentation related to credit and debit card transactions.
• A copy of this policy must be read and signed by authorised personnel on initial employment and annually thereafter.

Telephone Payments

• The Retro Cave Ltd do not accept card payments over the telephone.  This ensures that The Retro Cave Ltd staff never know a customers credit card details and we are therefore not required to store any sensitive information.

Card Present Transactions (Point of Sale)

• Picture ID is required if the card is not signed. Provide receipt to customer.
• Store transaction documentation and merchant receipt in a secure (locked) area.

Receipt of Credit or Debit Card Information in Email

• Under no circumstances will credit card numbers received in email be processed.
• The recipient of the credit or debit card number will respond to the sender with a standard template advising that the transaction cannot be processed and offering an acceptable method for transmitting card information. Credit and debit card numbers will be deleted from the response.

Processing Credit and Debit Card Transactions and Storage of Cardholder data on Company Computers

• Card numbers must not be entered on any computer that is not expressly designated as belonging to the PCI environment.
• Cardholder data should not be stored electronically. If there is a documented requirement for such storage, appropriate encryption must be used and data must be stored on a computer belonging to the PCI environment.
• Any documents or receipts that include a credit or debit card Personal Account Number (PAN) must have the PAN masked in accordance with current PCI standards.

Retention and Destruction of Cardholder Data

• Cardholder data should be retained in a secure location only as long as is necessary for business purposes. It is not permissible to store the three‐digit security code (CVV2).
• Cardholder data will be destroyed when no longer needed. Paper will either be shredded using a cross cut shredding device, incinerated or pulped. Electronic files will be destroyed in a manner appropriate to the media on which they are stored

Contacts

Questions related to this policy can be emailed to the following address: support@retrocollective.co.uk

Related Documents & Policies

PCI DSS – The Payment Card Industry Data Security Standard

Template Response* for Credit or Debit Card Number Received in Email

Thank you for your recent communication regarding payment for item or event . For your protection, we cannot accept credit or debit card information via email. Email is an insecure means of transmitting information and you should never use it to send your credit or debit card number or other sensitive personal information.Please contact us at support@retrocollective.co.uk to arrange for an electronic invoice to be sent. Thank you.

*Delete the cardholder data from your response and delete the original message after replying.