PURPOSE
The purpose of this policy is to define the guidelines for accepting and processing credit cards and storing personal cardholder information. The policy will help to ensure that cardholder information supplied to Metropark Communications, Inc. is secure and protected. Metropark is complying with credit card company requirements and the Payment Card Industry Data Security Standard.
SCOPE
This policy applies to all Metropark Communications, Inc. employees. The policy pertains to all departments that process, transmit, or handle cardholder information. The cardholder information may be in a physical or an electronic format. Cardholders who make non-cash payments will lose cash discounts.
POLICY
All transactions that Metropark processes must meet the standards outlined in the policy and be PCI compliant.
A. Electronic credit card numbers should not be transmitted or stored on a personal computer or e-mail account. Electronic lists of customers’ credit card numbers should not be retained. Credit card information should only be accepted online, by telephone, mail, or in person. This information should not be accepted via e-mail and departments should not e-mail credit card information.
B. Physical cardholder data must be locked in a secure area. Access should be limited to individuals that require the use of the data. Access should also be restricted on a ‘need to know’ basis.
C. Only essential information should be stored. Do not store the Card Validation Code (also known as the Security Digits, V Code, or CID). Do not store users’ PINs or the full data from a card’s magnetic stripe.
D. Credit card information should only be retained for the time needed to process, or, if retained for reconciliation, for a maximum of one year if necessary.
E. Credit card information, if it does not need to be retained, should be destroyed. Information should be destroyed by shredding (cross-cut) immediately after processing, or immediately after it no longer needs to be retained.
F. Credit card receipts may show only up to the last five digits of the credit card number. If receipts show more than the last five digits, the receipts must be shredded or retained in a secure area.
G. Credit card payments will not qualify for cash discounts.
SECURITY PROCEDURES
All credit card and debit card transaction acceptance, including web based transactions, must be initiated and controlled through the Metropark Accounting Department.
Departments that need to accept credit/debit cards and obtain a physical terminal to either swipe or key transactions need to contact Metropark’s Accounting Manager to execute the required paperwork, obtain a Merchant Number, and be given direction as to how to process those transactions for accounting purposes.
All or most Metropark departments will typically engage in electronic transactions by using Metropark’s Authorize.Net credit card processing system. Authorize.Net is a safe and secure electronic payment mechanism. All servers and computers used for electronic transactions will be secure and Payment Card Industry compliant.
Under no circumstance will it be permissible to obtain or send credit card information, or transmit credit card information by e-mail.
The only approved payment mechanism for electronic transactions on the web is the Metropark Authorize.Net system. Exceptions to this procedure may be granted only after a request from the department has been reviewed and approved by the Metropark Accounting Manager.
NON-QUALIFYING CASH DISCOUNTS
Metropark Communications, Inc. delivers invoices for provided goods or services via email, mail, and/or fax. Each invoice assumes that a customer will be paying the invoice utilizing cash or company check methods, thus a 3.62% cash discount is affixed to each submitted invoice. If a customer pays by credit or other non-cash methods, the cash discount will be removed upon remittance of non-cash payment. A non-cash payment overage will be assessed on the next billing cycle or statement period.