Credit Card Processing Policy

The purpose of this document is to list the procedures that ensure the safe handling and processing of credit cards, for security and for compliance with the Payment Card Industry Data Security Standard (PCI DSS). Unless otherwise decided by the VP of Finance or CFO of the Company, Picarro will endeavor to use a third party to process all credit card transactions, with the limited exceptions noted below.

This policy classifies credit card data as restricted data that must be protected. Cardholder data includes:

·      The Primary Account Number (PAN): the unique payment card number, which identifies both the issuer of the card and the particular cardholder account

·      The cardholder name, card expiration date and/or service code

·      Security-related information, including card validation codes/values. This refers to the full magnetic-stripe data (or its chip equivalent) and the printed security code, called CAV, CVC, CVV or CSC depending on the payment card brand, as well as PINs and PIN blocks used to authenticate cardholders and/or authorize payment card transactions. PCI DSS calls this category sensitive authentication data and prohibits storing it after authorization, even in encrypted form.

Storage of Credit Card Data

Under no circumstances should cardholder data be maintained in electronic format by Picarro or by any employee. This includes data saved on a computer, CD, removable drive, or any other form of electronic media.

Paper records containing credit card information should be limited to those needed to conduct business. Under no circumstances should the CVV code be stored; if it is recorded on the same paper as the credit card number, it must be redacted (made unreadable) as soon as the transaction is processed. These records will be stored in a locked filing cabinet or safe, and the portion of the paper containing the credit card number will be destroyed (for example, cross-cut shredded) after the transaction is processed.

All paper transactions containing credit card numbers should be processed as soon as possible after an order has shipped.

Processing Credit Card Data

Online Payments (optional)

·      Company resources (computers and staff) will not be used to process credit card data.

·      For online orders, company employees will not type customer credit card data into computers.

·      Customers will use their own computer to initiate orders.

By E-Mail

·      Any request received via email must be processed as follows:

    • Requests which contain credit card data may be received by a member of the Finance team.
    • Requests must be charged on the same day the order is shipped, by typing the information into the Merchant eSolutions website (or equivalent).
    • The credit card information is then immediately cut out of any printed form and destroyed; the sender's email and attachment are deleted, and the deleted email is purged so that the message is permanently removed. Note that purging the mailbox does not remove copies retained by the mail server or its backups; those are governed by the mail retention settings, not by this procedure.

By eFax (credit card information accepted subject to special processing)

  • Do not process any request received via eFax which includes cardholder data unless you are able to complete these 4 steps:
    • Requests which contain credit card data may be received via eFax by a member of the Finance team.
    • The eFax is printed on the Finance team printer only; the sender's email and attachment are then deleted, and the deleted email purged so that the message is permanently removed.
    • Requests must be charged on the same day the order is shipped, by typing the information into the Merchant eSolutions website (or equivalent).
    • If an eFax transmission cannot be processed on the day it is received, the form must be locked in the filing drawer or cabinet of a Finance team member (with PCI operator training or above, as applicable). That person's filing cabinet must be locked whenever the person is not present.

Information Security Policy and Technology Access:

Picarro does not currently use credit card readers onsite and instead relies upon Merchant eSolutions for processing credit card transactions. In the event Picarro starts to use credit card readers onsite, employees with access to authorized credit card readers are required to take PCI Operator Training once per year. A certificate of compliance is to be maintained in their personnel file.

Staff who use this equipment are also required to review the Picarro Incident Response Policy. A form recording each person's review of these policies will be kept in his/her personnel folder.

No credit card information is ever stored or entered in software (other than the Merchant eSolutions website or equivalent) using any desktop computer, laptop, PDA, remote access technology, wireless technology, removable electronic media, tablet, the internet, the internet via Cashnet, email, etc. Credit card data within Picarro will be handled according to the policies above and will only be entered, by members of the Finance team, into approved credit card vendor processing websites. The credit card data will then be destroyed immediately.