Credit Card Processing Policy
The purpose of this document is to list procedures that ensure the safe handling
and processing of credit cards for security and compliance with the Payment
Card Industry Data Security Standard (PCI-DSS).
Unless otherwise decided by the VP of Finance
or CFO of the Company, Picarro will endeavor to use a third party to process
all credit card transactions with limited exceptions noted below.
This policy recognizes credit card data as restricted data. This data needs to be protected. Card holder data includes:
The Primary Account Number (PAN) is the unique payment
card number and identifies who issued the card as well as the particular
The Cardholder name, card expiration date and/or service
information, including card validation codes/values. This refers to the magnetic-stripe data
and printed security features such as the CAV, CVC, CVV or CSC code (the
name depends on the payment card brand), as well as PINs and PIN blocks
used to authenticate cardholders and/or authorize payment card
of Credit Card Data
Under no circumstances should card holder data be
maintained in an electronic format by Picarro or by any employees. This includes data saved on a computer, CD,
removable drive, or any other form of electronic media.
The storage of paper records containing credit card
information should be limited to that needed to conduct business. Under no circumstances should the CVV code be
stored; if it is recorded on the same paper as the credit card number, it will be
redacted after processing. These records
will be stored in a locked filing cabinet or safe. The portion of the paper containing the
credit card number will be destroyed after the transaction is processed.
All paper transactions containing credit card
numbers should be processed as soon as possible after an order has shipped.
Credit Card Data
Online Payments (optional)
· Company resources (computers and staff) will not be
used to process credit card data.
· Company employees will not type customer credit card
data into computers.
· Customers will use their own computer to initiate
· Any request received via email must be processed as
- Requests which contain credit
card data can be received by a member of the Finance team.
- Requests must be charged the
same day as the order is shipped by typing the information into the
Merchant eSolutions website (or equivalent).
o Credit card information is then immediately cut out of
the form; delete the sender’s email and attachment, and purge the deleted email
to remove the deleted message permanently.
By eFax (credit card
information accepted subject to special processing)
- Do not process any request
received via eFax which includes card holder data unless you are able to complete
these 4 steps:
- Requests which contain credit card data can be
received via eFax by a member of the Finance team.
- The eFax should be printed on the Finance team printer
only; the sender’s email and attachment should be deleted, and the deleted
email purged to remove the deleted message permanently.
- Requests must be charged the same day as the
order is shipped by typing the information into the Merchant eSolutions
website (or equivalent).
If an eFax
transmission cannot be processed the day it is received, the form must be
locked in a filing drawer or cabinet of a Finance team member (with PCI
operator training or above, as applicable).
That person’s filing cabinet must be locked when the person is not
Security Policy and Technology Access:
Picarro does not currently use credit card readers onsite and instead relies upon Merchant
e-Solutions for processing credit card transactions. In the event Picarro starts to use credit
card readers onsite, employees with access to authorized credit card readers
are required to take PCI Operator Training once per year. A certificate of compliance is to be
maintained in their personnel file.
Employees who use this equipment are also required to review the Picarro Incidence
Response Policy. A form indicating
each person’s review of these policies will be kept in his/her personnel
No credit card information is ever stored or entered
in software (other than the Merchant eSolutions website or equivalent) using
any desktop computer, laptop, PDA, remote access technology, wireless
technology, removable electronic media, tablets, on the internet, on the internet via
Cashnet, routed by email, etc. Credit
card data within Picarro will be handled according to the policies above and
will only be entered using approved credit card vendor processing websites by
members of the Finance team. The credit
card data will then be destroyed immediately.