CITY OF GRAPEVINE ADMINISTRATIVE POLICY
SUBJECT: CREDIT CARD PROCESSING SECURITY
SECTION: F
NUMBER: 19.0
PREPARED BY: Information Technology EFFECTIVE DATE: 02/01/2014
PAGE: 1 of 2
PURPOSE
19.1 The purpose of the Credit Card Processing Security policy is to protect customer
cardholder information.
This policy applies to all employees who handle customer credit cards or credit card
information, their immediate supervisors, and all computers/devices involved with
customer cardholder information such as account numbers, names, etc.
It is absolutely critical that employees who handle customer cardholder information
actively protect it from thieves and hackers. This is a legal and business requirement and
must not be ignored. This policy describes what employees should and should not do.
Employees are required to read and comply with this policy and any revision made to it.
Failure to do so may result in disciplinary action, up to and including termination.
Information Technology has a formal incident response plan in place. Any known
breach of security is to be reported immediately to the IT Manager or Assistant IT
Manager.
The Credit Card Processing Security Policy Acknowledgement Form must be signed
by any employee who handles customer cardholder information. Forward the completed
form to IT. See attachment E number 19.0 for the form.
POLICY
19.2 COMPUTERS AND SOFTWARE
19.2.1 No other computers are to be connected to any Point of Sale terminal, via
cables, wireless or any other type of connection.
19.2.2 No computers other than Point of Sale terminals are to be used to transmit or
share cardholder data over the City network or out to the Internet.
19.3 INFORMATION AND RECORDS STORED ON COMPUTERS/DEVICES
19.3.1 Do not record, copy, or store cardholder information, such as credit card account
numbers, on any computer, thumb-drive, paper copy, CD, DVD, etc. This includes
magnetic stripe information, and other information like the security numbers.
19.3.2 Computers/devices are allowed to record the last four digits ONLY of a credit card
account number.
19.3.3 Never, under any circumstances, record, copy, or store customer cardholder
PINs or security numbers.
19.4 PHYSICAL SECURITY
19.4.1 Physical access to all Point of Sale terminals is restricted to those who have
formal management approval.
19.4.2 If you see anyone, staff-member or not, near a Point of Sale terminal who does
not have approval, you are required to report it to your supervisor immediately.
19.4.3 All visitors must be in the presence of an employee who is responsible for
supervising them. All unsupervised visitors must be escorted away from sensitive
systems such as Point of Sale terminals, and this action shall be reported to
their supervisor immediately.
19.4.4 In the event of suspicious behavior, or a security problem, contact your
supervisor immediately.
19.5 REASONS TO FOLLOW SECURITY PROCEDURES
This policy, and the requirements described in it, helps the City in several important
ways:
19.5.1 It reduces the chance that the City will be damaged by hackers or thieves.
19.5.2 It reduces the chance that customer information will be stolen, and reduces the
chance of a lawsuit against the City.
19.5.3 It promotes the City's compliance with an industry standard called the Payment
Card Industry Data Security Standard (PCI DSS). Failure to comply may result
in large fines and the termination of the City's credit card processing services.