Credit Card Security Policy 2018


This policy applies to all employees who handle customer credit cards or credit card information, their immediate supervisors, and all computers/devices involved with customer cardholder information such as account numbers, names, etc.

It is absolutely critical that employees who handle customer cardholder information actively protect it from thieves and hackers. This is a legal requirement, and a business requirement, and must not be ignored. This policy describes what employees should do, and what they should not do. Employees are required to read and comply with this policy and any revisions made to it. Failure to do so may result in disciplinary action, up to and including termination.

Computers and Software

  1. No other computers are to be connected to any Point of Sale terminal (via cables, wireless, or anything else).
  2. No computers other than Point of Sale terminals are to be used to transmit or share cardholder data over the city network or out to the Internet.

Information and Records Stored On Computers/Devices

  1. Do not record, copy, or store cardholder information (such as credit card account numbers) on any computer, thumb-drive, paper copy, CD, DVD, etc. This includes magnetic stripe information and other information such as the security numbers.
  2. Computers/devices are allowed to record the last 4 digits ONLY of a credit card account number.
  3. Never, under any circumstances, record, copy, or store customer cardholder PINs, or security numbers.

Physical Security

  1. Physical access to all Point of Sale terminals is restricted to those who have formal management approval.
  2. If you see anyone (staff-member or not) near a Point of Sale terminal who does not have approval, you are required to report it to your supervisor immediately.
  3. All visitors must be in the presence of an employee who is responsible for supervising them. All unsupervised visitors must be escorted away from sensitive systems such as Point of Sale Terminals, and this action shall be reported to their supervisor immediately.

Policies and Procedures

  1. In the event of suspicious behavior, or a security problem, contact your supervisor immediately.
  2. Information Technology has a formal incident response plan in place. Any known breach of security is to be reported immediately to the IT Manager or Assistant IT Manager.

Final Comments

This policy, and the requirements described in it, helps the City in several important ways:
  1. It reduces the chance that the City will be damaged by hackers or thieves.
  2. It reduces the chance that customer information will be stolen, and so reduces the chance that the City will be sued.
  3. It promotes the City’s compliance with an industry standard called the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply may result in large fines, and the termination of the City's credit card processing services.