PCI Security Best Practices

Recommendations for Merchants When Collecting Credit Card Payments

Assumption

The merchant is accepting payment card transactions via the ePayPolicy payment page and occasional payments via the phone.

People

1. Vendor-supplied default passwords are always changed before installing a system on the network. Unnecessary default accounts are removed or disabled before installing a system on the network.

2. You and your staff make all passwords for computer access in your business unique and hard to guess: 7 or more characters and a combination of upper- and lower-case letters, numbers, and symbols. Consider using a passphrase as your password; you can make it personal and easy for you to remember. You and your staff use your own user accounts and passwords and do not share with one another.

Processes & Procedures

3. If you need to keep paper with card numbers, or card numbers along with card security codes, you make the numbers unreadable and secure the paper in a locked drawer or safe with limited access. For example, to make the number unreadable, mark through it with a thick, black marker so that it cannot be read from the front or back of the page when held up to the light, or cut the number out.

4. You only accept payment details via the ePayPolicy payment page or via phone. If you accidentally receive card data via e-mail, you delete it and let the sender know your preferred method for receiving card details, which is via the ePayPolicy payment page or via phone.

5. You promptly destroy or shred written account numbers when no longer needed.

6. Ensure that all service providers that store, process, transmit, or impact the security of cardholder data are PCI Level 1 compliant. Your agreement with each service provider includes an acknowledgment that the provider is required to maintain PCI Level 1 compliance through annual assessments.

7. Have a plan in place in case you suspect a compromise. If you believe your customers' information has been compromised, contact ePayPolicy immediately to notify them of the breach. You can also refer to this document from Visa outlining additional precautions to take.