Payment Card Industry Data Security Standard (PCI DSS) Policy

Purpose

Conservation International (CI) is committed to compliance with the Payment Card Industry Data Security Standard (PCI DSS) to protect payment card data regardless of where that data is processed or stored. This policy governs the handling, processing, transmission, storage, and disposal of cardholder data at CI and by those who process payment card transactions on behalf of CI. This policy is intended to be used in conjunction with the complete PCI DSS requirements.


Scope

This Policy applies to all CI employees, interns, fellows, volunteers, and representatives (jointly, "CI Staff") as well as CI grantees/awardees, contractors, suppliers, consultants, and their employees, sub-grantees/-awardees, and representatives (jointly, "CI Delivery Partners"). This includes any third-party vendors, auxiliary service corporations, foundations, individuals, systems, networks, and other parties with a relationship to CI that transmit, process, or store electronic or paper payment card transactions on behalf of CI, including those that do so through third-party software.


Our principles and actions

All CI Staff must adhere to these requirements to protect our donors and maintain the ability to process payments using payment cards.

  • Commitment to Standards Compliance: The PCI DSS is a mandated set of requirements agreed upon by the major payment card brands and maintained by the PCI Security Standards Council. The security requirements apply to all payment card transactions and to the merchants and organizations that accept these cards as a form of payment. The PCI DSS requirements do not supersede local, state, and federal laws or regulations. 
  • No Retention of Certain Information: CI prohibits the retention of complete payment card primary account numbers (PAN) or sensitive authentication data in any system, database, network, computer, tablet, cell phone, or paper file. Storing truncated numbers in approved formats (no more than the first six and the last four digits of the PAN) is permissible. 
  • Disposal: Cardholder data must be disposed of in a manner that renders the data unrecoverable. This applies to paper documents and to any electronic media, including computers, hard drives, magnetic tapes, and USB storage devices, in accordance with CI's Record Retention Policy. The approved PCI DSS disposal methods are cross-cut shredding, incineration, and use of an approved shredding and disposal service. 


Implementation

CI must comply with PCI DSS to accept card payments and avoid penalties. This policy and additional supporting policies:  

  • Provide the requirements for processing, transmission, storage, and disposal of cardholder data transactions. 
  • Reduce the organizational risk associated with the administration of payment cards. 
  • Promote proper internal control. 
  • Promote compliance with the PCI DSS. 

In the event of a Data Compromise or other related security Incident, anyone with knowledge or a reasonable suspicion of an incident is required to immediately notify the CI IT Service Desk or IT Security Team. Failure to protect this information may result in financial loss for CI and our donors, suspension of credit card processing privileges, fines, and damage to the reputation of CI. In the event of a breach or a PCI violation, the payment card brands may assess penalties to our Merchant Bank(s) which will be passed on to CI. These fines, along with credit monitoring fees, can impose substantial financial strain on businesses, underscoring the necessity of abiding by the PCI DSS requirements. Any fines or assessments that may be imposed by the affected credit card company will be the responsibility of CI.

CI Staff who violate this policy are subject to disciplinary consequences up to and including termination of employment. Violation of this Policy or failure to comply with the applicable PCI DSS requirements by CI Delivery Partners will result in remedial action, including termination of the relevant agreement for cause with immediate effect and demand for restitution. 


Definitions

  • Cardholder: The individual to whom a payment card is issued and who is authorized to use it. 
    • Cardholder Data (CHD): Elements of payment card information that must be protected, including primary account number (PAN), cardholder name, expiration date, and the service code.
    • Cardholder Name: The name of the individual to whom the card is issued. 
  • Expiration Date: The date on which a card expires and is no longer valid. The expiration date is embossed, encoded, or printed on the card. 
  • Service Code: A three-digit value encoded in the magnetic stripe or chip that defines where the card may be used (for example, domestic or international) and what processing is required (for example, whether a PIN is required). 
  • Data Compromise: Any situation where there has been unauthorized access to a system or network where prohibited, confidential, or restricted data is collected, processed, stored, or transmitted. Payment card data is defined as prohibited data. A data compromise can also involve the suspected or confirmed loss or theft of any material or records that contain cardholder data. 
  • Incident: Suspected or confirmed data compromise.  
  • Merchant: A department or unit (including a group of departments or a subset of a department) approved to accept payment cards and assigned a merchant identification number. 
  • Payment Card Industry Data Security Standard (PCI DSS): The security requirements defined by the PCI Security Standards Council and the major payment card brands, including Visa, MasterCard, Discover, American Express, and JCB. 
  • Primary Account Number (PAN): The number of 13 to 19 digits (16 for Visa and MasterCard, 15 for American Express) embossed or printed on a payment card and encoded in the card's magnetic stripe and chip. The PAN identifies the issuer of the card and the account, and its final digit is a check digit (computed with the Luhn algorithm) that detects mistyped or mis-scanned numbers; it is not a secret and provides no protection against misuse. 
  • Self-Assessment Questionnaire (SAQ): Validation tools that assist merchants and service providers in reporting the results of their PCI DSS self-assessment. 
  • Sensitive Authentication Data: Additional elements of payment card information required to be protected but never stored. These include magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, and PIN or PIN block. 
    • CAV2, CVC2, CID, or CVV2 data: The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card-not-present transactions.
    • Magnetic Stripe (i.e., track) data: Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization.
    • PIN or PIN block: Personal identification number entered by the cardholder during a card-present transaction, or encrypted PIN block present within the transaction message.
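The "No Retention" rule above is only enforceable if someone looks for full PANs in places they should not be (exports, ticket systems, mailboxes, shared drives). The following is an added example of such a check, not code from CI or from the PCI Security Standards Council: it scans text for 13 to 19 digit runs, keeps only those that carry a valid Luhn check digit (the check digit described in the PAN definition), and masks each finding to the first six and last four digits, which this example assumes is the approved truncated format. The sample text is constructed for the example, and the full card numbers in it are published test numbers that pass the Luhn check but belong to no cardholder.

```python
import re

# Constructed sample input (not real data). The two full numbers are
# well-known test PANs; the last line is a 16-digit run that fails Luhn.
SAMPLE_TEXT = """
donor_export.csv: 4111 1111 1111 1111, exp 12/26
support ticket: last four 1111, BIN 411111 (approved truncated form)
amex test: 3782-822463-10005
not a PAN: 1234567890123456
"""

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string ends in a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit PAN in text, separators removed.

    Digit runs that fail the Luhn check (order numbers, phone numbers,
    timestamps) are dropped, which is what keeps the false-positive rate
    usable on real exports. Short fragments such as a BIN or the last four
    digits never match the candidate pattern, so approved truncated
    forms are not reported.
    """
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def truncate(pan: str) -> str:
    """Mask a PAN to first six and last four digits (assumed approved format)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def report(text: str) -> list[str]:
    """One masked line per finding, safe to paste into an incident ticket."""
    return [f"full PAN found: {truncate(p)} ({len(p)} digits)" for p in find_pans(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_TEXT):
        print(line)
```

Anything this scanner reports is, by the policy above, prohibited data and must be reported to the IT Service Desk or IT Security Team rather than quietly deleted, since the finding itself may be evidence in an Incident. The report never echoes the full number, so the ticket it feeds does not become a new place where a PAN is stored.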