Effective Date: September 28, 2025
PCI DSS Information Security Policy
Objective
This policy ensures basic protection for payment card data and maintains compliance with PCI DSS.
Scope
Applies only to essential personnel and systems directly handling payment card data.
- Cardholder Data Handling
- Only necessary payment data is collected; sensitive authentication data (e.g., CVV/CVC, PIN) is not stored.
- If any cardholder data is stored, it is protected with encryption or access controls.
- Transmission Security
- Payment data sent over the internet uses standard, up-to-date encryption (HTTPS/TLS).
- Access Control
- Users accessing payment systems have unique credentials. No sharing of passwords.
- Security Awareness
- Basic training provided to anyone responsible for handling cardholder data, covering how to identify and report security incidents.
- Software and System Security
- Website platform and plugins are kept up-to-date with vendor-provided security patches.
- Incident Response
- Security incidents or suspected payment card breaches will be reported for evaluation and, if appropriate, addressed promptly.
- Third Parties
- Payment processing is performed by PCI DSS-compliant service providers (e.g., PayPal).
- Policy Review
- This policy is reviewed annually or when business practices change.