Security Policy
We encrypt certain sensitive information (such as credit card information) using Secure Sockets Layer (SSL) technology to ensure that your Personally Identifiable Information is safe as it is transmitted.
Policy Statement
Phillips Pharmacy will take all appropriate measures to protect credit card numbers used to make payments to Phillips Pharmacy.
Rationale
Credit card transactions are becoming the preferred method for making payments to Phillips Pharmacy. Every business that accepts credit and debit card payments is required to comply with the Payment Card Industry Data Security Standard (PCI-DSS). To comply with the PCI-DSS, employees who work directly with credit card processing and documentation are required to review and sign this policy.
Definitions
Cardholder data – The full magnetic stripe of the card, or the entire card number plus any of the following: cardholder name, expiration date, service code.
PCI-DSS – The Payment Card Industry Data Security Standard was adopted to assure the protection of customer data and credit card numbers.
Point-of-Sale device – Any device into which cardholder data is entered to facilitate credit card transactions.
Procedures
- 1. Access to Customer Credit Card Data
1.1 Access is authorized only for Phillips Pharmacy personnel who are responsible for processing or facilitating credit card transactions.
1.2 A copy of this policy must be read and signed by authorized personnel on initial employment and annually thereafter.
1.3 Signed policies will be maintained by management.
- 2. Transmission of Credit Card Information
2.1 Insecure (unencrypted) transmission of cardholder data is prohibited. Credit card numbers and cardholder data may not be emailed, faxed, or sent via any electronic messaging technologies such as instant messaging or chat.
- 3. Telephone Payments
3.1 When recording credit card information for processing via a dial-up terminal, only the cardholder name, account number, expiration date, ZIP code, and street address may be recorded. It is not permissible to record or store the three-digit security code (CVV2).
3.2 Store transaction documentation and merchant receipt in a secure (locked) area.
- 4. Card Present Transactions (Point-of-Sale)
4.1 Point-of-Sale devices must be inspected for tampering before the first use of the week and the inspection must be logged.
4.2 Picture ID is required if the card is not signed.
4.3 Provide a receipt to the customer.
4.4 Store transaction documentation and merchant receipt in a secure (locked) area.
- 5. Receipt of Credit Card Information in Email
5.1 Under no circumstances will credit card numbers received in email be processed.
- 6. Processing Credit Card Transactions and Storage of Cardholder data on Company Computers
6.1 Cardholder data should not be stored electronically.
6.2 Credit card transactions over the company WiFi network are forbidden.
- 9. Retention and Destruction of Cardholder Data
9.1 Cardholder data should be retained in a secure location only as long as is necessary for business purposes.
9.2 Cardholder data will be destroyed when no longer needed. Paper will be cross-cut shredded. Electronic files will be destroyed in a manner appropriate to the media on which they are stored.
- 10. Processing Involving Third-Party Service Providers
10.1 Offices must maintain a list of the service providers used.
10.2 A written agreement must be maintained that includes an acknowledgment that the service provider is responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of Phillips Pharmacy.
10.3 Service provider PCI DSS compliance must be verified on an annual basis by obtaining the service provider's Attestation of Compliance or by checking the service provider's compliance status on the Visa Global Registry of PCI DSS Validated Service Providers.