PCI POLICY
Policy for Transmission of Payment Card Details
1. Purpose:
This policy outlines the procedures for securely transmitting payment card details to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) and protect cardholder data from unauthorized access and fraud.
2. Scope:
This policy applies to all employees, contractors, and third-party vendors who transmit, process, or store payment card information on behalf of Hoagie Dom LLC.
3. Definitions:
Cardholder Data:
Any information found on a payment card, including the card number, expiration date, cardholder name, and CVV.
PCI DSS:
The Payment Card Industry Data Security Standard, a set of security standards designed to protect cardholder data.
Secure Transmission:
Using encrypted channels and secure protocols to transmit cardholder data, such as HTTPS.
Insecure Transmission:
Methods that do not provide encryption or security protocols, such as email, fax, or unencrypted messaging systems.
4. Policy Statements:
Prohibition of Insecure Transmission:
Cardholder data must never be transmitted via email, fax, SMS, or any other insecure method.
Secure Online Transactions:
All online transactions involving payment card details must be conducted through secure, encrypted channels (e.g., HTTPS).
Secure Telephone Transactions:
When taking payment card details over the phone, employees must follow these guidelines:
Verify the caller's identity.
Do not read back card details to the caller.
Record card details directly into a secure, PCI DSS-compliant system.
Securely dispose of any paper records containing card details after processing.
Secure Physical Mail:
If physical mail is used to receive card details, it should be handled with extreme care, stored securely, and processed promptly.
Data Storage and Disposal:
Cardholder data must be stored securely and only for the duration necessary for processing the transaction. Upon completion of the transaction, cardholder data must be securely destroyed or disposed of in accordance with PCI DSS requirements.
Employee Training:
All employees who handle payment card information must receive regular training on PCI DSS requirements and secure data handling practices.
Vendor Management:
Third-party vendors who handle cardholder data must be vetted for PCI DSS compliance, and their agreements should explicitly state their responsibility for safeguarding the data.
Incident Response:
In the event of a suspected or actual data breach, employees must immediately report the incident to Dominic Rocconi, Owner & Founder of Hoagie Dom LLC, and follow the established incident response plan.
5. Enforcement:
Violation of this policy may result in disciplinary action, up to and including termination of employment.
6. Review:
This policy will be reviewed and updated at least annually to ensure its continued effectiveness and compliance with evolving PCI DSS requirements.
7. Contact Information:
For questions or concerns regarding this policy, please contact us at hoagiedom@gmail.com.