Payment Card Processing and Security Policy
This policy mandates compliance with the Payment Card Industry Data Security Standards for GJ Tonewood, LLC in order to securely protect and maintain cardholder data during payment card processing, storage, or transmission.
Ownership of GJT
Credit Card, Data Security Standards (DSS), Security, Payment Card Industry (PCI), Compliance
GJ Tonewood, LLC
PAYMENT CARD PROCESSING AND SECURITY POLICY
Edited: 25th June, 2021
Cardholder Data Any personally identifiable data associated with the cardholder, to include account number, expiration date, name, address, social security number, card service verification code, or any other data stored on the magnetic stripe of the payment card.
Merchants Authorized acceptors of payment cards for the purchase of goods, services, or information.
Network members Acceptors of payment cards for the purchase of goods, services, or information that have been granted direct authorization to perform payment card transactions by the major credit card companies. Generally, these include banking and financial institutions.
Payment Application Data Security Standards (PA-DSS) The Payment Card Industry Security Standards Council program established to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and to ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.
Payment Card Industry Data Security Standards (PCI DSS) A multifaceted set of comprehensive requirements and security standards developed to enhance payment account data security, security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
PCI Entity Any GJT department, office, section, or affiliated association or group that has been approved to accept, process, transmit, or store credit card transactional or cardholder data as a member, merchant, or service provider operating on behalf of GJT, or in use of the GJT brand name.
Senior Management Persons in the positions of Ownership or Managers, or persons specifically designated by Ownership or a Manager, that make executive decisions and are authorized to accept risks for the administrative unit in the area of information security.
Service Providers Any business entity that is not a payment card brand network member or a merchant directly involved in the processing, storage, transmission, and switching of transaction data or cardholder information, or both. This includes companies that provide services to merchants, service providers, or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, intrusion detection systems and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
GJT, defined as: GJ Tonewood LLC, www.gjtonewood.com
Verification Code The three or four-digit value printed on the front or back of a payment card; Card Validation Code CVC2 (Mastercard), Card Verification Value CVV2 (VISA), Card Member ID (Discover), or the Card Identification Number CID (American Express).
The Payment Card Industry (PCI) Data Security Standards (DSS) are a mandated set of security standards created by the major credit card companies for the purpose of offering merchants and service providers a complete, unified approach to safeguarding cardholder data for all payment card brands. The PCI DSS apply to all payment card network members, merchants, and service providers that process, store, or transmit cardholder data, as well as to all methods of credit card processing, whether manual or computerized.
This policy mandates compliance with PCI DSS requirements for processing, storing, transmitting, or handling payment card information. GJT is subject to examination of security measures employed to ensure cardholder data are securely maintained. As such, GJT is committed to adhering to the PCI DSS in order to ensure the protection of cardholder data, limit its liability, and maintain the ability to provide payment card transaction services.
All GJT payment card processing activities and related technologies must comply with this policy and the PCI DSS in its entirety. Compliance with card processing activities must be maintained as described herein and in accordance with the policies listed in the Related Policies/Documents section of this policy. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of this policy or the PCI DSS.
To protect your transactions from unauthorized access by third parties, SumUp operates in accordance with the highest card payment industry security standards:
- PCI-DSS (Payment Card Industry Data Security Standard) is the highest data security standard used in the credit card industry concerning data transfer and data storage.
- SSl (Secure Socket Layer) and TLS (Transport Layer Security) are ‘encryption protocols’ that protect data that is transmitted over the internet. We are using 256-bit encryption, the highest possible level currently available.
- PGP (Pretty Good Privacy) is an international standard for secure personal data storage.
Under no circumstances will SumUp ask you to send via email your login credentials. The same holds true for over the phone: SumUp will not call you to ask for your password. Please never provide your password over the phone or in an email.
When you use SumUp to accept card payments we collect information on the transaction and its location. SumUp never distributes this information to third parties, except where it is necessary to process transactions.
SumUp will not sell or rent your personal information to any third party. However, in order to process payments securely (e.g. prevention of fraud) and to provide our service, it is necessary that we share some of the payment information with partner companies.
Your financial security is always our top priority. Therefore, we may occasionally ask you to provide some further information regarding specific card payments you process using the SumUp services. These requests are very infrequent and are performed to protect your account and the cardholders you do business with.
In these cases, SumUp may request some additional information regarding the goods and/or services you provide, invoices for specific transactions, and the contact details (if available) for your customer to allow us to verify the payment.
Network security and technology
Due to the fact that the SumUp device encrypts all the information as it reads the card, no unencrypted data is ever stored on both the card reader and your smartphone/tablet during the transaction process.
Our team works hard for your security and as such we constantly update all systems to ensure we provide the appropriate levels of protection. Furthermore, we take preventive measures necessary to keep our system secure and our clients' data safe. A such, we have qualified internal and external teams to test our security systems on a regular basis, and sensitive data is strictly controlled at all times.
Mobile devices and secure payments
SumUp payments are processed in accordance with the highest industry security standards. SumUp’s transaction process ensures that all data is encrypted and transferred to our secured payment server.
In addition, SumUp never stores any sensitive data on mobile devices such as your smartphone, tablet, or the card reader.
This policy applies to all GJT employees, contractors, consultants, temporaries, vendors, other third-party workers, and any unit that processes, stores, maintains, transmits, or handles payment card information in a physical or electronic format on behalf of the GJT enterprise, or in use of the GJT brand name. This includes any entity that utilizes any part of the GJT network infrastructure for payment card transaction services. Hereafter, these groups shall be referred to as PCI Entities.
Each PCI Entity must be approved by, and registered with, the Office of the Ownership of GJT.
Each PCI Entity must develop, implement, and maintain processes and procedures for conducting secure payment card transaction related activities in accordance with PCI DSS requirements and any other applicable GJT policies.
GJT ownership is responsible for ensuring all cardholder data are protected against unauthorized use, disclosure, fraud, or other compromising activity.
All payment card transactions must be performed on systems approved by the Office of the Ownership of GJT. Approval shall include an annual risk assessment process that identifies threats and vulnerabilities to the payment card processing environment.
Vendor or third-party applications used for payment card processing services must be a PCI Validated Payment Application that meets PA-DSS requirements.
Any known or suspected breach, compromise, or unauthorized access of cardholder data shall be reported immediately to the Office of the Ownership of GJT.
Employees who do not follow this policy and all requirements contained within the appropriate unit procedures may be subject to disciplinary action up to and including termination of employment.
GJT PCI Entities who do not follow this policy and established procedures may be subject to suspension or loss of payment card processing capability and monetary fines.
Vendors or contractors who do not follow this policy and established procedures may be subject to breach of contract penalties.
Any exception to this policy or the established procedures for implementing this policy must be requested in writing in advance and approved by the Office of the Ownership of GJT.
The Office of the Ownership of GJT will be responsible for governing and enforcing GJT PCI compliance and approving any changes to this policy.