S & T Aircraft is required to be compliant with Payment Card Industry (PCI) Data Security Standards (DSS), and is committed to providing a secure environment for our customers to protect against both loss and fraud. S & T Aircraft must comply with PCI-DSS requirements for securely processing, storing, transmitting and disposing of cardholder data.

Payment Card Industry Data Security Standard (PCI-DSS)

The PCI-DSS is a result of collaboration among the major card brands to create common industry security requirements aiming to protect against both cardholder data exposure and compromise. The following programs incorporate PCI-DSS:

The PCI-DSS offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI-DSS within their respective programs.

PCI-DSS Basic Requirements

The PCI-DSS consists of twelve basic requirements, and corresponding sub-requirements, categorized as follows:

PCI-DSS 3.2.1 as of May 2018

For More Information – Please visit https://www.pcisecuritystandards.org/.

PCI Compliance

PCI-DSS compliance is required of all merchants and service providers that store, process, or transmit cardholder data. The requirements apply to all payment channels, including in person, mail, telephone, and online.

Cardholder Data / Payment Card Data

Cardholder Data / Payment Card Data is all personally identifiable data about the cardholder (i.e. account number, expiration date, data provided by the cardholder, other electronic data gathered by the merchant/agent, etc.). This term also accounts for other personal insights gathered about the cardholder, i.e., addresses, telephone numbers, magnetic stripe data and CVC2/CVV2.

All individuals authorized to accept payment cards (debit and credit cards) must securely process, store and dispose of payment card data (paper and electronic media) in order to adhere to the PCI-DSS.

In order to protect cardholder data and ensure PCI-DSS compliance at S & T Aircraft, the following policies must be followed:

• Individuals must comply with the PCI-DSS.
• All transactions that involve the processing of payment card data (debit and credit cards) are required to utilize secure terminals. Information Systems and Technology (IST), has developed a payment gateway for retail processing, mail/phone orders and e-commerce credit cards. The system transmits payment card transactions to our processor for deposit and automatically updates the S & T Aircraft system in summary on a nightly basis. The transaction detail is securely stored on the system. An interface to the system is available to departments that wish to process e-commerce transactions.
• Exceptions to this policy may be granted only after a written request from the unit has been reviewed and is approved by IST. Under no circumstance should a department contact a credit card processor directly to obtain access to credit card privileges for S & T Aircraft business needs.
• Third party service providers (any entity that handles, reads, transmits or processes payment card data other than the S & T Aircraft) approved by the S & T Aircraft must state through a formal contract that all associated third parties with access to cardholder data will adhere to the PCI-DSS. This contract must clearly define the third party’s obligations and responsibilities in remaining compliant.
• Payment card data may not be transmitted or stored in any other system, server, personal computer or e-mail account. Only the last 4 digits of the card number may be stored. Under no circumstance will it be permissible to obtain credit card information, or transmit credit card information, by e-mail.
• Physical (paper) cardholder data must be locked in a secure area with access limited to only authorized individuals. These printed materials may include, but are not limited to, paper receipts, paper reports, faxes and customer order forms.
• All transactions (ACH, Cash, Check and Credit Card) processed through the Cashier System at Boston University are electronically stored for a period of ten years. Payment card transactions display only the last four digits of the card number. Only authorized employees with a business need are granted access to the full payment card number; until authorized access, the payment card number is fully masked.
• All payment card numbers will be fully masked (overwritten) within 7 months from the date of the original transaction. Payments designated as a recurring transaction will be fully masked 14 months after the date of the original transaction.
• All media used for credit cards must be destroyed when no longer needed. All hardcopy (paper) must be crosscut shred prior to disposal.

Failure to meet the requirements outlined in this policy may result in suspension of physical and or electronic payment capability for affected units. Additionally, the credit card associations may impose fines. Persons in violation of this policy are subject to a full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. S & T Aircraft will carry out its responsibility to report such violations to the appropriate authorities.

• It is against S & T Aircraft Policy to store credit card numbers on any computer, server, or database other than systems specifically designed to comply with PCI-DSS policy.
• Restrict access to card data by business need to know
• Paper documents containing cardholder data must be kept in a secure environment (i.e. safe, locked file cabinet, etc.).
• Restrict physical access to cardholder data.
• Cardholder data must be transmitted securely (i.e. encrypted).
• Email is not an approved way to transmit credit card numbers.
• Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment.
• Paper receipts must be destroyed so that account information is unreadable and cannot be reconstructed.
• Technology changes that affect payment card systems are required to be approved by the Information Technology Department prior to being implemented.
• Any new systems/software that process or stores payment cards are required to be approved by the Information Technology Department prior to being implemented.
• Install and maintain a firewall and router configuration to protect cardholder data.
• Use and regularly update anti-virus software.
• Do not use vendor-supplied defaults for systems passwords and other security parameters.
• Assign a unique ID to each person with computer access.
• Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
• Report all suspected or known security breaches to the Information Technology Department.

The information contained in this policy is subject to change without notice.
Copyright © 2020 S & T Aircraft Accessories, Inc. All rights reserved.
S & T Aircraft Accessories, Inc., 310 FM 483, New Braunfels, TX 78130, USA.

Updated on 01 January 2020