S & T Aircraft is required to be compliant with Payment Card Industry (PCI) Data Security Standards (DSS), and is committed to providing a secure environment for our customers to protect against both loss and fraud. S & T Aircraft must comply with PCI-DSS requirements for securely processing, storing, transmitting and disposing of cardholder data.
Payment Card Industry Data Security Standard (PCI-DSS)
The PCI-DSS is a result of collaboration among the major card brands to create common industry security requirements aiming to protect against both cardholder data exposure and compromise. The following programs incorporate PCI-DSS:
||Cardholder Information Security Program (CISP)
||Site Data Protection (SDP) Program
||Data Security Requirements
||Discover Information Security and Compliance (DISC) Program
The PCI-DSS offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI-DSS within their respective programs.
PCI-DSS Basic Requirements
The PCI-DSS consists of twelve basic requirements, and corresponding sub-requirements, categorized as follows:
|Build and Maintain a Secure Network
||1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
|Protect Cardholder Data
||3. Protect stored cardholder data.
4. Encrypt transmission of cardholder across open, public networks.
|Maintain a Vulnerability Management Program
||5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
|Implement Strong Access Control Measures
||7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
|Regularly Monitor and Test Networks
||10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
|Maintain an Information Security Policy
||12. Maintain a policy that addresses information security for all personnel.
PCI-DSS 3.2.1 as of May 2018
For More Information – Please visit https://www.pcisecuritystandards.org/.
PCI-DSS compliance is required of all merchants and service providers that store, process, or transmit cardholder data. The requirements apply to all payment channels, including in person, mail, telephone, and online.
Cardholder Data / Payment Card Data
Cardholder Data / Payment Card Data is all personally identifiable data about the cardholder (i.e. account number, expiration date, data provided by the cardholder, other electronic data gathered by the merchant/agent, etc.). This term also accounts for other personal insights gathered about the cardholder, i.e., addresses, telephone numbers, magnetic stripe data and CVC2/CVV2.
All individuals authorized to accept payment cards (debit and credit cards) must securely process, store and dispose of payment card data (paper and electronic media) in order to adhere to the PCI-DSS.
In order to protect cardholder data and ensure PCI-DSS compliance at S & T Aircraft, the following policies must be followed:
- Individuals must comply with the PCI-DSS.
- All transactions that involve the processing of payment card data (debit and credit cards) are required to utilize secure terminals. Information Systems and Technology (IST), has developed a payment gateway for retail processing, mail/phone orders and e-commerce credit cards. The system transmits payment card transactions to our processor for deposit and automatically updates the S & T Aircraft system in summary on a nightly basis. The transaction detail is securely stored on the system. An interface to the system is available to departments that wish to process e-commerce transactions.
- Exceptions to this policy may be granted only after a written request from the unit has been reviewed and is approved by IST. Under no circumstance should a department contact a credit card processor directly to obtain access to credit card privileges for S & T Aircraft business needs.
- Third party service providers (any entity that handles, reads, transmits or processes payment card data other than the S & T Aircraft) approved by the S & T Aircraft must state through a formal contract that all associated third parties with access to cardholder data will adhere to the PCI-DSS. This contract must clearly define the third party’s obligations and responsibilities in remaining compliant.
- Payment card data may not be transmitted or stored in any other system, server, personal computer or e-mail account. Only the last 4 digits of the card number may be stored. Under no circumstance will it be permissible to obtain credit card information, or transmit credit card information, by e-mail.
- Physical (paper) cardholder data must be locked in a secure area with access limited to only authorized individuals. These printed materials may include, but are not limited to, paper receipts, paper reports, faxes and customer order forms.
- All transactions (ACH, Cash, Check and Credit Card) processed through the Cashier System at Boston University are electronically stored for a period of ten years. Payment card transactions display only the last four digits of the card number. Only authorized employees with a business need are granted access to the full payment card number; until authorized access, the payment card number is fully masked.
- All payment card numbers will be fully masked (overwritten) within 7 months from the date of the original transaction. Payments designated as a recurring transaction will be fully masked 14 months after the date of the original transaction.
- All media used for credit cards must be destroyed when no longer needed. All hardcopy (paper) must be crosscut shred prior to disposal.
Failure to meet the requirements outlined in this policy may result in suspension of physical and or electronic payment capability for affected units. Additionally, the credit card associations may impose fines. Persons in violation of this policy are subject to a full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. S & T Aircraft will carry out its responsibility to report such violations to the appropriate authorities.
The information contained in this policy is subject to change without notice.
Copyright © 2020 S & T Aircraft Accessories, Inc. All rights reserved.
S & T Aircraft Accessories, Inc., 310 FM 483, New Braunfels, TX 78130, USA.
Updated on 01 January 2020