Compliance Policy


Policy Statement

The purpose of this policy is to establish a security posture for the handling of cardholder data and to reduce the burden of implementing and managing the applicable controls required by the most current version of the Payment Card Industry Data Security Standard (PCI DSS). Unless otherwise provisioned, documented, or communicated, this document establishes policy as it relates to the storage, processing, or transmission of cardholder data within Andaman Market Shop.

Scope

This compliance policy applies to all employees, contractors, and third-party entities that store, process, or transmit cardholder data, or otherwise interact with cardholder data, for any transaction where Andaman Market Shop owns or is responsible for the associated merchant ID (MID). Furthermore, this policy applies to all devices used for the physical capture of cardholder data for those transactions.

Statement of Policy

Unless otherwise approved by leadership, the following policy must be implemented and managed.

Transaction Processing

  1. All payment processing must be facilitated through a validated PCI P2PE solution approved and listed by the PCI Security Standards Council (SSC). No other forms of transaction processing will be permitted or approved.
  2. Cardholder data may not be received or transmitted electronically outside of a validated P2PE solution.

PCI P2PE Devices

  1. All devices must be deployed in accordance with the vendor provided P2PE Implementation Guide.
  2. Care, custody, and control procedures must be applied to each device used to interact with cardholder data. These procedures must include, but are not limited to, the following:
    1. Inventory management
      1. A formal inventory of all P2PE payment devices must be maintained.
      2. A formal process to maintain this inventory must be implemented. This process will include asset management of devices in production, held in inventory, reallocated, and decommissioned.
      3. A formal inspection process must be implemented to ensure that there has not been any unauthorized substitution of devices.
      4. A formal list of each device must be maintained.

        This list will include but is not limited to:

        1. Make and model of device
        2. Location of device
        3. Unique identifier
    2. Device security
      1. Devices must be inspected on a basis. This inspection must be sufficient to identify a tampered device.

Cardholder Data Storage

  1. Storage of electronic/digital cardholder data is prohibited, unless required for documented legal reasons.
  2. Storage of sensitive authentication data after authorization is prohibited.
  3. Storage of physical print media is permitted, provided the following requirements are met:
    1. A formal data retention policy must exist that defines the data that is retained, and the purpose of the retention. This retention must be defined with specific legal and/or business reasons.
    2. Physical print media containing cardholder data may not be stored for longer than its defined retention period.
    3. There must be a formal process, executed quarterly, to identify any data which has exceeded the retention period.
    4. In the event cardholder data has been identified as exceeding its retention period, a formal process must be implemented to securely dispose of it. Destroyed data must not be recoverable or reconstructable.
  4. Storage of physical print media must be secured from any unauthorized access.