Essential Bodyworks Clinic
Payment Card Security Policy and Procedures
Adherence to this policy and the associated procedures is mandatory for all staff who handle or process card payments on behalf of Essential Bodyworks, hereafter referred to as the clinic.
1. Introduction and Policy Statement
1.1 The clinic is happy to take payment via debit or credit card, cash, or bacs transfer depending on the clients preferred payment method. We do not accept card with high processing fees such as AMEX/Diners etc.
1.2 Where essential due to the nature of the transactions, staff may use Point of Sale Terminals (PDQ or card machines) but such machines must comply with the requirements set out below.
1.3 The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard, created to help organisations that process card payments prevent card fraud. It requires strict control of data and confidentiality to ensure the security of payment card details. It is the global data security standard that any business of any size must adhere to if it wishes to accept card payments, and to store, process, and/or transmit cardholder data. The clinic is liable for fines should it fail to comply with PCI DSS as it is considered a breach of contract with our Bank. Non-compliance also puts confidential data held by the clinic at potential risk in contravention of Data Protection Law and PCI Compliance maintenance.
1.4 The clinic owner is responsible for ensuring staff are aware of this policy, the associated procedures and that these are adhered to.
1.5 If any member of staff identifies that this policy is compromised or is at risk of compromise then he/she must report the matter immediately to the clinic owner. They should feel able to do so in the case of genuine mistakes as well as if they are concerned about poor practice by others.
1.6 Individual staff who do not comply with the requirements of the training and this set of policies and procedures may be subject to disciplinary action.
2. Online Payments
2.1 Online payments via our website use a secure card payment service called Stripe. For more information on the security of card payments through stripe click here https://stripe.com/docs/security/stripe.
2.2 If at all possible, payments should be taken by directing the individual to use one of the services above and staff will not therefore have any access to the individual’s payment card details.
2.3 PCI DSS requires that the customer has a free choice of which device to use to make their on-line payment. Staff should therefore not pro-actively direct customers to a specific computer or other device to make payments.
2.4 Through the online payment system no card details are retained by the clinic and there is no access to full card details by any member of clinic staff as this information is stored on an encrypted external server.
2.5 Refunds can only be processed by the designated service for that online payment system stated in paragraph 2.1.
3. Card Payments
3.1 Where unavoidable (e.g. retail outlets), staff may take payments using a Point of Sale terminal (PDQ machine). PDQ machines must be PCI DSS complaint.
3.2 Payments using PDQ machines should normally be taken on a “customer present” basis. When a successful payment is processed the paper ‘merchant copy’ receipt generated by the machine should be stored securely in a locked draw/cabinet and the ‘customer copy’ handed to the customer (if requested). Receipts should not be retained if there is no business need to do so.
3.3 If the transaction is declined, the customer should be informed immediately and asked to contact the card provider. Receipts should be handled in the same way as in 3.2.
3.4 If the customer is not present and the online methods of payment noted in paragraph 2 above are not suitable (for example loss of network connection), the customer may be asked to provide card details over the phone. These must be entered directly by the staff member taking the call into the PDQ machine. Normally this should be done immediately while the customer is on the phone and card details should not be written down. Only if there is a genuine reason why the transaction cannot be processed immediately (loss of network) may details be written down. They must be stored securely in a locked drawer/cabinet, actioned as soon as possible and then cross shredded. Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
3.5 Confidential and sensitive information (e.g. card numbers) is never to be sent unencrypted through end-user messaging technologies such as e-mail, instant messaging, or chat) Card details should never be requested via email. On no account should card details be processed if received this way. Emails must be deleted out of the inbox and deleted folder and a new message composed to the customer informing them that their card details will not be accepted via email.
3.6 Card details should never be requested via a paper booking/payment form.
3.7 All confidential and sensitive data will be retained only as long as required for legal, regulatory and business requirements and in a secured location (e.g. locked cabinet/safe). Cardholder “authorization data”, including track, CVV2, and PIN information, will be retained only until completion of the authorization of a transaction. After authorization, the data must be destroyed via cross shredding or pulping by using the clinic’s approved confidential waste service. Storage of cardholder authentication data post-authorization is prohibited.
3.8 Refunds can only be processed by an authorised member of clinic staff member Refunds must be processed with the customer present and receipts should be handled in the same way as 3.2.
4. Compliance and Review
4.1 The clinic will undertake a PCI-DSS Compliance review on an annual basis with the card processing providers at the time.. This must be carried out before the expiry date requested to ensure all areas of the clinic with no exceptions, are and do remain PCI-DSS compliant.
4.2 Members of the PCI-DSS compliance team will do annual and ad hoc spot checks on all PDQ machines and payment methods to ensure card payments remain secure.
4.3 All third party suppliers who provide card payment facilities must provide the PCI Team with an up to date copy of their Compliance to PCI DSS, on an annual basis.