I. PURPOSE
The purpose of this policy is to establish guidelines for processing charges and credits on credit cards, to protect against exposure and possible theft of account and personal cardholder information that has been provided to My Urban Toddler, and to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements for transferring, handling and storing credit card information.
II. DEFINITIONS
III. SCOPE
This policy applies to all My Urban Toddler employees, contractors, consultants, temporaries, and other workers. This policy is applicable to any unit that processes, transmits, or handles cardholder information in a physical or electronic format. Affiliated corporations are encouraged to comply.
IV. POLICY
All transactions (including electronic transactions) that involve the transfer of credit card information are performed on systems approved by My Urban Toddler, after a prior compliance and security review by Information Technology. All specialized servers approved for this activity are housed within a secure Tier 4 data center and administered in accordance with the requirements of all My Urban Toddler policies and the Cardholder Information Security Program (CISP). My Urban Toddler is involved in PCI DSS compliance and is subject to examination of system security and configuration to ensure cardholder information is securely maintained. In addition:
V. PROCEDURES
Confidentiality and Security of Account Information
My Urban Toddler employees are governed by various policies, including the Code of Conduct, Acceptable Use, and Information Security policies. These policies include the responsibility to protect the confidentiality of individuals' personal information.
All credit card and debit card transactions, including web-based procurement of the same, must be initiated and controlled through My Urban Toddler. Questionable sales should be reviewed by My Urban Toddler and/or General Counsel.
The principle of least privilege will be applied to restrict access to sensitive data. This means assigning individual access on a "need-to-know" basis. Positions requiring specific levels of data access will be granted them with the approval of the department head and IT. For employees without a "need to know", credit card account numbers will be masked to protect account information. At most the first six and last four digits of a card number may be displayed.
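The masking rule above (show at most the first six and last four digits, mask the rest) is simple to state but easy to get subtly wrong when card numbers appear with spaces or dashes, or buried in free text such as a support ticket or a log line. The following is an added illustration, not code from the policy or from My Urban Toddler: it masks a single primary account number while preserving its separators, and it scans free text for anything that looks like a 13 to 19 digit card number and masks it in place. The sample card number and log line are constructed for the example; `4111 1111 1111 1111` is a well-known test number, not a real account. Masking every plausible digit run by default (rather than only Luhn-valid ones) is a deliberate choice, since over-masking is the safer failure mode for a display rule.

```python
import re

# Any run of 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to further digits. Lengths cover all major card brands.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4, mask_char: str = "*") -> str:
    """Mask a card number to its first `lead` and last `trail` digits.

    Separators (spaces, dashes) are kept in place so the masked value lines up
    with the original presentation. Raises ValueError on anything that is not
    a plausible card number.
    """
    if not re.fullmatch(r"[\d -]+", pan):
        raise ValueError("card number may contain only digits, spaces and dashes")
    n = sum(c.isdigit() for c in pan)
    if not 13 <= n <= 19:
        raise ValueError("not a plausible card number length (13-19 digits)")
    if lead + trail >= n:
        raise ValueError("lead + trail would reveal the whole number")
    out = []
    seen = 0
    for c in pan:
        if c.isdigit():
            seen += 1
            keep = seen <= lead or seen > n - trail
            out.append(c if keep else mask_char)
        else:
            out.append(c)
    return "".join(out)


def mask_pans_in_text(text: str, require_luhn: bool = False) -> str:
    """Mask every card-number-looking digit run in free text.

    By default every plausible run is masked (safer for display to staff
    without a need to know). With require_luhn=True only runs that pass the
    Luhn check are masked, which reduces false positives on order numbers.
    """
    def _sub(m: re.Match) -> str:
        candidate = m.group(0)
        digits = re.sub(r"\D", "", candidate)
        if require_luhn and not luhn_valid(digits):
            return candidate
        return mask_pan(candidate)
    return _PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample input: a support note containing a test card number.
    note = "Customer 4111-1111-1111-1111 called about order 12345"
    print(mask_pan("4111 1111 1111 1111"))   # 4111 11** **** 1111
    print(mask_pans_in_text(note))           # Customer 4111-11**-****-1111 called about order 12345
```

`mask_pan` is the function to call wherever a card number is rendered for someone without a need to know; `mask_pans_in_text` is the safety net for places where card numbers should never have landed in the first place, such as ticket bodies or application logs.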
Under no circumstances will it be permissible to obtain credit card information or transmit credit card information by e-mail.
Any changes to systems housing account information must only be performed when:
Enforcement by Information Technology
System Administrators:
Data Storage and Destruction
The following processes must be followed for all data storage and destruction:
VI. SANCTIONS
Violations that constitute criminal offenses under local, state, and federal laws shall be referred for prosecution and are punishable to the fullest extent of the law.
Violations of the policy will be addressed by respective disciplinary policies and procedures. All known and/or suspected violations will be reported to the applicable authorities.