PCI DSS Policy - Payment Card Industry Data Security Standards

    PURPOSE:

    Departments and clinics throughout the Lister Healthcare Corporation have entered into merchant contracts with the Payment Card Industry as part of our business transaction services. The purpose of this financial policy is to control the transmission and storage of customer information and data received in respect of processing receipts by credit or debit card. This policy considers how LHCC obtains the customer information and data and how it is transmitted, processed, and stored.

    POLICY:

    It is the policy of LHCC to comply with all PCI DSS security standards. This policy sets out the rules and actions to be taken to safeguard all card data received and processed by LHCC. This policy will cover the 12 requirements of PCI DSS.

    PROCEDURE:

    • LHCC has established a firewall and router configuration standard that will formalize testing whenever configurations change. A review of configuration sets will be completed every 6 months. This is done through the processing center/vendor.
    • Vendor supplied defaults will not be used for system passwords and other security parameters.
    • Electronic credit card numbers should not be transmitted or stored on a personal computer or email account. Electronic lists of customers' credit card numbers should not be retained. Credit card information should only be accepted by telephone, mail, or in person. Lock credit card terminals and paper storage areas when unattended. Never use an email account.
      • Physical cardholder data must be locked in a secure area. 
      • Access is limited to individuals that require use of the data.
      • Credit card information will be destroyed by shredding immediately after processing.
      • All departments and employees must comply with the PCI DSS Standard.
    • LHCC uses encryption for transmission of cardholder data across open, public networks. It is prohibited to use WEP.
    • LHCC ensures that all anti-virus mechanisms are current, actively running, and capable of generating audit logs through our vendor.
    • LHCC requires that the latest vendor-supplied security patches are installed. Critical patches must be installed within a month. Periodic audits are performed to ensure discovery of security vulnerabilities. Updates are provided by our vendor.
    • Access to cardholder data is restricted to only those individuals whose jobs require such access. Access is restricted to a “need to know” basis.
    • Computer access passwords for changes.
    • Physical access to the cardholder data area is restricted. Only appropriate personnel are allowed in the credit card data area. NO EXCEPTIONS. All hardcopies with cardholder data must be shredded or held in a secure area.
    • Automated audit trails are reviewed and monitored for user activities by the vendor to determine any security breaches and/or any compromise of the system.
    • LHCC regularly tests security systems and processes, at least annually, through the vendor.
    • Annual PCI DSS training will be conducted for all LHCC personnel, including new hires.

    INCIDENT RESPONSE POLICY:

    If/when a security breach is discovered, the compliance officer must be contacted immediately. Under no circumstances should contact be made with anyone else. The compliance officer will then assess the situation and take corrective action at that time.

    All personnel responsible for processing, storing or transmitting credit card data must sign a PCI confidentiality statement.
