Credit Card Management
Understanding the Payment Card Industry (PCI)
What is Payment Card Industry (PCI)?
The Payment Card Industry (PCI) standards are national standards issued by the Payment Card Industry Security Standards Council and apply to all entities involved in payment card processing.
Sodexo Live! business units that process, store, or transmit credit card data will be required to implement a PCI DSS approved POS solution (cashless preferred), securely maintain approved payment devices, and will be subject to an annual PCI assessment to determine overall compliance with current PCI DSS requirements and policies.
All Sodexo Live locations that accept credit/debit card payments are considered merchant locations and must process those payments in a secure manner. It is the responsibility of each location to maintain compliance with the Sodexo Live policies and the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC).
Sodexo Live’s PCI DSS Compliance Program addresses requirements of the PCI SSC, including:
- Security Awareness Education (required PCI DSS Security Training and Attestation)
- System Vulnerability Scans
- System Penetration Testing
- Periodic Reviews and Audits
- Annual PCI SAQ (Self-Assessment Questionnaire)
PCI DSS Security Training and Attestation
Per PCI DSS requirement 12.6, Sodexo Live requires all location personnel interacting with the Cardholder Data Environment (CDE) in any manner (from the initial entry to the final reconciliation) to complete an annual training and attestation. This mandatory requirement includes student employees, contractors, and volunteers.
Individuals who have not completed training and attestation are not permitted to process Cardholder Data (CHD) on behalf of Sodexo Live interests. Locations using untrained or unattested individuals to process CHD may have their merchant account revoked.
Periodic Reviews and Audits
Sodexo Live corporate Audit may perform periodic reviews or audits of location operations to ensure that locations comply with PCI DSS and that Sodexo Live’s risk is reduced. Failure to cooperate with such activities may result in merchant account usage being revoked.
Locations should also routinely review their procedures and equipment, including physically inspecting card processing equipment to ensure devices have not been substituted or tampered with. This Merchant Location Device Inspection Checklist can be used for your inspections.
Annual PCI SAQ (Self-Assessment Questionnaire)
All Sodexo Live locations are required to validate PCI DSS compliance at least annually by completing the appropriate SAQ in a timely manner. A questionnaire must be completed for each merchant account, and a new questionnaire must be filled out whenever any of the following have occurred:
- payment processing system changes
- a year has elapsed since your last SAQ
- upon Operations request
Why do I need to care about PCI?
How to Comply with PCI?
Protecting stored cardholder data involves securing equipment with access to data, electronic records, and paper records as well as preventing inadvertent disclosure.
Handling Payments
- In Person Payments
- Payments Made Over the Phone
- Payments Made by Mail, Fax, Email
- Online Payments
Managing Operations
- Check Devices for Tampering
- Monitor for Fraud and Security Breaches
- Maintain a Security Policy
- Report Security Incidents
What resources are available to help me?
Where do I go if I have additional questions or need assistance?
The Field ET team can assist you with questions: emergingtech@centerplate.com
Acknowledgement of Materials
Reason for having to acknowledge the materials needs to go here (M Porter to provide).
