WHAT IS PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements, implemented through policies, procedures and technical controls, that aims to improve the security of credit, debit and prepaid card transactions and to protect cardholder data against theft and unauthorized processing.

MERCHANT LEVELS DEFINED BY VISA

LEVEL 1: Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year, and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
LEVEL 2: Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
LEVEL 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
LEVEL 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

Every merchant falls into one of the four merchant levels based on its Visa transaction volume over a 12-month period. Transaction volume is the aggregate number of transactions, inclusive of credit, debit and prepaid.

WHY SHOULD WE CARE?

Most people hold a debit or credit card. PCI DSS consists of policies, procedures and technical controls designed to protect cardholder data.

Identity theft and card-data theft are carried out by well-organized criminal groups, because stolen cardholder data is highly lucrative worldwide.

COMPLIANCE BENEFITS

  1. Allows us to expand our role with existing clients
  2. Enables us to attract new clients with payment-processing needs
  3. Supports organizational growth

NON-COMPLIANCE RISKS

  1. Stagnant or damaged reputation in the BPO industry
  2. Exposure to financial and legal liability arising from a possible data breach and from inadequate protection of the data the organization currently holds
  3. Termination of business

POLICIES & PROCEDURES

YOUR RESPONSIBILITIES

Your responsibilities are defined by your role, but in general all employees and clients must work together to protect personal and cardholder information against unauthorized processing.

If you are part of the IT Staff:

  1. Ensure that security risks, processes, policies and procedures are reviewed at least annually.
  2. Run quarterly internal and external vulnerability scans (external scans by an Approved Scanning Vendor), rescan after any significant change, and carry out annual penetration testing.
  3. Ensure that every computer has anti-virus/anti-malware protection and intrusion monitoring and detection, kept up to date.
  4. Maintain a change management process, including change detection (file integrity monitoring) on critical systems and workstations.
  5. Manage user accounts, IDs and passwords, with a controlled process for granting, changing and revoking access.
  6. Restrict access to network, system, software and data resources to authorized roles on a least-privilege basis; this is particularly important for anyone with access to cardholder data.
  7. Monitor all access, administrative and user, to critical systems and workstations, and retain the resulting logs.
  8. Undertake an annual compliance audit.
  9. Conduct annual security awareness training on the policies and procedures that must be followed to comply with the PCI DSS standard.

For all employees and clients:

  1. Use biometrics for entry to and exit from the production floor. Tailgating is strictly prohibited.
  2. Wear your ID at all times.
  3. Never share or post a system username and/or password.
  4. Change your password whenever required by policy, by the system or by management.
  5. Do not bring your mobile phone into the office unless you are authorized and have a completed BYOD form on file.
  6. Do not open suspicious emails, especially those carrying attachments such as .exe files or coming from a sender you do not know; report them to the IT Department.
  7. Do not use unlicensed (pirated) software, which may compromise the performance and security of the PC/laptop you are using.
  8. No paper or writing instruments at workstations unless authorized for your role.
  9. Bringing in storage media such as flash drives, external hard drives and similar devices is strictly forbidden.
  10. Report suspicious behavior or occurrences in the office to your supervisor or the IT Department.
  11. If your PC is behaving unusually, inform the IT Department for assessment.
  12. Unauthorized visitors are not allowed inside the office.

Non-compliance with the policies implemented by AGBI management shall result in disciplinary action, up to and including suspension and immediate termination.