The purpose of this policy is to establish business processes and procedures for accepting payment cards at the Saponify Naturals LLC online store that will minimize risk and provide the greatest value, security of data, and availability of services to each customer within the rules and regulations established by the Payment Card Industry (PCI) and articulated in the PCI Data Security Standard (DSS). Additionally, these processes are intended to ensure that payment card acceptance procedures are appropriately integrated with Saponify Naturals LLC's financial and other systems.
In response to increasing incidents of identity theft, the major payment card companies created the Payment Card Industry Data Security Standard (PCI DSS) to help prevent theft of customer data. PCI DSS applies to all businesses that accept payment cards to procure goods or services. Compliance with this Standard is enforced by the payment card companies and generally, noncompliance is
Security breaches can result in serious consequences for Saponify Naturals LLC including release of confidential information, damage to reputation, the assessment of substantial fines, possible legal liability and the potential loss of the ability to accept payment card and eCommerce payments.
Cardholder:
The customer to whom a payment card has been issued or the individual authorized to use the card.
Cardholder Data:
All personally identifiable data about the cardholder (i.e., account number, expiration date, cardholder name).
Saponify Naturals LLC processes through Authorize.net and any security protocols have been administered through that process and processor.
Encryption:
The process of converting information into an unintelligible form to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure.
Merchant or Merchant Department:
For the purposes of the PCI DSS and this policy, a merchant is defined as any Saponify Naturals consultant or other entity that accepts payment cards bearing the logos of any of the five members of the Payment Card Industry Security Standards Council (American Express, Discover, JCB, MasterCard or VISA) as payment for goods and/or services, or to accept donations.
Merchant Department Responsible Person (MDRP):
A management employee within a department who has primary authority and responsibility for payment card and eCommerce transaction processing within that department.
Payment Card:
Any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or VISA, Inc.
Payment Card Account Change:
Any change in the payment account including, but not limited to:
Payment Card Industry (PCI) Data Security Standard (DSS):
A multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
Sensitive Authentication Data:
Security-related information (card validation codes/values, full magnetic-stripe data, or personal identification number (PIN)) used to authenticate cardholders, appearing in plain-text or otherwise unprotected form.
This policy applies to all Saponify Naturals LLC employees, contractors, consultants or agents who, in the course of doing business on behalf of Saponify Naturals LLC, accept, process, transmit, or otherwise handle cardholder information in physical or electronic format.
This policy applies to all Saponify Naturals consultants and administrative areas which accept payment cards regardless of whether revenue is deposited in Saponify Naturals financial account.
Saponify Naturals LLC currently accepts VISA, MasterCard, Discover and American Express Card and has negotiated contracts for processing payment card transactions. Individual Saponify Naturals consultants may not use or negotiate individual contracts with these or other payment card companies or processors.
Saponify Naturals LLC prohibits certain credit card activities that include, but are not limited to:
Each payment card transaction will have an associated fee charged by the credit card company. Payment card fees will be allocated to the CODB account.
Refunds:
When a good or service is purchased using a payment card and a refund is necessary, the refund must be credited back to the account that was originally charged. Refunds in excess of the original sale amount or cash refunds are prohibited.
Occasionally a customer will dispute a payment card transaction, ultimately leading to a chargeback. In the case of a chargeback, the customer initiating the transaction is responsible for notifying the Saponify Naturals LLC consultant and for providing appropriate supporting documentation.
Merchant Department Responsible Persons (MDRPs) are responsible for:
Information Technology Services: shall regularly monitor and test the Saponify Naturals LLC Network and coordinate Saponify Naturals LLC compliance with the PCI Standard’s technical requirements and verify the security controls of systems authorized to process credit cards.
The Director, Information Security Management and Compliance: shall maintain currency with the requirements of the PCI DSS and related requirements to ensure that this policy remains current and shall coordinate and lead any campus response to a security breach involving cardholder data.
The Manager shall:
Internal Auditing Services shall:
All requests shall be reviewed by the Manager, the Director of Information Security Management and Compliance and the Director, Network Services. Saponify Naturals LLC shall respond to all applications
The MDRP may appeal a decision to deny an application to acquire or change a payment card account to the Associate Vice President, Financial Management.
Each auxiliary organization shall develop procedures for payment card account acquisition or change within their organization.
Saponify Naturals LLC discourages the use of wireless technology to process or transmit cardholder data. If the use of wireless technology is approved, the storage of cardholder data on local hard drives, floppy disks or other external media is prohibited. It is also prohibited to use cut-and-paste and print functions during remote access. Activation of modems for vendors will be permitted only when no other alternative is available, and they will be immediately deactivated after use.
The Owner of Saponify Naturals LLC may suspend credit card account privileges of any department or administrative unit not in compliance with this policy or that places Saponify Naturals LLC at risk. Any employee or consultant engaged in payment card activities will be responsible for any financial loss due to inadequate internal controls or negligence in adhering to the PCI Data Security Standard.
Employees who are expected to be given access to cardholder data shall be required to complete upon hire, and at least annually thereafter, security awareness training focused on cardholder data security. Employees shall be required to acknowledge at least annually that they have received training, understand cardholder security requirements, and agree to comply with these requirements.
Owner, Saponify Naturals LLC
Shane Cultice, CNHP MSM