Credit Card Information Handling Policy

Ensuring Secure and Compliant Handling of Cardholder Information

Our Credit Card Information Handling Policy details the protocols and measures for managing and securing credit and debit card information within an organization. This policy underscores the importance of handling sensitive financial data with utmost care and making it accessible only to a limited number of authorized personnel as designated by top executives such as the CIO, CFO or General Counsel. It covers various aspects of data handling, including collection, input, maintenance and disposal of financial data, ensuring all processes comply with applicable laws and standards. This tool is structured to reinforce the company's commitment to safeguarding customer and company data against unauthorized access and breaches.

This document includes two samples that provide specific scenarios and guidelines under the policy framework. Sample 1 focuses on the general policy overview, including the preparation, approval and revision history related to the policy, along with detailed guidelines on how financial data should be handled, emphasizing the need for encryption and secure delivery methods. Sample 2 delves deeper into the procedural aspects, including the document revision history, required reviews and recommendations for handling cardholder data. It also includes a preface that explains the purpose of the policy and the procedures for using it within the organization, ensuring that all security policies are aligned with the enterprise's overarching information security strategy. Each sample serves to illustrate the application of the policy in different contexts within the organization, reinforcing the procedural integrity and compliance with established data protection standards.

Sample procedures include:

  • Ensure that the credit card information is not on the hard copy reservation form you keep as backup.
  • Delete the credit information in the reservation forms saved on your computer.
  • Screen potential employees to minimize the risk of attacks from internal sources.
  • Destroy media containing cardholder information when it is no longer needed for business or legal reasons.