CBOSS - Blog

Payment Information Guidelines

Written by Mike Lendvay | Jun 3, 2019 2:24:00 PM

CBOSS strives to be on the forefront of security and compliance, in order to protect the data of our clients and their customers. As the result of ten-plus years of audits, CBOSS has developed a comprehensive set of policies and procedures for managing and securing payment data. These policies, along with dedicated training, ensure the safety of sensitive information. This blog will outline the information that needs protected, as well as some best practices your organization can follow.

Sensitive Information

Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. There are several common types of sensitive information that we regularly encounter:

  • Credit Card Primary Account Numbers (PAN)
  • Bank Account Numbers (Checking and/or Savings)
  • Social Security Numbers (SSN)

Handling Sensitive Information

Securely and responsibly handling sensitive information is critical at every stage of the data life cycle. The following directives are part of CBOSS’ data management policies:

 

No Writing Down Sensitive Information

Sensitive information should NEVER be written down on paper. If collecting payment information via telephone, the payment information should be entered directly into CPP and NEVER be transposed to paper or stored outside secure payment applications like CPP.

 

No Storing Sensitive Information

Sensitive information should NEVER be typed or stored in clear-text format. If collecting payment information via telephone, the payment information should be entered directly into CPP and NEVER be typed into a text document or stored outside secure payment applications like CPP.

 

No Digital Transmission of Sensitive Information

Sensitive Information should NEVER be sent via any form of digital communication, including email, instant messenger, or any form of end user messaging technology.

 

No Using Sensitive Information in Transaction Research or Discussion

When discussing or investigating transactions, sensitive information is rarely necessary, and should never be shared or transmitted in communications with internal or external support personnel.

 

Redact Sensitive Information

Documents containing sensitive information should always be redacted prior to sharing, to preserve the confidentiality of the customers information.

 

We wrote this post to help our clients practice responsible data management. Feel free to distribute this post throughout your organization, or use it as a baseline to develop new data management policies.