Credit Card Data Security Virtual Terminal Version 3.2

Requirements for Use of this Policy

This policy may only be used if your business meets all of the following requirements:
o Your business only accepts Credit Cards using a standalone computer through a virtual terminal solution that is accessed through a web browser such as Internet Explorer, Firefox, Safari, Google Chrome, etc., and;
o The virtual terminal is provided and hosted by a PCI DSS validated service provider or providers, and;
o If you have a local network, the computer used for credit card processing is isolated from the network via its own firewall or network segmentation. In other words, no other computers can connect to the processing computer, and;
o There are no devices to capture credit card information, such as a card reader or PIN pad, and;
o Your company does not receive credit card information from any electronic source such as your network or the Internet (a web site), and;
o Your business NEVER stores cardholder data in any electronic form, including software for storing transactions to process later (store and forward) or batch settlement software. This includes spreadsheets, Word documents and any place else in any computer anywhere - ever, and;
o IF you store credit card information, you only store it on paper, and;
o IF you receive any credit card information (card number, expiration date, cardholder name and/or other credit card information), you only receive it on paper and it is never sent to you electronically.

1. Purpose
1.1. This policy is intended to ensure that customer personal information, particularly credit card information and primary account numbers, is securely transmitted and received when using a virtual terminal.

2. Scope and Responsibility
2.1. This policy applies ONLY to a single virtual terminal accessed through a computer with no network connections.
2.2. The information department or information personnel shall be responsible for implementing this procedure. Roles and security responsibilities shall be documented in Appendix C.
2.3. Vendors who provide software or hardware services (for example, hosting companies and hosted software) that store, process or transmit credit card data or cardholder information are bound by this policy.

3. Policy
3.1. For all hardware and software, the password shall be changed from the original vendor default password to a strong password in accordance with the company requirements for administrative passwords.
3.2. Employees are strongly cautioned that transactions may never be accepted on behalf of another business. If another business offers you the opportunity to process their transactions in exchange for money or a “cut” of the transaction, employees are to decline and report the activity to management. This is called “draft factoring”; it is illegal and may carry penalties both for you and the business.
3.3. Password sharing is not allowed for any reason. You may use only your own user name and password, and you are to keep it secret. You may not accept someone else’s password or use their session after they have logged on.
3.4. Electronic Data Security
3.4.1. If there is a network present, the computer used to access the virtual terminal shall be segmented from the network or separated from the network using at least a firewall.
3.4.2. Security Codes
3.4.2.1. Under no circumstances shall the security code, which is sometimes called the CVV or CVC value, be stored – EVEN IF ENCRYPTED or on paper. This number is found printed on the signature block of the card on MasterCard, Visa and Discover and printed on the front of American Express cards.
3.4.2.2. Employees may collect this value directly from a card or verbally from the cardholder over the phone. It may be entered into the virtual terminal, where it is erased after authorization.
3.4.3. Cardholder Information
3.4.3.1. CARDHOLDER INFORMATION data shall not be stored. No storage on workstations, laptops or personal computers is permitted, even for brief periods of time.
3.4.3.2. Under no circumstances are cards to be swiped or the full contents of the magnetic stripe to be recorded or stored.
3.4.3.3. When data is displayed in reports or on user screens, the cardholder numbers shall be masked so that a maximum of four (4) digits of the number are printed or displayed.
3.4.3.4. When credit card data is sent over public networks, such as the Internet, it must be encrypted. In other words, the address in the browser must start with HTTPS://.
3.4.3.5. Access to CARDHOLDER INFORMATION records shall be on a strict need-to-know basis only. All other access is to be denied unless specifically authorized.
3.4.4. Modems are to be set to automatically disconnect from the host when not in use.
3.4.5. Wireless devices are to be secured according to the company requirements for wireless.
3.5. Record Security
3.5.1. Prohibited Storage
3.5.1.1. Under no circumstances shall the security code, which is sometimes called the CVV or CVC value, be written down or collected on paper. This number is found printed on the signature block of the card on MasterCard, Visa and Discover and printed on the front of American Express cards.
3.5.1.2. Employees may collect this value directly from a card or verbally from the cardholder over the phone. It may be entered into the virtual terminal, where it is erased after authorization.
3.5.2. Paper records of credit card account numbers (cardholder information) shall be stored in locked files when not in use.

Inspiring Christian Store
ICSDEALS.NET
190 Blue Goose Rd
Beech Bluff, Tennessee 38313