The Coaching and Support Services takes privacy and data security very seriously and would like to assure all our customers that the company does everything within its power to keep information secure and acts accordingly with PCI Compliance requirements (Payment Card Industry, PCI data security standards).
The Coaching and Support Services has a current website SSL Certificate and the URL will appear as ‘https’, and not ‘http’, which ensures that our pages are secure.
The Coaching and Support Services are able to take virtual card payments over the telephone or on-line in accordance with the payment options stipulated on our invoices. We use Stripe Payments Gateway virtual terminal and Stripe are fully PCI Compliant.
When it comes to compliance and regulations, The Coaching and Support Services prides itself on being up to date and prepared at all times for possible eventualities.
BEST PRACTICE GUIDELINES
The Coaching and Support Services follows stringent guidelines regarding the handling of all customer data and each member of the team fully conforms with these. Strong access control measures are in place to protect our customers at all times.
- Only those authorised to handle confidential and sensitive data are permitted to do so.
- Only those that have to access confidential and sensitive data are authorised to do so.
- Passwords must be changed to a secure alternative on a regular basis.
- Initiative and due diligence must always be shown in checking for suspicious activities.
- An Information Security Policy is in place.
- A Vulnerability Management Program is followed.
- Each member of the team is trained in the importance of data sensitivity, data security and their individual responsibilities in meeting obligations.
- Only secure and PCI compliant systems are used in processing payments.
The Coaching and Support Services use Stripe to process card payments. Stripe’s hardware and software complies with the Payment Card Industry Data Security Standard (PCI DSS). Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
Stripe follow strict security procedures to ensure the security of all date. For further information regarding Stripe’s official guidance on PCI compliance please see https://stripe.com/docs/security
When we take virtual payments, whether it be over the telephone or on-line, naturally, the customer doesn’t have to be physically present. Since we cannot physically verify that the person making the transaction is the cardholder, we follow the steps listed below to minimise the risk of payment dispute.
Obtain card information – ask the customer to provide the card number, the name on the card, billing address, expiration date and CVV code on the back of the card.
Get proof of service – an order confirmation will be issued, plus a receipt of payment will be provided detailing the purchase and that the transaction was successfully completed and this is always retained on file.
Know the customer – we will get to know our customers, especially before completing a large transaction.
We will be due diligent in checking for any fraudulent or suspicious behaviour.
Virtual payments are taken on the office based laptop, which has the latest firewall and threat protection software. This is updated, reviewed and the system scanned on a regular basis to ensure nothing untoward has occurred.
The password is changed routinely, and access limited to authorised and essential personnel only.
Access to the payments terminal is limited to necessary personnel only and each one is trained in the virtual and physical measures associated with correct compliance and handling in related data. Additional training is implemented regarding our Best Practice Guidelines.
Whenever a member of the team accesses the payments terminal a record is kept of when and why this has taken place to ensure a reliable and up to date reference.
Only necessary information is stored and this will always be stored securely.
We will not retain any PIN or verification codes to any card payments, card numbers, magnetic-stripe data and security codes on client devices. Recurring subscription payments may be set up, as requested, and only the required data will be held and this is done securely by the service provider.
We will only ever use secure card payment services and should this change from Stripe, all our customers will be notified and updated.
VULNERABILITY MANAGEMENT PROGRAM
A Vulnerability Management Program is the continuing and routine process of recognising, evaluating, reporting, managing and rectifying security risks and potential breaches to keep all systems and assets within a network fully protected.
In accordance with PCI Compliance, The Coaching and Support Services have a Vulnerability Management Program in place to detect possible weaknesses and apply the appropriate means to correct them. This includes:
- Frequent vulnerability risk assessments of procedures, networks, and systems.
- Regular reviews and updates of antivirus software.
- Scanning devices routinely.
- Continually updating systems.
- Only ever using secure card payment services.
- Routine changes of passwords.
Risk Assessment Requirements
When carrying out risk assessments we must:
- Identify what must be checked for vulnerabilities.
- Identify which assets are more critical in protecting.
- Check the security software remains appropriate and up to date.
- Measure timescales to rectify any weaknesses found.
- Check if any procedures or service levels need refining.
- Identify how often each asset must be assessed.
- Check we have the correct software and procedures in place for assessments.
- Identify the threat level of data exposure.
Risk Assessments Performed
The areas we risk assess include:
- Devices and installed software
- Computerised storage of data.
- Manual/physical storage of data.
- Who has access to data.
- Training and abilities of those who have access to data.
- How, why and when the data is accessed.
- Ways in which a breach may occur.
In addition, we retain records of who accesses the data and when, and when the systems are tested with the outcomes and any relevant information collated.
INFORMATION SECURITY POLICY
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle branded credit cards from the major credit card companies.
The PCI standard is mandated by the card brands, but administered by the Payment Card Industry Security Standards Council. The Standard was created to increase controls around cardholder data to reduce credit card fraud.
To comply with the PCI DSS The Coaching and Support Services follow strict Best Practice Guidelines and a Vulnerability Management Program, as detailed within this document. We also stay on top of latest updates and changes in legislation via the FSB and Stripe.
When employing new staff we carry out checks for references and rights to work.
Regular staff training and reviews take place to confirm that each person is up to date with procedures, systems and the latest guidelines. It is emphasised to each individual the importance of compliance and how they contribute to the company meeting its commitments.
Who Executes Data Procedures
All staff at The Coaching and Support Services are responsible for ensuring that data procedures are correctly implemented within the areas they are accountable for. Each member of staff has a duty of care to act responsibly and within the stated guidelines.
Jennifer Hallett, Founder, will ensure that the virtual payments aspect of the business remains secure and all staff are trained and follow the correct procedures.
Data procedures will be executed by all personnel and our customers can relax in the knowledge that full compliance is being adhered to.
Business Compliance Guide
To allow us to meet our compliance requirements in the most effective ways possible, The Coaching and Support Services routinely assess and measure current implementation strategies, plus processes and tools to allow us to spot any potential gaps that may lead to a breach of data. This is done using the latest security software and regular reviews of our policies and procedures.
Applying our Vulnerability Management Program we are able to discover any possible weaknesses and apply the appropriate means to correct them.
By carrying out regular detailed risk assessments of each area we are able to keep our systems secure according to the law and avoid unnecessary implications or negative impacts on our customers or ourselves.
To minimise risk we only use PCI compliant and secure online payment facilities, such as Stripe.
Every aspect of data security is covered, tested and reviewed to ensure our systems, procedures and policies are compliant with current legislation.
All data security policies are reviewed and where necessary updated on at least an annual basis, or upon a change to the law.
The review process ensures that:
- Date protection policies remain in place.
- Date protection policies meet current PCI compliance requirements.
- Potential threats are identified and consideration included in procedural documentation.
- Any new legal issues are identified that require changes.
- Staff adherence is being appropriately executed.
Should a data breach occur all parties affected will be notified immediately, along with the relevant authorities. The appropriate steps will be taken to safe guard further data within a reasonable timescale. Disciplinary procedures will be invoked in the case of staff or third parties breaching the Security Policy and/or any supporting policies or standards.
If you have any queries, please email the office at email@example.com.