Accepting, Storing and Processing Cardholder Data Policy (Sept25)

The firm is committed to ensuring that all staff are aware of the guidelines for accepting, storing and processing Cardholder Data. This policy will help to ensure that Cardholder Data, supplied to the firm, is secure and protected.

This policy has been carefully considered and approved by Nicola Robinson (Finance Director/COFA) and Timothy Halliday (Data Protection Manager).

The policy sets out the requirements, controls and procedures we have put in place to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of requirements which explains how to protect yourself and your customers when taking payments. When your firm takes card payments, your clients are trusting you with their valuable details and assume you are keeping them safe from fraud.

Throughout this policy we will be referring to Cardholder Data and Sensitive Authentication Data. These comprise:

Cardholder Data:

  1. Primary Account Number (PAN);
  2. Cardholder Name;
  3. Service Code; and
  4. Expiration Date.

Sensitive Authentication Data:

  1. Full Track Data from the magnetic stripe, equivalent data on the chip, or elsewhere;
  2. CAV2/CVC2/CVV2/CID – The three (VISA or MasterCard) or four (American Express) digit value printed on the front or back of a payment card; and
  3. PIN/PIN Block – Personal Identification Number entered by cardholder during a transaction and/or encrypted PIN block present within the transaction message.

When creating this policy, we have taken into account the following:

  • guidance and additional information published by Payment Card Industry Standards Council;
  • the services we provide;
  • the transactions we undertake where Cardholder Data is required; and
  • the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA).

The Payment Card Industry Standards Council maintains, evolves and promotes Payment Card Industry Standards for the safety of Cardholder Data around the world.

The topic of Cardholder Data is also governed by the UK GDPR and DPA. A PCI DSS breach is also a data breach and the data breach reporting procedure must be followed in the event of a PCI DSS breach.

The firm carries out work which requires Cardholder Data to be stored and processed and when doing so must comply with the requirements of the PCI DSS. This policy has been developed by reference to those requirements.

If the requirements of the policy are not followed, suspension of physical and/or electronic payment options may result. Fines may also be imposed by the affected card company.

All staff are required to comply with this policy and follow the procedures set out herein. Failure to comply will be a serious disciplinary offence and will be dealt with under our disciplinary rules and procedures.

PCI DSS requirements

The PCI DSS requirements are as follows:

  1. Install and maintain a firewall configuration to protect Cardholder Data;
  2. Do not use vendor-supplied defaults for passwords and other security parameters;
  3. Protect stored Cardholder Data;
  4. Encrypt transmission of Cardholder Data across open, public networks;
  5. Use and regularly update antivirus software;
  6. Develop and maintain secure systems and applications;
  7. Restrict access to Cardholder Data by business need-to-know;
  8. Assign a unique ID to each person with computer access;
  9. Restrict physical access to Cardholder Data;
  10. Track and monitor all access to network resources and Cardholder Data;
  11. Regularly test security systems and processes; and
  12. Maintain a policy that addresses information security.

Staff training

We are required, by law, to ensure our staff are aware of the requirements for data protection which are relevant to the implementation of the PCI DSS requirements.

Your responsibilities under PCI DSS

In order to comply with the PCI DSS requirements, the firm has adopted the following processes, which must be followed by all staff who deal with Cardholder Data:

  1. Electronic card numbers should not be transmitted or stored on a personal computer or email account. Electronic lists of Cardholder Data should not be retained. Cardholder Data should only be accepted online, by telephone, mail, or in person. This information should not be accepted via email and departments should not email Cardholder Data;
  2. Physical Cardholder Data must be locked in a secure area. Access should be limited to individuals that require the use of the data. Access should also be restricted on a “need to know” basis;
  3. Only essential information should be stored. You must never store Sensitive Authentication Data after authorisation (even if encrypted);
  4. Cardholder Data should only be retained for the time needed to process it or, if retained for reconciliation, for a maximum of one year where necessary;
  5. Cardholder Data, if it does not need to be retained, should be destroyed securely (cross-cut) immediately after processing, or immediately after it no longer needs to be retained;
  6. Full PANs must be masked (the first six and last four digits are the maximum number of digits you may display), so that only authorised people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of Cardholder Data, such as on a point-of-sale receipt as covered in point 7;
  7. Card payment receipts/point-of-sale receipts may only show up to the last five digits of the payment card number. If receipts show more than the last five digits, the receipts must be shredded or retained in a secure area;
  8. All departments must comply with the PCI DSS, details of which can be found here: https://www.pcisecuritystandards.org/document_library; and
  9. Any exceptions to this policy must be authorised by Timothy Halliday (COLP & DPM) prior to being followed.
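As an added example (not part of the firm's policy), the two display rules in points 6 and 7 above and the "do not email Cardholder Data" rule in point 1, expressed as Python helpers: two masking functions and a small scanner that flags digit runs passing the Luhn check, which is how a mail gateway or DLP rule might catch an unmasked PAN before it leaves the firm. The Luhn check and the 13-19 digit PAN length are assumptions about card-number format, not something the policy states.

```python
import re

# Assumed PAN format: 13-19 digits, optionally separated by spaces or dashes.
PAN_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")


def _digits(pan: str) -> str:
    """Strip separators and validate the assumed PAN length."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumption: used only to cut false positives when scanning)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_for_display(pan: str) -> str:
    """Point 6: at most the first six and last four digits may be shown."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_for_receipt(pan: str) -> str:
    """Point 7: a card/point-of-sale receipt may show at most the last five digits."""
    digits = _digits(pan)
    return "*" * (len(digits) - 5) + digits[-5:]


def find_unmasked_pans(text: str) -> list:
    """Point 1: flag Luhn-valid full PANs in outbound text (e.g. an email body)."""
    hits = []
    for match in PAN_RUN.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample using the well-known Visa test number, not real cardholder data.
SAMPLE_EMAIL = "Client paid with card 4111 1111 1111 1111, exp 12/27. Please reconcile."
```

Running `find_unmasked_pans(SAMPLE_EMAIL)` returns the full test number, while the same scan over either masked form returns nothing, so the masking functions produce output that the scanner accepts.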

Retention of cardholder data records and data protection

The following processes must be followed for all Cardholder Data storage and destruction:

  • Cardholder Data should only be retained for the time needed to process it or, if retained for reconciliation, for a maximum of one year where necessary;
  • Hardcopies containing Cardholder Data must be destroyed immediately after processing; and
  • All electronic media containing cardholder information should be labelled with a destruction date and marked as confidential.

Review of this policy

This policy will be reviewed at least annually by Timothy Halliday (COLP & DPM).

September 2025
