All Personnel who interact with customer credit card data are responsible for protecting it. To help, On Location has developed the following list of rules to follow when handling credit card information.
Required Actions
Personnel subject to this policy are required to adhere to all training elements presented to them regarding the secure handling of credit card/cardholder data. Specifically:
- Only the approved, in-scope applications (Atlas/EventsAir, Sabre, SAP Concur Travel, Sureware, Sharpen, TPS) are to be used to transmit, store, or process credit card data.
- If credit card data or non-public cardholder data is discovered on any systems outside of these in-scope applications, that discovery must be reported to your supervisor and to OLE Compliance (olecompliance@onlocationexp.com) immediately. Any and all such data must also be deleted from the unapproved system.
- Personnel (including call center employees and on-campus representatives) who record customer phone calls must stop recording while receiving credit card data over the phone from the customer. The employee should then restart the recording once the credit card data has been fully received.
  - In rare instances, a customer may provide credit card data while the recording is still running.
  - If this inadvertent recording of cardholder data occurs, or an audio recording of credit card data is made for any reason, the recording must be reported and deleted.
  - Personnel making/recording the call are responsible for informing the call center manager or another relevant supervisor; that supervisor, in coordination with the IT department, is responsible for ensuring the recording with credit card data is deleted.
Prohibited Actions
Personnel are expressly forbidden from:
- Storing physical copies of customer credit card or cardholder data (including but not limited to printouts or handwritten notes).
- Storing CVV data (the 3- or 4-digit security code commonly found on the back of a credit card) anywhere on or off On Location-controlled systems or applications.
  - In certain cases, Personnel may also act as customers of On Location divisions or systems to book their own travel. Subject to the foregoing prohibitions, this policy shall not apply to an employee's or contractor's ability to maintain their own personal credit card data.
- Copying or removing credit card data via removable media such as USB drives.
- Storing credit card data on unapproved or out-of-scope systems or components.
  - As examples, Personnel may not store credit card or cardholder data on their local computer hard drive, removable media, or on OneDrive.
- Sending unencrypted credit card information via messaging services such as email, Microsoft Teams, or Slack.
  - Even encrypted credit card data should not be sent via these messaging services unless absolutely necessary. Any such transmission must be approved in advance and in writing by an authorized supervisor.