ℹ️ This document is about processing credit card transactions on site. The verbiage is intentionally vague to try and cover as many sites and setups as possible. If you have specific questions, please speak to your manager.
Before the transaction
All credit card terminals must be securely stored in a locked cabinet or secured to the countertop/desk/etc. when not in use. This includes host/partner staff.
Employees must recognize and report any suspicious activity involving the company's partners or host locations in relation to credit card terminals and customer data.
Customer data should not be disclosed to partners, except for legitimate reasons to conduct business.
Customer data should not be collected from a partner, except for legitimate reasons to conduct business.
Doxing is the action or process of searching for and publishing private or identifying information about a particular individual on the internet, typically with malicious intent. Doxing is strictly prohibited. This includes searching for guests via social media.
Employees must always use a secure method, such as a tamper-evident bag, to transport credit card terminals and other hardware.
For roaming sites, employees must always ensure that credit card terminals are returned to a secure location after each use.
All incidents involving credit card terminals or customer data must be promptly reported to management and, where applicable, the authorities.
All credit card terminals must be inspected for signs of tampering prior to use, and any suspicious activity must be reported to the manager immediately.
All credit card terminals must be regularly inspected for damage and physical vulnerabilities, and any identified issues must be promptly addressed. This includes water damage, swollen batteries, etc.
All employees handling credit card terminals must be trained on proper handling and security procedures to ensure compliance with Magic Memories' standards.
All employees should do their due diligence to protect customer data, keeping it confidential and protected from unauthorized access.
All access to customer data must be restricted to Magic Memories' personnel only.
Only employees with a bona fide reason to access customer data are authorized to access credit card processing software (LightSpeed, etc.) and terminals (Square, WindCave, etc.).
Employees understand that all access is logged and monitored for suspicious activity.
All employees who handle credit card transactions must be trained on proper handling procedures and must be authorized by management. New employees may not handle credit card transactions until they are able to complete a transaction, start to finish, under observation of a senior staff member.
Employees must never share login credentials for online credit card processing systems with anyone.
Employees must always log out of online card processing systems when they are not in use.
During the transaction
Employees should avoid touching customer credit cards or payment devices altogether. This includes inserting, tapping or swiping the credit card for the customer. Only in the event of a payment issue/failure (and with consent from the customer) may a Magic Memories employee assist in physically running the transaction.
Employees must always ensure that the customer's card is kept in sight of both the employee and the customer during the transaction. THE CREDIT CARD (OR PAYMENT DEVICE) MUST NEVER LEAVE THE CUSTOMER’S VIEW.
Employees must never leave credit card terminals or customers unattended while a transaction is in progress.
Employees must always ask for and verify a customer's photo ID when processing a credit card transaction.
Employees must never write down or otherwise record the full credit card number, expiration date, or CVV code. This includes when manually processing credit card transactions.
Employees must be able to identify and report suspicious transactions, such as transactions for excessive amounts or transactions involving obviously tampered or destroyed credit cards.
Employees should recognize and report patterns of suspicious behavior, such as a customer attempting to run multiple (excessive) transactions from one card or multiple (excessive) cards on one transaction.
Employees should be aware of common fraud techniques, such as skimming and phishing, and must report any suspicious activities.
Employees must be trained to recognize and report any suspicious behavior from customers, such as customers who appear to be acting under duress or customers who appear to be trying to conceal their identity.
Employees must recognize and report any suspicious behavior from other employees, such as employees who appear to be colluding with customers to commit fraud.
Employees must recognize and report any suspicious activity involving the physical hardware, such as terminals that appear to have been tampered with or cameras that appear to have been blocked.
Employees must recognize and report any suspicious activity involving customer data, such as data that appears to have been tampered with, accessed without authorization, or exported without authorization or need.
Employees must recognize and report any suspicious activity involving the company's network or PC behavior.
Employees must recognize and report any suspicious activity involving the company's payment processors or other third-party services, such as payments showing as complete but never charging a customer or excessive transactions showing when only one transaction was attempted.
After the transaction
Employees must never attempt to process a refund for a customer without proper authorization from management.
Nice to have
All partners and host locations must have a written agreement in place that includes security requirements and regular security assessments.
An annual self-assessment of compliance with this process must be conducted and any identified issues must be promptly addressed.