Definitions

  • Cardholder Data – Any personally identifiable data associated with the cardholder, including the primary account number (PAN), expiration date, name, address, social security number, service code, card verification code, or any other data stored on the magnetic stripe or chip of the payment card. Note that PCI DSS treats the verification code, PIN data and full track data (magnetic stripe or chip equivalent) as sensitive authentication data that must never be stored after authorization, even in encrypted form.
  • Merchants – Authorized acceptors of payment cards for the purchase of goods, services, or information.
  • Network members – Acceptors of payment cards for the purchase of goods, services, or information that have been granted direct authorization to perform payment card transactions by the major credit card companies. Generally these include banking and financial institutions.
  • Payment Application Data Security Standard (PA-DSS) – The Payment Card Industry Security Standards Council (PCI SSC) program established to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and to ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. The PCI SSC retired PA-DSS in October 2022; its successor for new validations is the PCI Software Security Framework (SSF).
  • Payment Card Industry Data Security Standards (PCI DSS) – A multifaceted set of comprehensive requirements and security standards developed to enhance payment account data security, security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
  • PCI Entity – Any Company department, office, section, or affiliated association or group that has been approved to accept, process, transmit, or store credit card transactional or cardholder data as a member, merchant, or service provider operating on behalf of Company, or in use of the Company brand name.
  • Senior Management – Persons in the positions of dean, chair, or division or program director, or persons specifically designated by a dean, chair, or division or program director, that make executive decisions and are authorized to accept risks for the administrative unit in the area of information security.
  • Service Providers – Any business entity that is not a payment card brand network member or a merchant directly involved in the processing, storage, transmission, and switching of transaction data or cardholder information, or both. This includes companies that provide services to merchants, service providers, or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, intrusion detection systems and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
  • Company – “ATPL”, UAB, registration code 304435490, Address: O. Milasiaus str. 5-38, 10102 Vilnius, Lithuania, Tel: +370 686 233 77, e-mail: info@atpl.aero
  • Verification Code – The three-digit value printed on the back of a payment card, or the four-digit value printed on the front of an American Express card: Card Validation Code CVC2 (Mastercard), Card Verification Value CVV2 (Visa), or Card Identification Number CID (Discover and American Express). PCI DSS prohibits storing this value after authorization, even in encrypted form.

Background

  • The Payment Card Industry (PCI) Data Security Standard (DSS) is a mandated set of security requirements created by the major payment card brands to give merchants and service providers a complete, unified approach to safeguarding cardholder data across all payment card brands. The PCI DSS applies to all payment card network members, merchants, and service providers that process, store, or transmit cardholder data, and to all methods of card processing, whether manual or computerized.

Purpose

  • This policy mandates compliance with PCI DSS requirements for processing, storing, transmitting, or handling payment card information. Company is subject to examination of security measures employed to ensure cardholder data are securely maintained. As such, Company is committed to adhering to the PCI DSS in order to ensure the protection of cardholder data, limit its liability, and maintain the ability to provide payment card transaction services.

Policy Statement

  • All Company’s payment card processing activities and related technologies must comply with this policy and the PCI DSS in its entirety. Compliance with card processing activities must be maintained as described herein and in accordance with the policies listed in the Related Policies/Documents section of this policy. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of this policy or the PCI DSS.

Scope/Applicability

  • This policy applies to all Company’s employees, contractors, consultants, temporaries, vendors, other third party workers, and any unit that processes, stores, maintains, transmits, or handles payment card information in a physical or electronic format on behalf of the Company enterprise, or in use of the Company brand name. This includes any entity that utilizes any part of the Company network infrastructure for payment card transaction services. Hereafter, these groups shall be referred to as “PCI Entities”.

Policy Requirements

  • Each PCI Entity must develop, implement, and maintain processes and procedures for conducting secure payment card transaction related activities in accordance with PCI DSS requirements and any other applicable Company policies.
  • Vendor or third-party applications used for payment card processing services must be validated payment applications: PA-DSS validated, or, for applications assessed after PA-DSS was retired, validated under the PCI Software Security Framework that replaced it.
  • Any known or suspected breach, compromise, or unauthorized access of cardholder data shall be reported immediately to the Company.

Sanctions

  • Employees who do not follow this policy and all requirements contained within the appropriate unit procedures may be subject to disciplinary action up to and including termination of employment.
  • Company’s PCI Entities that do not follow this policy and established procedures may be subject to suspension or loss of payment card processing capability and to monetary fines.
  • Vendors or contractors who do not follow this policy and established procedures may be subject to breach of contract penalties.

Refunds

 

  • All refunds must be returned using the original payment source and made to the customer who made the original payment. Where possible they must be returned to the card on which the original payment was made. The only permissible exception is where that card has expired or the account has been closed; proof of this must be obtained. In those circumstances a refund may be made to an alternative card held by the same customer.
  • The total amount paid for the Services shall be refunded in full where, through the Company's fault, the Services were not provided to the Customer in full in accordance with the Agreement. The Company undertakes to refund the full amount of the Services within 5 (five) banking days from the date on which both Parties sign an agreement confirming this fact.


Company Approved Card Payment Methods and Services

Card data must only be received and processed by the Company approved methods and services. These are:

Company Approved Payment Methods

  • Payment Method: Online
  • Approved Payment Service: Web Application Transaction
  • Card Transaction – Mandatory Controls: Payment via an online system should generate an email payment confirmation to the customer. This should be the only confirmation document the customer receives from the Company for the transaction.
  • Card Transaction – Storage of Card Data: Data is held by the Company’s PCI DSS compliant approved supplier.
  • Card Transaction – Customer Present: No

If a customer’s payment has been unsuccessful or declined, the customer should contact their card provider in the first instance.

If a customer faces difficulty in making a payment then staff assistance can be provided.

If the payment problem cannot be resolved, the customer should either provide a number to be called back on at a suitable time or be offered an alternative payment method.