PCI Compliance Policy

Effective Date: April 1, 2023
Last Updated: November 20, 2024

Purpose

This document outlines the policies and procedures implemented by Very Good Presets to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). Our goal is to protect cardholder data and maintain a secure online payment environment.

Scope

This policy applies to all employees, contractors, systems, and processes involved in handling payment transactions on Very Good Presets.

Payment Handling

  1. Third-Party Payment Processor
    We use Stripe to process all online transactions. Cardholder data is never stored, processed, or transmitted through Very Good Presets servers.

  2. Secure Checkout

    • All payment forms are hosted by Stripe and embedded securely using iframe or redirect methods.

    • Transactions occur over HTTPS to encrypt data in transit.

  3. Data Storage

    • No cardholder data (e.g., card numbers, CVV, expiration dates) is stored on our systems or servers.

    • Any sensitive data required for processing is managed by Stripe in compliance with PCI DSS standards.

Security Measures

  1. Encryption
    All connections to [Your Website Name] use Secure Sockets Layer (SSL) encryption, ensuring data security during transmission.

  2. Access Control

    • Administrative access to our website is restricted to authorized personnel only.

    • Strong passwords and two-factor authentication (2FA) are enforced for all accounts with access to payment processing tools or dashboards.

  3. Firewall and Monitoring

    • We use a web application firewall (WAF) to monitor and block malicious traffic.

    • Our hosting environment is regularly updated with the latest security patches.

  4. Vulnerability Management

    • Regular vulnerability scans are conducted using Stripe Admin.

    • Detected vulnerabilities are addressed promptly based on their severity.

Employee Training

All employees involved in managing the website or payment processes are trained on PCI compliance requirements, data security best practices, and how to identify and report security threats.

Incident Response Plan

  1. Reporting Security Incidents
    Any suspected security incident involving cardholder data will be reported immediately to your bank.

  2. Response Steps

    • Contain the issue to prevent further data loss.

    • Notify our payment processor and, if required, affected customers.

    • Conduct a post-incident review to improve future security measures.

Regular Assessments

  1. Self-Assessment Questionnaire (SAQ)
    We complete an annual PCI DSS SAQ appropriate to our level.

  2. Security Testing
    Regular penetration testing and vulnerability scans are performed to ensure the integrity of our website and compliance with PCI DSS standards.

Contact Information

For questions about this PCI compliance policy or to report a potential issue, contact Very Good Presets.

This document is reviewed annually or whenever significant changes are made to our payment processes.