PCI Compliance Policy
Purpose
This policy establishes guidelines to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) for the secure processing of rent payments via credit cards, debit cards, and ACH transfers.
Scope
This policy applies to all employees, contractors, and systems involved in the handling, transmission, or processing of payment information for rent collection.
Policy Statement
1. Responsibilities
- Properly Management works exclusively with a PCI DSS-compliant third-party payment processor for all payment transactions.
- Employees must follow the outlined procedures to ensure secure handling and transmission of payment data.
- The IT team is responsible for maintaining the secure connection between our systems and the payment processor's API.
2. Data Handling
- No payment card or account information is stored, processed, or transmitted on Properly Management systems.
- All payment data is transmitted securely to the third-party processor using encryption.
3. Security Measures
- All API requests to the processor are encrypted using industry-standard protocols (e.g., TLS 1.2 or higher).
- Access to the payment processing system is restricted to authorized personnel only.
- Antivirus software and endpoint security measures are deployed on all systems interacting with payment data.
4. Employee Training
- All employees involved in the rent payment process are required to undergo annual PCI DSS training.
- Employees must report any suspicious activities or potential security incidents to the IT department immediately.
5. Incident Response
- In the event of a data breach or suspected security issue, the IT department must follow the Incident Response Plan to mitigate risks and report the issue to the payment processor.
- The Compliance Officer is responsible for notifying affected parties and regulatory authorities as required.
6. Vendor Compliance
- The payment processor is required to provide an annual PCI DSS compliance certificate to ensure ongoing adherence to standards.
- Regular reviews of third-party agreements will ensure compliance with PCI DSS requirements.
7. Regular Testing and Reviews
- Vulnerability scans will be performed quarterly to ensure secure API connections.
- Internal audits of PCI compliance policies and practices will occur annually to identify and resolve any gaps.
8. Physical Security
- Access to workstations and systems handling payment data is restricted to authorized personnel.
- Employees must log off or lock their computers when leaving their workstations.
9. Record Keeping
- Records of PCI compliance, training, and vulnerability scans will be retained for at least one year.
- Documentation of compliance efforts will be made available upon request for PCI DSS audits.
Enforcement
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment.
Policy Review
This policy will be reviewed annually and updated as needed to reflect changes in PCI DSS requirements or the company’s operational environment.