Credit Card Security Policy

Collection, Storage and Destruction of Credit Card Details Policy

Policy Statement

Courses Direct values the privacy of credit card information and is committed to protecting the credit card details it holds and uses.

This policy outlines how Courses Direct intends to collect, store and destroy credit card details.

Principles

The policy is based on the following principles:

• Courses Direct must take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure.
• It is a necessary condition for Courses Direct to provide credit card facilities to individuals for the payment of services and goods provided by Courses Direct.

Broad Overview

Courses Direct may consider the following matters when adopting reasonable steps to protect the credit card information it holds:

• The sensitivity of credit card details and an individual's expectations that this information will be protected from misuse and loss and from unauthorised access, modifications and disclosure;
• The harm likely to result if there is a breach of security; and
• The form in which the information is stored (e.g. on paper or electronically) processed and transmitted.

Application

All Courses Direct staff.

Operative Date

Operative from 21 September 2009

1.0 Application of Policy

This policy is designed to deal with situations where a person provides details of their credit card to Courses Direct. The policy is also designed to ensure that Courses Direct will store and destroy credit card details in a manner which protects the credit card details from:

• misuse;
• loss;
• unauthorised access;
• unauthorised modification; and
• unauthorised disclosure.

2.0 Collection of Credit Card Details

Courses Direct is committed to ensuring that credit card details are collected in a secure manner. Courses Direct will take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure during collection by adopting the following practices:

• preventing individuals from providing credit card details in an email;
• ensuring that where credit card details are collected on-line, encryption in accordance with the company's IT Security Policy and IT Security Framework is included within the on-line web page, databases and other supporting programs;
• only collecting credit card details in an appropriate environment, for example not requesting credit card details verbally in a public waiting room; and
• ensuring that when credit card details are collected via facsimile, the facsimile is placed in a secure location.

3.0 Storage of Credit Card Details

3.1 Courses Direct is committed to ensuring that credit card details are held securely. Courses Direct will take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure by adopting the following practices:

• ensuring that credit card details are stored in a secure and protected manner such as locked filing cabinets;
• where possible, removing any credit card details from Courses Direct networked computers;
• ensuring that EFPTOS machines and other devices used to collect credit card details are stored securely, particularly when they are not in use (e.g. overnight);
• ensuring that appropriate staff only have access to credit card details; and
• ensuring information is transferred securely (for example, not transmitting credit card details via e-mail).

3.2 Credit card details may be stored in hard copy documents. If credit card details are stored as electronic data appropriate security measures must be utilised in accordance with the compay's IT Security Policy and IT Security Framework. Some of the ways Courses Direct seeks to protect credit card details include the following:

• confidentiality requirements on the use of information by Courses Direct employees;
• policies on document storage and security;
• security measures for access to the Courses Direct computer systems;
• controlling access to the Courses Direct premises;
• web site protection measures.

3.3 Credit Card details are required to be stored onsite or in an easily accessible location for 12 months for charge back purposes. After 12 months, credit card details may be moved offsite providing the credit card details are stored in a secure location.

3.4 Credit card details must be stored for the length of time prescribed by the Records Disposal Authority.

4.0 Destruction of Credit Card Details

Credit card details will be destroyed in a secure manner when they are no longer needed by Courses Direct. Examples of destruction in a secure manner include shredding, pulping or disintegration of paper files, fire , encryption or scrubbing of credit card number or contracting an authorised disposal company for secure disposal.

5.0 For Further Information

For further information about this policy please contact us.