Register now. Already a member? Login.
- Flights
- Hotels
- Itinerary Builder
- Round Trip
- One Way
- Multi-City
Information on Travel Insurance
Policies
Air Policies
1. Getting a Quote
2. Booking
4. Getting Your Tickets
Rates quoted are Cash discounted and NET. They are not commissionable. Credit cards are accepted at the regular net rate which is 3.5% higher, plus whatever commission you wish to earn from the sale. Taxes are additional and are only estimates. Actual taxes will be determined at the time of booking. Additional information may include booking class, routing, minimum/maximum stay, flight restrictions and delivery fees. All rates are subject to change until booked.
indemnity agreement form
indemnity agreement form
2. Booking
You'll need the passport spelling of the passenger's name. We will file your agency information under your ARC number.
If your agency isn't ARC approved yet, special arrangements can be made. We will hold a reservation tentatively for up
to 7(seven) days. You'll be advised of the due date when you book. We fax the itinerary every time you book and every
time you change the booking.
It is imperative that you review the fax for accuracy.
3. GuaranteeingIt is imperative that you review the fax for accuracy.
You must call to guarantee. Your booking will auto-cancel if you don't guarantee it by the due date. Just call reservations
and give us authorization for Direct Payment* or a credit card number. For credit card sales, you will need the
cardholder's billing address and signature or SOF, and the amount you want to charge for the sale. When a foreign or
third party credit card is used, you will need to fax a copy of the card (front and back) along with a copy of that
cardholder's driver's license and signature. The commission check will be mailed out within two weeks. Agency checks
are also accepted, but they must be received by the next business day following your guarantee. Change/Cancel penalties
apply at this time.
*What is Direct Payment?
It's the same as writing a check, but much more convenient. No more information about your account is released than when you write a check. Fill out the form and fax it in. That's it!
direct payment form
*What is Direct Payment?
It's the same as writing a check, but much more convenient. No more information about your account is released than when you write a check. Fill out the form and fax it in. That's it!
direct payment form
4. Getting Your Tickets
For credits cards, fill out the credit card information at the top of our itinerary and fax it back to us. Or, fax in the Direct Payment form to authorize an electronic debit from your account. Faxed forms must be received within 24 hours of guarantee or your booking may be cancelled.
Tickets are sent via regular mail if payment is received at least 8 days before departure. Exception: Checks for over $1500 must clear bank before tickets will be sent. For close-in departures we can:
Important: You or your client must reconfirm flights with the airline 72 hours before departure each way.
Tickets are sent via regular mail if payment is received at least 8 days before departure. Exception: Checks for over $1500 must clear bank before tickets will be sent. For close-in departures we can:
a) Federal Express for a $15 fee ($25 for Saturday delivery),
b) Charge the overnight delivery to your account number,
c) Deliver the tickets to Teleticket for a $10 fee (MSP departures only)
d) Issue an E ticket for some airlines.
b) Charge the overnight delivery to your account number,
c) Deliver the tickets to Teleticket for a $10 fee (MSP departures only)
d) Issue an E ticket for some airlines.
Hotel Policies
Hotel Booking Policies
The following terms will be referred to throughout this document. “We”, “us”, “our”, “Casa Travel” refer to Casa Travel, Inc. and/or our partners and subsidiaries. The terms “you”, “your”, “agent”, “customer”, “I” refer to the Sub-Agent who is booking a hotel reservation on this Website. The term “guest” refers to the person who will be utilizing the hotel room accommodations.
All hotel bookings made with Casa Travel, Inc. are governed by these Policies. A contract between your agency and us shall come into existence when we (a) issue a booking ID; (b) issue a booking confirmation online or by email; (c) receive payment on established pre-payment terms.
We offer pre-negotiated hotel rates which include taxes. All prices are displayed in USD. The price listed on the booking confirmation will supersede any price listed on Casaagents.com or quoted over the telephone. Services included in the price may be accessed via the “services” link within each hotel property description. Any additional services not included with the hotel room must be paid directly to the hotel or supplier by the guest. Additional services may include, but are not limited to, extended stay, telephone usage, room service, restaurant charges, tips, linens, transportation, and other amenities.
You may hold most hotel properties up to a week after the date you booked, provided the last purchase date does not qualify for penalties. In some cases you may need to purchase a hotel booking instantly. To avoid this, we recommend making the hotel bookings at least 11 days prior to check-in. You will be notified at the time of booking if the reservation is an instant purchase or of the last purchase date for the reservation. If a hotel reservation is not purchased by the deadline stipulated at the time of booking, the reservation will be automatically cancelled by us.
A confirmation email will be sent to the email address given at the time of booking. It is the responsibility of the agent making the booking to verify that all information is correct. Any changes or modification to the reservation may be subject to a change fee or may become completely unavailable. There will be no name changes allowed once a reservation has been made.
We will always try to book the first hotel requested. If the requested property is not available you will be notified via email and you will have the option to make a new booking if you so choose. In extreme circumstances we may be forced to cancel your booking, in which case you will be notified as soon as possible of this change and a full and prompt refund will be made.
Any special requests will be sent to the hotel, but can not be guaranteed. Separate beds are not guaranteed, but may be requested at the time of booking the hotel room. Some hotels may provide a Twin room that consists of one single bed and one sofa bed. A German Double room will consist of two attached single beds side by side. Triple and Quad rooms generally consist of two double beds and twin or double bed(s) plus extra bed. Most hotels will not offer one full size bed per guest.
Upon purchasing the reservation with credit card or DPA, you authorize us to process payment for your hotel reservation that day. If the booking is paid by a credit card, commission payments will be payable 10 business days following guest check-in and payable to the agency name given at the time of booking. Applied payments pertain to that booking only. Once you have purchased the hotel reservation, you will be under any applicable penalties to cancel or change the reservation.
Requests for cancellation must be made via the web site. We will refund those bookings which have been paid for in full provided the booking is eligible for a refund in accordance with the cancellation or change rules provided at the time of booking. Cancellation fees will apply based on the check-in date at each hotel. If the hotel booking is cancelled within 1 day of check-in or the guest is a No Show, no refund will be given. If the hotel booking is cancelled 2-3 days prior to check-in, a minimum charge of a one night stay will apply. If the booking is cancelled more than 3 days prior to check-in there will be no charge and a full refund will be given provided there are no other charges assessed by the hotel. All cancellation rules are subject to change based on the specific rules given by each hotel property at the time of booking.
Requests for changes or modification to the hotel booking may require a fee if assessed by the hotel. You will be notified of the amount at the time of making the change. If the guest does not arrive at the hotel on the date they were booked or leaves early, they will not be eligible for a refund based on a shorter stay.
Occasionally, a hotel is unable to honor/fulfill a confirmed booking. In such case, the hotel will seek to provide a suitable alternative accommodation of the same standard and in the same location of the original purchase.
IMPORTANT: You will be able to access an electronic voucher once the hotel booking has been purchased. It is your responsibility to provide the necessary voucher for each hotel property to the guest(s). Each property must be presented with the appropriate voucher upon check-in by the guest. Failure to provide the hotel property with the voucher may result in the guest being denied service by the hotel property. When a reservation is cancelled after purchase, all previous vouchers become null and void.
Bookings made for trade fair and special event periods may be under special booking conditions. You will be advised of these conditions when you read the applicable rules on your reservation confirmation.
The star ratings are used to categorize the overall quality and level of services and amenities offered by the hotel property. The ratings are established by the relevant issuing body of each country. Some countries may not use an official categorization for hotels.
Country specific Information:
North America hotels will only accept guests under 21 years old when they are accompanied by an adult 21 years of age or older. Tourists in Russia must pay a tourist tax upon arriving at their first hotel in Russia. Ryokans are traditional Japanese and are based on traditional architecture and culture.
The following rating system is a reference guide only. It does not have the same standards as the star ratings used by the country issuing body. The information list below is a guide and is not warranted or guaranteed by us. The Quality Level is an overall quality level of the property.
Rating 1: Quality Level - Acceptable. Adequate provision on furniture, furnishings and fittings.
Rating 2: Quality Level - Good. Good standard of furnishings, service and guest care.
Rating 3: Quality Level – Good to Very Good. Good standard of maintenance and decorations. Ample space and furniture.
Rating 4: Quality Level – Excellent. Very good care and attention to detail will be obvious throughout the property.
Rating 5: Quality Level – Exceptional. Property has high levels of décor, fixtures and fittings, efficient management and guest service staff, and excellent range of accessories and personal touch.
The following is a guide for the different room types. For a detailed description of the specific room type offered by a hotel property, please refer to the search page on the web site.
Twin room (sleeps 2): Contains two beds. Suitable for two people.
Double room (sleeps 2): Contains one double bed. Suitable for two people.
Single room (sleeps 1): Contains one single bed. Suitable for one person.
Triple room (sleeps 3): Contains either three single beds, a double bed and one single bed, or 2 double beds in a room. Please note that many hotels do not have one full size bed for each guest in their triple rooms and one of the beds provided may be a rollaway or pullout.
Quad room (sleeps 4): Contains either two double beds, one double plus two single beds or four single beds in a room.
Cot/cradle or crib: Cot/cradle or crib suitable for a child under the age of two years.
We are only a facilitator to the hotel reservation process. Product information listed on our website is based on the information collected from suppliers and hotels worldwide. We do not recommend or endorse any particular hotel. The content of this site is published in good faith. You acknowledge that we, the booking facilitator, cannot check the accuracy of all information provided by our suppliers. We do not accept any liability for errors or omissions of hotel services on this web site. Any complaints should be reported to the hotel or service supplier directly. We will not be responsible for any problems that could have been rectified during the traveler’s stay at the hotel property.
Under no circumstances will we be liable for any direct, indirect or consequential loss or damages. These circumstances may include but not be limited to: acts of God, outbreak of riot, civil disturbances, hotel construction, etc.
We are not liable for personal injury, illness, property damage or loss of expense of any form during a guest’s stay at a hotel property. We shall not be liable for and will be indemnified by you in respect of any direct or indirect loss by a third party claim. Guests must comply fully with any regulations and rules set by the hotel property. Any damage done to the hotel property will be the responsibility of the guest. Any charges associated with the damage must be paid directly to the hotel upon the guest’s departure.
For credit card sales, an indemnification form must be on file with us. You indemnify us from loss for credit card fraud and unauthorized use related to credit card purchases authorized by you. You will need the cardholder’s name, billing address and signature or SOF, the amount you want to charge for the sale, and the security code for the credit card. When a third party credit card is used, you will need to fax a copy of the card (front and back) along with a copy of that cardholder’s driver’s license and signature. We reserve the right to deny any credit card purchase that is suspicious to our credit card fraud detection and processing department.
We reserve the right to change these booking policies from time to time. I have read, understand, and agree to all of Casa Travel, Inc.’s terms, conditions, and policies. I acknowledge that further policies may apply pertaining to the specific property I book and I will refer to the hotel’s terms, conditions and policies for complete details.
The following terms will be referred to throughout this document. “We”, “us”, “our”, “Casa Travel” refer to Casa Travel, Inc. and/or our partners and subsidiaries. The terms “you”, “your”, “agent”, “customer”, “I” refer to the Sub-Agent who is booking a hotel reservation on this Website. The term “guest” refers to the person who will be utilizing the hotel room accommodations.
All hotel bookings made with Casa Travel, Inc. are governed by these Policies. A contract between your agency and us shall come into existence when we (a) issue a booking ID; (b) issue a booking confirmation online or by email; (c) receive payment on established pre-payment terms.
We offer pre-negotiated hotel rates which include taxes. All prices are displayed in USD. The price listed on the booking confirmation will supersede any price listed on Casaagents.com or quoted over the telephone. Services included in the price may be accessed via the “services” link within each hotel property description. Any additional services not included with the hotel room must be paid directly to the hotel or supplier by the guest. Additional services may include, but are not limited to, extended stay, telephone usage, room service, restaurant charges, tips, linens, transportation, and other amenities.
You may hold most hotel properties up to a week after the date you booked, provided the last purchase date does not qualify for penalties. In some cases you may need to purchase a hotel booking instantly. To avoid this, we recommend making the hotel bookings at least 11 days prior to check-in. You will be notified at the time of booking if the reservation is an instant purchase or of the last purchase date for the reservation. If a hotel reservation is not purchased by the deadline stipulated at the time of booking, the reservation will be automatically cancelled by us.
A confirmation email will be sent to the email address given at the time of booking. It is the responsibility of the agent making the booking to verify that all information is correct. Any changes or modification to the reservation may be subject to a change fee or may become completely unavailable. There will be no name changes allowed once a reservation has been made.
We will always try to book the first hotel requested. If the requested property is not available you will be notified via email and you will have the option to make a new booking if you so choose. In extreme circumstances we may be forced to cancel your booking, in which case you will be notified as soon as possible of this change and a full and prompt refund will be made.
Any special requests will be sent to the hotel, but can not be guaranteed. Separate beds are not guaranteed, but may be requested at the time of booking the hotel room. Some hotels may provide a Twin room that consists of one single bed and one sofa bed. A German Double room will consist of two attached single beds side by side. Triple and Quad rooms generally consist of two double beds and twin or double bed(s) plus extra bed. Most hotels will not offer one full size bed per guest.
Upon purchasing the reservation with credit card or DPA, you authorize us to process payment for your hotel reservation that day. If the booking is paid by a credit card, commission payments will be payable 10 business days following guest check-in and payable to the agency name given at the time of booking. Applied payments pertain to that booking only. Once you have purchased the hotel reservation, you will be under any applicable penalties to cancel or change the reservation.
Requests for cancellation must be made via the web site. We will refund those bookings which have been paid for in full provided the booking is eligible for a refund in accordance with the cancellation or change rules provided at the time of booking. Cancellation fees will apply based on the check-in date at each hotel. If the hotel booking is cancelled within 1 day of check-in or the guest is a No Show, no refund will be given. If the hotel booking is cancelled 2-3 days prior to check-in, a minimum charge of a one night stay will apply. If the booking is cancelled more than 3 days prior to check-in there will be no charge and a full refund will be given provided there are no other charges assessed by the hotel. All cancellation rules are subject to change based on the specific rules given by each hotel property at the time of booking.
Requests for changes or modification to the hotel booking may require a fee if assessed by the hotel. You will be notified of the amount at the time of making the change. If the guest does not arrive at the hotel on the date they were booked or leaves early, they will not be eligible for a refund based on a shorter stay.
Occasionally, a hotel is unable to honor/fulfill a confirmed booking. In such case, the hotel will seek to provide a suitable alternative accommodation of the same standard and in the same location of the original purchase.
IMPORTANT: You will be able to access an electronic voucher once the hotel booking has been purchased. It is your responsibility to provide the necessary voucher for each hotel property to the guest(s). Each property must be presented with the appropriate voucher upon check-in by the guest. Failure to provide the hotel property with the voucher may result in the guest being denied service by the hotel property. When a reservation is cancelled after purchase, all previous vouchers become null and void.
Bookings made for trade fair and special event periods may be under special booking conditions. You will be advised of these conditions when you read the applicable rules on your reservation confirmation.
The star ratings are used to categorize the overall quality and level of services and amenities offered by the hotel property. The ratings are established by the relevant issuing body of each country. Some countries may not use an official categorization for hotels.
Country specific Information:
North America hotels will only accept guests under 21 years old when they are accompanied by an adult 21 years of age or older. Tourists in Russia must pay a tourist tax upon arriving at their first hotel in Russia. Ryokans are traditional Japanese and are based on traditional architecture and culture.
The following rating system is a reference guide only. It does not have the same standards as the star ratings used by the country issuing body. The information list below is a guide and is not warranted or guaranteed by us. The Quality Level is an overall quality level of the property.
Rating 1: Quality Level - Acceptable. Adequate provision on furniture, furnishings and fittings.
Rating 2: Quality Level - Good. Good standard of furnishings, service and guest care.
Rating 3: Quality Level – Good to Very Good. Good standard of maintenance and decorations. Ample space and furniture.
Rating 4: Quality Level – Excellent. Very good care and attention to detail will be obvious throughout the property.
Rating 5: Quality Level – Exceptional. Property has high levels of décor, fixtures and fittings, efficient management and guest service staff, and excellent range of accessories and personal touch.
The following is a guide for the different room types. For a detailed description of the specific room type offered by a hotel property, please refer to the search page on the web site.
Twin room (sleeps 2): Contains two beds. Suitable for two people.
Double room (sleeps 2): Contains one double bed. Suitable for two people.
Single room (sleeps 1): Contains one single bed. Suitable for one person.
Triple room (sleeps 3): Contains either three single beds, a double bed and one single bed, or 2 double beds in a room. Please note that many hotels do not have one full size bed for each guest in their triple rooms and one of the beds provided may be a rollaway or pullout.
Quad room (sleeps 4): Contains either two double beds, one double plus two single beds or four single beds in a room.
Cot/cradle or crib: Cot/cradle or crib suitable for a child under the age of two years.
We are only a facilitator to the hotel reservation process. Product information listed on our website is based on the information collected from suppliers and hotels worldwide. We do not recommend or endorse any particular hotel. The content of this site is published in good faith. You acknowledge that we, the booking facilitator, cannot check the accuracy of all information provided by our suppliers. We do not accept any liability for errors or omissions of hotel services on this web site. Any complaints should be reported to the hotel or service supplier directly. We will not be responsible for any problems that could have been rectified during the traveler’s stay at the hotel property.
Under no circumstances will we be liable for any direct, indirect or consequential loss or damages. These circumstances may include but not be limited to: acts of God, outbreak of riot, civil disturbances, hotel construction, etc.
We are not liable for personal injury, illness, property damage or loss of expense of any form during a guest’s stay at a hotel property. We shall not be liable for and will be indemnified by you in respect of any direct or indirect loss by a third party claim. Guests must comply fully with any regulations and rules set by the hotel property. Any damage done to the hotel property will be the responsibility of the guest. Any charges associated with the damage must be paid directly to the hotel upon the guest’s departure.
For credit card sales, an indemnification form must be on file with us. You indemnify us from loss for credit card fraud and unauthorized use related to credit card purchases authorized by you. You will need the cardholder’s name, billing address and signature or SOF, the amount you want to charge for the sale, and the security code for the credit card. When a third party credit card is used, you will need to fax a copy of the card (front and back) along with a copy of that cardholder’s driver’s license and signature. We reserve the right to deny any credit card purchase that is suspicious to our credit card fraud detection and processing department.
We reserve the right to change these booking policies from time to time. I have read, understand, and agree to all of Casa Travel, Inc.’s terms, conditions, and policies. I acknowledge that further policies may apply pertaining to the specific property I book and I will refer to the hotel’s terms, conditions and policies for complete details.
PCI DSS Policies
PCI DSS POLICY
Payment Card Industry - Data Security Standard Policy
I.PURPOSE
The purpose of this policy is to establish guidelines for processing charges on Credit Cards to protect against possible theft of credit card account and personal cardholder information that has been provided to our Company, and to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. The Company will adhere to PCI DSS standards in order to protect its customers, limit its liability and continue processing credit card payments.
II.SCOPE
This policy applies to ALL company departments, employees (working on-site and off-site), as well as independent contractors and/or apprentices/volunteers. This policy applies to any party that processes, transmits or handles cardholder information in a physical or electronic format. All computers and electronic devices involved in processing payment card data are governed by PCI DSS. This includes servers, computers, workstations & terminals that process, transmit or store credit card information.
III.POLICY
Any internal or external parties involved with the acceptance and processing of credit cards must ensure that PCI DSS compliance is maintained. To meet the Payment Card Industry requirements, the following will be strictly enforced:
General Requirements
A.Access to resources and Cardholder Data should be limited to only those individuals whose job requires such access.
B.Any job position that requires access to stored Cardholder Data will be considered security sensitive. Criminal and credit background checks must be performed for any person prior to assignment of duties that includes access to stored Cardholder Data. NOTE: As we transition into the adherence of this policy, the Company may initiate such checks on personnel who are presently performing the job duties newly defined as “security sensitive.”
C.Personnel involved in credit card processing in one of the following categories must attend credit card security training every year. Has access to cardholder data. Handles credit card payments or refunds as part of their regular job duties. Personnel who handle credit card payments on a one time or temporary basis are recommended to attend training but not required.
D.Any person processing credit card information must agree not to disclose or acquire any information concerning a cardholder’s credit card account without the cardholder’s consent.
E.Credit card numbers should never be stored on a personal computer or left unsecured on a desktop.
F.Credit card numbers should never be transmitted via unencrypted email or any other unsecured transmission method—including unified messaging.
G.A self-assessment questionnaire will be completed annually by the merchant.
H.Appropriate segregation of duties between credit card processing (sales and refunds) and the reconciliation function must be maintained.
In-Office Processing Requirements
If credit card data is received via a “secured” fax machine or via the mail, the hard copy that contains credit card data will be subject to the following requirements. Note: If the transaction is subsequently processed using a terminal or the Web, it will also be subject to those requirements.
A. Physical cardholder information must be locked in a secured area, and limited to only those individuals that require access to that data. In addition, access should be restricted to data on a “need to know” basis.
B.Credit Card transactions should be processed in accordance to Company guidelines and the credit card number should be red-noted to include no more than the last four digits. In addition, any Sensitive Cardholder Data should be masked.
C.Stored credit card information will be retained according to the Company retention policy so long as there is a business and/or legal purpose.
D.The following procedures shall be followed for masking credit card information when no longer required:
Blackout credit card number except last four digits and any Sensitive Cardholder Data
Cross-cut shred the original immediately (and not later than same day. If this option is utilized the credit card data shall be secured until shredding occurs).
Retain, if necessary, hard copy of document with unreadable credit card information.
General Credit Card Processing Requirements
A. Cardholder data should not be stored on the PC terminal.
B.Do not print the entire credit card number on either the hard copy or customer copy of any receipts.
C.All terminals must be PCI DSS compliant.
D.Notify the EVP of Operations about any technology changes affecting transaction processing.
Web Payment Processing & Electronic Storage Requirements
A.Approval by the Leader/PCI DSS Task Force or the Company’s EVP of Operations is required before entering into any contracts or before purchasing software and/or equipment that processes, transmits or stores credit card data
B.Sensitive Cardholder Data should not be stored
C.Third party payments should align with PABP or PA DSS approval.
D.Each merchant is responsible for assigning someone to administer the control of log-in privileges, limit software access to secure methods, delete or revoke access to software for terminated employees. Vendor-supplied defaults for system passwords should not be used.
E.Merchant will notify the Leader/PCI DSS Task Force and the EVP/Operations regarding any technology changes affecting transaction processing.
F.Network vulnerability scans shall be performed on machines/devices that are involved in the processing of credit/debit cards on a least a quarterly basis and after any significant change in the network.
IV.SANCTIONS
Merchants not complying with this policy may lose the privilege to accept credit card payments. Additionally, fines may be imposed by the affected credit card company. Persons in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary actions, suspension, termination of employment and legal action. Some violations may constitute criminal offenses under local, state and federal laws. The Company will carry out its responsibility to report such violations to the appropriate authorities.
V.DEFINITIONS & RESOURCES
A. Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is the result of collaboration between the four major credit card brands to develop a single approach to safeguarding sensitive data. PCI DSS defines a series of best practices for handling, transmitting and storing sensitive data.
B.Cardholder Data: Includes cardholder name, full account number, expiration date, service code, PIN / PIN Block or Card Validation Code (e.g. three-digit or four-digit printed on the front or back of a payment card (CVV2, CVC2 data).
C.Sensitive Cardholder Data: Includes Card Validation Code
D.Merchant: Any person/department/company accepting money for goods or services. Includes fees.
E.Credit Card: Any payment card, including debit cards, which is issued by one of the major credit card associations (e.g. Visa, MasterCard, Discover, American Express, et al)
F.PCI DSS Task Force: A committee appointed by the Company to be responsible for full PCI DSS compliance.
G.Payment Application Best Practices (PABP): Program developed by Visa to assist software vendors in creating secure payment applications that are PCI DSS compliant.
A list of all vendors currently PABP compliant can be found on Visa’s website.
H.Payment Application Data Security Standard (PA DSS): Program managed by the Payment Card Industry Security Standards Council (PCI SSC) formerly managed by Visa and known as PABP. PA DSS is a set of standards designed to assist software vendors in developing secure payment applications that comply with PCI DSS requirements. A list of validated payment applications will be listed on the PCI SSC website.
Payment Card Industry - Data Security Standard Policy
I.PURPOSE
The purpose of this policy is to establish guidelines for processing charges on Credit Cards to protect against possible theft of credit card account and personal cardholder information that has been provided to our Company, and to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. The Company will adhere to PCI DSS standards in order to protect its customers, limit its liability and continue processing credit card payments.
II.SCOPE
This policy applies to ALL company departments, employees (working on-site and off-site), as well as independent contractors and/or apprentices/volunteers. This policy applies to any party that processes, transmits or handles cardholder information in a physical or electronic format. All computers and electronic devices involved in processing payment card data are governed by PCI DSS. This includes servers, computers, workstations & terminals that process, transmit or store credit card information.
III.POLICY
Any internal or external parties involved with the acceptance and processing of credit cards must ensure that PCI DSS compliance is maintained. To meet the Payment Card Industry requirements, the following will be strictly enforced:
General Requirements
A.Access to resources and Cardholder Data should be limited to only those individuals whose job requires such access.
B.Any job position that requires access to stored Cardholder Data will be considered security sensitive. Criminal and credit background checks must be performed for any person prior to assignment of duties that includes access to stored Cardholder Data. NOTE: As we transition into the adherence of this policy, the Company may initiate such checks on personnel who are presently performing the job duties newly defined as “security sensitive.”
C.Personnel involved in credit card processing in one of the following categories must attend credit card security training every year. Has access to cardholder data. Handles credit card payments or refunds as part of their regular job duties. Personnel who handle credit card payments on a one time or temporary basis are recommended to attend training but not required.
D.Any person processing credit card information must agree not to disclose or acquire any information concerning a cardholder’s credit card account without the cardholder’s consent.
E.Credit card numbers should never be stored on a personal computer or left unsecured on a desktop.
F.Credit card numbers should never be transmitted via unencrypted email or any other unsecured transmission method—including unified messaging.
G.A self-assessment questionnaire will be completed annually by the merchant.
H.Appropriate segregation of duties between credit card processing (sales and refunds) and the reconciliation function must be maintained.
In-Office Processing Requirements
If credit card data is received via a “secured” fax machine or via the mail, the hard copy that contains credit card data will be subject to the following requirements. Note: If the transaction is subsequently processed using a terminal or the Web, it will also be subject to those requirements.
A. Physical cardholder information must be locked in a secured area, and limited to only those individuals that require access to that data. In addition, access should be restricted to data on a “need to know” basis.
B.Credit Card transactions should be processed in accordance to Company guidelines and the credit card number should be red-noted to include no more than the last four digits. In addition, any Sensitive Cardholder Data should be masked.
C.Stored credit card information will be retained according to the Company retention policy so long as there is a business and/or legal purpose.
D.The following procedures shall be followed for masking credit card information when no longer required:
Blackout credit card number except last four digits and any Sensitive Cardholder Data
Cross-cut shred the original immediately (and not later than same day. If this option is utilized the credit card data shall be secured until shredding occurs).
Retain, if necessary, hard copy of document with unreadable credit card information.
General Credit Card Processing Requirements
A. Cardholder data should not be stored on the PC terminal.
B.Do not print the entire credit card number on either the hard copy or customer copy of any receipts.
C.All terminals must be PCI DSS compliant.
D.Notify the EVP of Operations about any technology changes affecting transaction processing.
Web Payment Processing & Electronic Storage Requirements
A.Approval by the Leader/PCI DSS Task Force or the Company’s EVP of Operations is required before entering into any contracts or before purchasing software and/or equipment that processes, transmits or stores credit card data
B.Sensitive Cardholder Data should not be stored
C.Third party payments should align with PABP or PA DSS approval.
D.Each merchant is responsible for assigning someone to administer the control of log-in privileges, limit software access to secure methods, delete or revoke access to software for terminated employees. Vendor-supplied defaults for system passwords should not be used.
E.Merchant will notify the Leader/PCI DSS Task Force and the EVP/Operations regarding any technology changes affecting transaction processing.
F.Network vulnerability scans shall be performed on machines/devices that are involved in the processing of credit/debit cards on a least a quarterly basis and after any significant change in the network.
IV.SANCTIONS
Merchants not complying with this policy may lose the privilege to accept credit card payments. Additionally, fines may be imposed by the affected credit card company. Persons in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary actions, suspension, termination of employment and legal action. Some violations may constitute criminal offenses under local, state and federal laws. The Company will carry out its responsibility to report such violations to the appropriate authorities.
V.DEFINITIONS & RESOURCES
A. Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is the result of collaboration between the four major credit card brands to develop a single approach to safeguarding sensitive data. PCI DSS defines a series of best practices for handling, transmitting and storing sensitive data.
B.Cardholder Data: Includes cardholder name, full account number, expiration date, service code, PIN / PIN Block or Card Validation Code (e.g. three-digit or four-digit printed on the front or back of a payment card (CVV2, CVC2 data).
C.Sensitive Cardholder Data: Includes Card Validation Code
D.Merchant: Any person/department/company accepting money for goods or services. Includes fees.
E.Credit Card: Any payment card, including debit cards, which is issued by one of the major credit card associations (e.g. Visa, MasterCard, Discover, American Express, et al)
F.PCI DSS Task Force: A committee appointed by the Company to be responsible for full PCI DSS compliance.
G.Payment Application Best Practices (PABP): Program developed by Visa to assist software vendors in creating secure payment applications that are PCI DSS compliant.
A list of all vendors currently PABP compliant can be found on Visa’s website.
H.Payment Application Data Security Standard (PA DSS): Program managed by the Payment Card Industry Security Standards Council (PCI SSC) formerly managed by Visa and known as PABP. PA DSS is a set of standards designed to assist software vendors in developing secure payment applications that comply with PCI DSS requirements. A list of validated payment applications will be listed on the PCI SSC website.
