Privacy policy.

PCI DSS Compliance & Commercial Contact Policy

1. Purpose

To establish and enforce security standards that protect cardholder data in compliance with the Payment Card Industry Data Security Standard (PCI DSS), and to regulate the use of commercial messaging (text/SMS, email, chat) so that communication with customers is legal, ethical, and secure.

2. Scope

This policy applies to all employees, contractors, and vendors involved in the handling of cardholder data and/or customer communications, including but not limited to SMS, email, messaging apps, and customer support platforms.

3. PCI DSS Security Policy

3.1 Protect Cardholder Data

  • Do not send or request payment card data (full PAN (primary account number), CVV/CVC, expiration date, etc.) via text, email, chat, or any other messaging platform.

  • Encrypt cardholder data in transit using strong cryptography (for example, TLS 1.2 or later); never send it in clear text over open or public networks, including email, SMS, and chat.

  • Store cardholder data only when there is a documented business need, and render the PAN unreadable wherever it is stored (strong encryption, truncation, or tokenization). Sensitive authentication data (full track data, CVV/CVC, PIN) must never be stored after authorization, even in encrypted form.

3.2 Network and Access Control

  • Run all card-processing systems on secured, monitored network segments that are isolated from other networks by firewalls.

  • Access to cardholder data is restricted to authorized personnel on a need-to-know basis, using individual (never shared) user accounts.

  • Multi-factor authentication (MFA) is required for all access to card-processing platforms, including remote and administrative access.

3.3 Logging and Monitoring

  • All access to systems that store, process, or transmit cardholder data must be logged, including the user, the action taken, the date and time, and whether the action succeeded or failed.

  • Logs must be retained for at least 12 months, with the most recent three months immediately available for analysis, and reviewed at least daily for security events.

4. Commercial Messaging & Texting Policy

4.1 Consent and Compliance

  • All outbound commercial messaging (SMS or email) must be compliant with relevant regulations, including:

    • TCPA (U.S. Telephone Consumer Protection Act)

    • CAN-SPAM Act

    • GDPR/Privacy laws (where applicable)

  • Express written opt-in consent must be obtained and recorded before sending marketing messages.

  • Customers must be able to opt out at any time (for example, “Text STOP to unsubscribe”), and opt-out requests must be honored promptly.

4.2 Content Restrictions

  • No cardholder data (full PAN, CVV, expiration date) may be sent via messaging channels.

  • Messaging must not mislead, coerce, or falsely advertise.

  • Do not use shortened, obscured, or misleading links, or abbreviations that could make a message look deceptive or like a phishing attempt.

4.3 Usage Guidelines

  • Use approved platforms (e.g., Twilio, WhatsApp Business, or company CRM systems).

  • Maintain an up-to-date contact preference database.

  • Limit messaging hours (e.g., no texts before 8 a.m. or after 9 p.m. in the recipient's local time).

4.4 Data Retention and Privacy

  • Do not retain message content longer than necessary.

  • Use only messaging platforms that have been reviewed against applicable data privacy and security requirements and are covered by a written agreement with the vendor.

  • Backups of communication logs must be encrypted and access-controlled.

5. Incident Response

  • If unauthorized access to messaging platforms or cardholder data occurs, follow the organization's Incident Response Plan immediately.

  • Notify the acquiring bank, the affected card brands, and regulatory authorities as required by PCI DSS and applicable law.

6. Training and Acknowledgment

  • Employees must undergo annual training on PCI DSS and responsible messaging practices.

  • All staff must read and sign this policy as part of onboarding.

7. Policy Review

This policy must be reviewed and updated annually or upon changes in regulation or business processes.

Last Reviewed: July 2025