PCI Compliance – Handling Credit Cards

End User Guide for Safe and Compliant Credit Card Handling

1. General Handling

Should Do

  • Verify the cardholder’s presence before processing payments.
  • Use only approved, PCI-compliant systems (POS, PMS, payment gateways).
  • Mask credit card numbers on receipts (first 6 and last 4 digits only).
  • Report suspicious transactions immediately to management or compliance.

Should Not Do

  • Do not write down or store full credit card numbers on paper or files.
  • Do not email, text, or chat credit card details.
  • Do not process payments on personal or unauthorized devices.

2. Storage of Cardholder Data

Should Do

  • Store only the minimum card data needed for business/legal reasons.
  • Encrypt all stored cardholder data using strong encryption (AES-256 or better).
  • Restrict access to cardholder data to staff with a clear business need.

Should Not Do

  • Do not store CVV/CVC codes, PINs, or magnetic stripe data.
  • Do not keep expired or unnecessary card data beyond retention policy.
  • Do not leave cardholder data in spreadsheets, notes, or support tickets.
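The masking rule in section 1 (show at most the first 6 and last 4 digits) and the "no card numbers in spreadsheets, notes, or support tickets" rule above are both easier to enforce with a small scanner. The following Python is an added example, not part of this guide or any PCI DSS tool: it finds Luhn-valid card-number candidates in free text and rewrites them in the masked form. The ticket text is constructed for the example, and 4111 1111 1111 1111 is a widely published test number, not a real card.

```python
import re

# Constructed sample support-ticket note. It contains one real-looking PAN
# (the public Visa test number) and a 13-digit order reference that is NOT a
# card number; the Luhn check is what keeps the scanner from flagging it.
SAMPLE_TICKET = (
    "Customer called about order 20240917. Card 4111 1111 1111 1111 declined, "
    "ref 1234567890123 is the order number, not a card."
)

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits (the PCI DSS display limit), mask the rest."""
    if len(digits) < 13:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, digits only, in order."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def repl(m):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    print(find_pans(SAMPLE_TICKET))
    print(redact(SAMPLE_TICKET))
```

Running this over exported ticket or spreadsheet text gives a quick check that no full card numbers were left behind; the Luhn filter removes most false positives (order numbers, phone numbers) while still catching numbers typed with spaces or hyphens.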

3. Transmission of Cardholder Data

Should Do

  • Use TLS 1.2+ for all card data transmission.
  • Confirm third-party processors are PCI DSS compliant.
  • Use secure VPN channels if transmitting card data remotely.

Should Not Do

  • Do not transmit card data over email, chat apps, or SMS.
  • Do not use public Wi-Fi to process or transmit card data.

4. Access & Authentication

Should Do

  • Require unique user IDs and strong passwords for all staff.
  • Use multi-factor authentication on systems handling card data.
  • Revoke access immediately when employees leave the company.

Should Not Do

  • Do not share usernames or passwords between staff.
  • Do not use vendor default credentials.
  • Do not use generic/shared accounts for handling card data.

5. Physical Security

Should Do

  • Restrict access to payment terminals and cardholder data storage areas.
  • Lock offices, cabinets, or safes containing cardholder records.
  • Shred or destroy paper records immediately after use.

Should Not Do

  • Do not leave cardholder data visible on desks, printers, or whiteboards.
  • Do not allow unauthorized visitors into secure areas.

6. Monitoring & Reporting

Should Do

  • Review security logs regularly for unusual activity.
  • Run quarterly vulnerability scans and annual penetration tests.
  • Provide annual PCI compliance training to all staff.

Should Not Do

  • Do not ignore alerts, failed logins, or suspicious behavior.
  • Do not delay system updates or patches.
  • Do not assume “IT will handle everything” — compliance is everyone’s job.

✅ Quick User Checklist

  • Encrypt and mask cardholder data.
  • Limit access to authorized staff only.
  • Never store CVV, PIN, or track data.
  • Do not email or text card numbers.
  • Shred paper records containing cardholder data.
  • Report incidents to IT/security immediately.

Article Details

Article ID: 5