The Kentucky Association of Mortgage Professionals (KAMP) follows the Credit Card Processing Security Standards (PCI DSS) as required. The following is the procedure we follow in our association for credit card processing and storage.

1) Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
   o KAMP handles only card-not-present (e-commerce or mail/telephone-order) transactions;
   o KAMP does not store, process, or transmit any cardholder data on its premises, but relies entirely on a third party to handle these functions;
   o KAMP has confirmed that the third party handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant.
Access Control Measures

Requirement 9: Restrict physical access to cardholder data

9.6 Are all paper and electronic media that contain cardholder data physically secure? YES
    (Such media includes computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes.)
9.7 (a) Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? YES
    (b) Do controls include the following:
    9.7.1 Is the media classified so it can be identified as confidential? YES
    9.7.2 Is the media sent by secured courier or other delivery method that can be accurately tracked? YES
9.8 Are processes and procedures in place to ensure management approval is obtained prior to moving any and all media from a secured area (especially when media is distributed to individuals)? YES
9.9 Is strict control maintained over the storage and accessibility of media that contains cardholder data? YES
9.10 Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons? YES
     Destruction should be as follows:
     9.10.1 Are hardcopy materials cross-cut shredded, incinerated, or pulped? YES

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for employees and contractors

12.8 Contractually, are the following required if cardholder data is shared with service providers? YES
     12.8.1 That service providers must adhere to the PCI DSS requirements? YES
     12.8.2 An agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses? YES
Kentucky Association of Mortgage Professionals • P.O. Box 1641 • Owensboro, KY 42302 PH 270-929-2836 • FX 270-574-0005 • kmba@roadrunner.com