
Compliance Policy

This policy/procedure is applicable to Welcome Independent Living (WIL) and its employees. 

Welcome Independent Living

PCI DSS compliance policy

Version 1.0
June 2025


THE POLICY 
 
WIL processes thousands of pounds in card payments annually. Application of this policy is critical to maintaining our business operations.  
  
This policy has been drafted and approved in agreement with our compliance management team. It describes the principles of compliance that WELCOME INDEPENDENT LIVING LTD follows and establishes a policy that:  

 

  • facilitates ongoing compliance with the Payment Card Industry Data Security Standards (PCI DSS). 

  • enables WELCOME INDEPENDENT LIVING LTD to continue to have the facility to accept card payments in support of delivering our business. 

  • is appropriate and fit for purpose for the service provision within WELCOME INDEPENDENT LIVING LTD. 

  • endeavours to balance the need for effective governance with agile process.  

  
The PCI policy shall:  

 

  • be documented and available on the WELCOME INDEPENDENT LIVING LTD website for all staff and customers. 

  • be communicated within the organisation. 

  • be managed and maintained effectively in accordance with company process. 

  • be signed off as acknowledged and understood by all staff to whom it applies, on joining WELCOME INDEPENDENT LIVING LTD and then at least annually. 

  • be available to interested parties, as appropriate.   

 
Failure to comply with this policy  
Failure to comply by one part of WELCOME INDEPENDENT LIVING LTD could result in our bank withdrawing permission for the whole of WELCOME INDEPENDENT LIVING LTD to take card payments. Individuals who do not comply with this policy may be subject to disciplinary action.   
    
Detailed procedural requirements are contained in various policy and procedure documents across WELCOME INDEPENDENT LIVING LTD.  The Business and HR Team must give prior approval to any new or proposed change to existing policies, systems, procedures and processes that might affect payments made using payment cards, or our payment gateways, to ensure that the change does not undermine compliance with this standard.   
  
The Business and HR Team is responsible for completing an annual self-assessment for PCI DSS compliance. 
  
When does this policy apply?   
This policy applies to all WELCOME INDEPENDENT LIVING LTD staff, at all times (including the use of personal card details relating to expense claims and corporate credit cards).  It also applies to contractors, subcontractors or temporary staff working on behalf of WELCOME INDEPENDENT LIVING LTD in the delivery of other services.    
    
What is covered by this policy? 
All processes or operations relating to taking, storing, processing and securely destroying data relating to card payments.   
   
Policy Statement  
This policy states WELCOME INDEPENDENT LIVING LTD’s commitment to compliance and good practice with the Payment Card Industry Data Security Standards (PCI DSS).   
 
All staff to whom it applies will read and sign this policy on joining WELCOME INDEPENDENT LIVING LTD and then confirm annually that they will adhere to ongoing compliance with PCI DSS in support of delivering our business objectives.  
  
To implement this statement, all staff should ensure: 
  
We limit the range of IT systems that contain payment card data in order to limit the risk in relation to PCI DSS compliance requirements.  
  

  1. We do not record payment card details (PAN / CVV) in any of our core systems, such as Outlook.   

  2. We do not store any 16-digit card numbers in any documents or files stored on our systems, including personal or company credit card numbers.  

  3. We do not record payment card details from 3rd parties on any documents or files stored on our computers or file servers.   

  4. We use PCI DSS compliant hosted payment services to take card payments for self-service transactions through the web, payments via the secure payment line and payments taken by staff.  

  5. Any providers selected to process payment information must be PCI compliant.   

  6. Access to systems should not be granted to any 3rd party without prior approval from ITD.   


We maintain strong systems controls
   

  1. We comply with the IT Security User Guide (held on the intranet).   

  2. We protect our network and systems in accordance with PCI DSS requirements.   

These include:   

  • Maintaining an effective firewall and router configuration.   

  • Not using vendor supplied defaults for system parameters and other security parameters.   

  • Providing effective data-retention and disposal policies.   

  • Encrypting transmission of card holder data across open, public networks.   

  • Maintaining anti-virus software.  

  • Maintaining secure systems and applications.   

  • Restricting access to card holder data to only staff whose jobs require it.   

  • Ensuring appropriate access controls and monitoring systems are in place.  

  • Assigning a unique ID to each person with computer access.   

  • Regularly testing security systems and processes.   

  • Maintaining an information security policy (held on the intranet).   

  
We restrict the ways that payment card information comes into or out of WELCOME INDEPENDENT LIVING LTD so that we can ensure it is safe.  
  

  1. We do not use email to send or receive any payment card details.  Emails containing payment information are deleted and the sender is advised to make payment by an alternative method. 

  2. We do not use physical mail to send or receive any payment card details. Any unsolicited receipts of card details are securely destroyed and the sender advised to use one of our approved methods. 

  3. We provide approved and PCI DSS compliant means for members and customers to make point-of-sale (POS) payments, online payments and payments via an automated phone line.  

  4. We will not accept images of cards for payments, and do not make use of screenshots, photos, scanned PDFs or any other digitised image in the business that may contain card numbers.    

   
We protect card data within WELCOME INDEPENDENT LIVING LTD as if it were cash.  
  

  1. We never write down the 16-digit PAN code, expiry date or 3-digit security code (or CVV) from a card.   

  2. We do not send card details between WELCOME INDEPENDENT LIVING LTD locations by internal mail or email.   

  3. We operate additional policies in those areas that routinely handle payment cards to restrict the exposure of card information. These include:   

    • No payment card details are written down or repeated when taking payment by telephone.

    • Call recordings are disabled whilst card details are taken so that no card details are captured during this part of the phone transaction.   

    • All PDQ receipts are secured safely and contain only masked card details.

    • Mobile phones and smart devices capable of capturing images, video or audio, or of performing optical character recognition (OCR), are kept out of sight and may not be used in the designated PCI compliant areas.   

  4. We comply with the card payment handset (PDQ) guidelines to protect card data, ensuring our devices are approved and updated as required.   

  5. We limit physical access to any retained card data, e.g., reports from payment platforms contain only the last 4 digits of the card number. We only allow staff who need access for their role to access the data.   

 
We only keep payment card data for as long as necessary for business and legal reasons.  
  

  1. We comply with the WELCOME INDEPENDENT LIVING LTD Document Retention and Destruction policy and destroy documents as soon as they are no longer needed.  

    • We do not retain card payment details once the payment has been processed.   

    • We only retain PDQ merchant copy receipts for as long as necessary. This is defined in the PDQ machine guidelines.   

  2. We comply with the Data Retention policy (held on the intranet) and destroy data as soon as it is no longer needed.  

 
We ensure that our systems, processes and staff are PCI-DSS compliant by:

 

  1. Providing specific training for staff members who handle card payments to ensure they are aware of their roles and responsibilities in respect of protecting card payments and associated data.

  2. Ensuring that our payment processors, POS machine vendors and P2PE vendors are PCI DSS Compliant.

  3. Ensuring that only approved devices are used to take card payments in person.

  4. Ensuring that our website hands off card payment processes to an embedded virtual terminal using PCI-DSS approved systems.

  5. Ensuring that our POS devices and payment systems are upgraded and updated as per vendor guidelines.

  6. Completing an annual PCI-DSS Self-Assessment Questionnaire as required.

  7. Performing a quarterly vulnerability assessment of our infrastructure.

  8. Ensuring that our card data environment (CDE) is segregated from other networks.

  9. Conducting appropriate security reviews of our infrastructure on a regular basis.

  10. Ensuring that overarching governance activities take place on a regular basis to maintain risk assessments and ongoing compliance with PCI-DSS requirements.

 
 
Remote / home working 
 
Remote working brings extra challenges, but these risks can be mitigated by reminding staff of the following: 

 

  1. Any unauthorised copying, moving, sharing, or storing of payment card data in remote environments is prohibited. 

  2. Remote staff should also be aware of their physical surroundings, for example taking care to prevent sensitive information from being viewed by unauthorised persons. 

  3. Beware of potential phishing calls.  Remote staff should know how to confirm that a caller claiming to be from IT Support is legitimate before providing any information. 

  4. Remote workers should be provided with, and only use, company approved hardware devices (e.g. mobile phones, laptops and desktops), as this ensures WELCOME INDEPENDENT LIVING LTD can maintain control of the systems and technology supporting the processing of telephone-based payments. 

  5. Such hardware should: 

    • Have firewalls installed and operational. 
    • Have the latest version of the approved virus protection software. 
    • Have the latest approved security patches installed. 
    • Be configured to prevent users from disabling security controls. 
