Access to the Sensitive Cardholder Data. All access to sensitive cardholder data should be controlled and authorised. Any job functions that require access to cardholder data should be clearly defined.
• Any display of cardholder data should be restricted at a minimum to the first 6 and the last 4 digits of the cardholder data.
• Access to sensitive cardholder information such as PANs, personal information and business data is restricted to employees that have a legitimate need to view such information.
• No other employees should have access to this confidential data unless they have a genuine business need.
• If cardholder data is shared with a Service Provider (3rd party) then a list of such Service Providers will be maintained as detailed in Appendix C.
• Stockport School will ensure that a written agreement is in place that includes an acknowledgement that the Service Provider will be responsible for the cardholder data that the Service Provider possesses.
• Stockport School will ensure that there is an established process, including proper due diligence, in place before engaging with a Service Provider.
• Stockport School will have a process in place to monitor the PCI DSS compliance status of the Service Provider.