PCI Compliance Policy
BeYofi World Merchant Services, LLC / BeYofi World Pay (BWP)
BeYofi World Merchant Services, LLC (“Company”, “we”, “us”) is fully committed to protecting cardholder data and maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS). This policy establishes the requirements and practices for processing, storing, and transmitting payment card data securely.
This policy applies to all employees, contractors, agents, and systems that handle, process, store, or transmit cardholder data as part of BeYofi World Pay’s (BWP) services, in both US and international operations.
Data Minimization: Collect only the minimum cardholder data necessary for transactions.
Secure Transmission: Encrypt all cardholder data during transmission over public networks using industry standards (such as TLS).
Data Storage: Only store cardholder data when strictly necessary and always keep it encrypted and/or tokenized.
Data Disposal: Irreversibly destroy cardholder data that is no longer needed.
Access to cardholder data is limited to authorized personnel based on job role.
Unique user IDs are required; shared or group accounts are not permitted.
Access rights are reviewed at least quarterly and revoked immediately upon role change or termination.
Paper records and hardware storing cardholder data are protected in physically secure, access-controlled areas.
Physical access to payment processing equipment and environments is strictly controlled.
Network segmentation is maintained between cardholder data environments and other business operations.
Firewalls, antivirus, and intrusion detection/prevention systems are in place and regularly updated.
Systems and applications undergo regular vulnerability scans and annual penetration testing.
All employees undergo onboarding and annual PCI compliance and security training.
Training includes instruction on recognizing and reporting data security incidents.
Reporting:
- All suspected or actual breaches involving cardholder data must be reported immediately to the PCI Compliance Officer and the IT Security Lead.
- All BWP employees, contractors, and partners are required to report incidents within 15 minutes of identification.
Escalation:
- The PCI Compliance Officer will initiate the incident response plan within one hour of report receipt.
- Management and, if required, external partners (forensics, law enforcement, affected merchants) will be notified within four hours.
Containment & Investigation:
- Incidents are assessed and containment measures are taken to minimize further data exposure.
- Detailed investigation and documentation of the incident proceed as soon as possible but must start within 24 hours of the initial report.
Communication:
- Stakeholders, including affected parties and regulatory entities, will be notified using the timeline and processes defined in company protocols and applicable law.
Remediation:
- All incidents will be remediated promptly, with root causes identified and policies updated as needed.
Post-Incident Review:
- After resolution, a post-mortem review will be conducted within 7 days to address process gaps and implement improvements.
This PCI Compliance Policy should be read together with the following documents (links or file addresses should be updated as appropriate):
Privacy Policy – How user and cardholder data is collected, used, and protected.
Acceptable Use Policy – Defines appropriate and prohibited uses of BWP services.
Terms & Conditions – Complete outline of user rights and obligations.
Incident Response Plan – Detailed escalation steps and contacts.
Cookie Policy – Information on our use of cookies and user management of preferences.
In the event of a conflict between policies, the stricter security standard will always apply.
All vendors or partners handling cardholder data must maintain PCI DSS compliance.
Contracts require evidence of compliance and assign responsibilities for data protection.
Cardholder data environments are monitored for unauthorized access or anomalies.
Regular security reviews, internal audits, vulnerability scans, and annual PCI DSS audits are enforced.
PCI DSS requirements are integrated into company policies, technology projects, and operational planning.
Annual policy reviews and real-time updates in response to regulatory or business changes ensure ongoing effectiveness.
Employees or contractors violating this policy are subject to disciplinary measures up to and including termination.
For PCI compliance questions or concerns:
Email: info@beyofiworldpay.com
Incident Response: security@beyofiworldpay.com