Credit Card Processing Policy
Sports World Ministries, Inc. (“Sports World”) is committed to protecting the sensitive financial information of its donors. This policy applies to all Sports World employees, contractors, volunteers, and representatives (collectively “Team Members”) who interact with donors on Sports World’s behalf.
1. Vendor Processing Only.
Sports World will contract with vendors (“Payment Processors”) to facilitate donations to its ministry. Before establishing service with a vendor that stores, processes, or transmits Cardholder Data on behalf of Sports World, Team Members must obtain approval from Sports World to use that vendor. A vendor must be able to demonstrate that it is PCI-DSS compliant.
2. Data Processing.
Sports World’s Payment Processors require donor contact information, credit card Primary Account Number (“PAN”), and Credit Security Code (“CSC”) (collectively, “Cardholder Data”) in order to process donations. Cardholder Data may only be used in a manner required for business, legal, and/or regulatory purposes. When possible, donors should be directed to interact directly with Payment Processors via websites or text messaging services. If a donor needs to provide their Cardholder Data directly to Sports World, the Team Member receiving the Cardholder Data must collect only the information strictly necessary for completing the donation, and only at a time when the Team Member can contemporaneously enter that data in the Payment Processor’s platform. If it is necessary for the Team Member to record a physical copy of any Cardholder Data, the Team Member must ensure any copy of the Cardholder Data is rendered unreadable by destroying the physical copy immediately upon providing the Cardholder Data to the Payment Processor.
3. Prohibited Activities.
- Sports World will never request Cardholder Data from its donors.
- Sports World will never store Cardholder Data in any form.
- Sports World Team Members will never transmit or accept any Cardholder Data by email, chat, instant message, SMS, or any similar messaging technology.
4. Access Control.
Access to system components and Cardholder Data must be limited to individuals whose job requires such access. Access rights for individuals must be set to the least number of privileges needed to perform the required job and must be assigned based on job classification and function. All user accounts and passwords granting access to any payment vendor must be unique to that system and unique to that user. Group, shared, or generic accounts and passwords are not allowed.