Payment Card Security Policy
We must protect the cardholder information of patients and of any individual or entity that uses a credit or debit card to transact business with us. The Payment Card Industry Data Security Standard (PCI DSS) has been adopted to ensure the protection of customer data and card numbers.
To comply with PCI DSS, staff members who work directly with credit and debit card processing and its documentation are required to review and sign this policy annually.
Service Provider
Our card payment providers are:
- Clover, which is owned by First Data (card terminals, online terminal)
- Sage Pay (powered by Elavon) (Meddbase online terminal, online booking terminal)
We are currently using two Clover Flex handheld devices in the Front Office and one in the X-Ray department.
Procedures For Access To Patient Credit Or Debit Card Data
- Only authorised staff may process credit or debit card transactions or have access to documentation related to credit and debit card transactions.
- A copy of this policy must be read and signed by authorised personnel on initial employment and annually thereafter.
Card Information In Email
- Under no circumstances may any member of staff send credit or debit card numbers by e-mail or write them down on paper.
Template Response* For Credit or Debit Card Number Received In Email
Thank you for your recent communication regarding payment for our services. For your protection, we cannot accept credit or debit card information via email. Email is an insecure means of transmitting information and you should never use it to send your credit or debit card number or other sensitive personal information.
Please call our office on +44 207 563 1234 during business hours to complete the transaction. If you wish, we can also store your card details securely on our system for future payments. Thank you.
*Delete the cardholder data from your response, delete the original message after replying, and then remove it from Deleted Items so that no copy of the card number remains in the mailbox.
Processing Credit or Debit Card Transactions and Storage of Cardholder Data on Company Computers
- Card details may only be stored in our secure system on Meddbase, which protects and encrypts the patient data and is PCI DSS compliant.
- Cardholder data must not be stored electronically anywhere else (local files, spreadsheets, notes, e-mail). If there is a documented requirement for such storage, appropriate encryption must be used and the data must be stored on a computer belonging to the PCI environment. The card security code (CVV/CVC) must never be stored after authorisation, even in encrypted form.
Retention and Destruction of Cardholder Data
Stored card details are retained for six months from authorisation, after which they must be deleted. PCI DSS compliance is in place and is reviewed annually to ensure the protection of cardholder data.