StandardCard Security & Compliance

PCI DSS Compliance Overview

Internal control objectives aligned to the Payment Card Industry Data Security Standard for any system that stores, processes or transmits cardholder data.

v3.0effective 2025-01-10

Scope

This standard summarizes RPC's internal control objectives aligned to the Payment Card Industry Data Security Standard (PCI DSS) for any system, network segment or third-party service that stores, processes or transmits cardholder data. Together these systems form the Cardholder Data Environment (CDE).

All in-scope systems must be inventoried in the CDE asset register and re-validated at least once every six months, or immediately after any architectural change that could expand the CDE boundary.

Control objective groups

RPC organizes its cardholder data controls into six objective groups: (1) build and maintain secure networks and systems, (2) protect stored and transmitted cardholder data, (3) maintain a vulnerability management program, (4) implement strong access control measures, (5) regularly monitor and test networks, and (6) maintain an information security policy.

Each objective group maps to a named control owner inside Card Security & Compliance who is accountable for evidence collection ahead of the annual assessment.

Data classification

Primary Account Number (PAN), cardholder name, expiration date and service code are classified as Restricted — Cardholder Data. PAN must be masked when displayed (showing at most the first six and last four digits) and must be rendered unreadable wherever stored, using strong cryptography or an approved tokenization scheme.

Sensitive Authentication Data — full magnetic-stripe track data, CVV2/CVC2 values and PIN blocks — must never be stored after authorization, even in encrypted form. Any system found retaining Sensitive Authentication Data post-authorization must be quarantined and reported to Card Security & Compliance within 24 hours of discovery.

Compliance validation

RPC validates compliance annually through a Report on Compliance (RoC) performed by an external Qualified Security Assessor (QSA), consistent with our processor volume tier. Quarterly external vulnerability scans are performed by an Approved Scanning Vendor (ASV), and results with a CVSS score of 4.0 or higher must be remediated within 30 calendar days.

Internal penetration testing of the CDE is performed at least annually and after any significant change to network architecture or applications in scope.

Roles and responsibilities

Card Security & Compliance owns the standard and the annual assessment calendar. System Owners of in-scope applications are responsible for keeping data-flow diagrams current and for remediating findings assigned to their systems within agreed SLAs.