PDQ Information Security Policy
1.0 DOCUMENT CONTROL
1.1 DOCUMENT DETAILS
Title: Information Security Policy
Type: Policy
Effective Date: 28 March 2025
Revision Period: Annual

Author: Tibor Laczko
Function: Consultant

Owner: Financial Controller
Function: Financial Controller

Reviewed/authorised by: Wilson Vale Board of Directors
Function: Wilson Vale Board of Directors

1.2 CHANGE HISTORY
Item | Version | Date | Revision Description |
---|---|---|---|
0 | 0.1 | 14/01/2016 | Initial draft |
1 | 1.0 | 03/06/2016 | Final draft |
2 | 2.0 | 05/06/2017 | Annual review |
3 | 3.0 | 06/06/2018 | Annual review |
4 | 4.0 | 20/06/2019 | Annual review |
5 | 5.0 | 18/06/2020 | Annual Review |
6 | 6.0 | 17/06/2021 | Annual Review |
7 | 7.0 | 22/06/2022 | Annual Review |
8 | 8.0 | 21/08/2023 | Annual Review |
9 | 9.0 | 21/08/2024 | Annual Review |
10 | 10.0 | 28/03/2025 | Update PCI DSS V4 Final Draft |
1.3 Communication, Review and Maintenance

This Policy is communicated to all relevant staff as part of their induction and as part of the annual refresher programme. The Policy is held on the HO filing system. Staff shall be informed of any changes to the Policy by their line manager. This Policy shall be made available to relevant interested parties as required.

This Policy shall be reviewed annually by the Policy Owner to ensure it remains fit for purpose and at other times as dictated by operational needs.

1.4 References

Payment Card Industry Data Security Standard (PCI DSS) v4.01
CONTENTS

1.0 Document Control
1.1 Document Details
1.2 Change History
1.3 Communication, Review and Maintenance
1.4 References
2.0 Document Purpose
3.0 Scope
4.0 Policy Detail
4.1 Daily device checks
4.1.1 The following checks must be performed
4.2 Monthly formal audits
4.2.1 The audit must include
4.3 Incident Response
4.4 Training and Awareness
4.5 Record Keeping
5.0 Policy Review
2.0 Document Purpose

This policy ensures compliance with PCI DSS Requirement 9.5 by protecting PDQ devices from tampering and unauthorized substitution. It establishes procedures for daily device checks and monthly formal audits to safeguard cardholder data.

3.0 Scope

This policy applies to all PDQ devices used in the restaurant for processing cardholder payments.

4.0 Policy Detail

4.1 Daily device checks

Before the start of each service, designated staff must inspect all PDQ devices for signs of tampering.

Any discrepancies or suspicious findings must be reported immediately to the manager on duty.

4.1.1 The following checks must be performed:

- Inspect the terminal for physical damage, unusual attachments, or modifications.
- Ensure that no unauthorized stickers, labels, or devices are attached.

4.2 Monthly formal audits

A formal audit of all PDQ devices must be conducted monthly by the designated compliance officer or manager.

A completed Card Reader Monthly Inspection Checklist must be prepared and submitted to the Head Office with month end closing bookwork and stock sheets.

4.2.1 The audit must include:

- Verification of device inventory against the master list.
- Thorough inspection of each device for tampering or substitution.

4.3 Incident Response

If tampering or unauthorized substitution is detected:

- Immediately remove the affected device from service.
- Notify the Head Office and follow the incident response plan.
- Retain the device for further investigation, if required.

4.4 Training and Awareness

- All staff handling PDQ devices must receive training on this policy and the importance of device security.
- Refresher training must be conducted annually or as needed.

4.5 Record Keeping

Monthly Audit Reports must be retained for a minimum of 12 months for compliance and review purposes.

5.0 Policy Review

This policy will be reviewed annually or as required to ensure continued compliance with PCI DSS requirements.