Bridekirk Fine Art uses cookies on this website. They help us to know a little bit about you and how you use our website, which improves the browsing experience and marketing - both for you and for others. They are stored locally on your computer or mobile device. To accept cookies continue browsing as normal. Or go to the cookies policy for more information and preferences.

Card Security

Bridekirk Fine Art

Credit Card Security Policies


Version 1.0 - 11, 01,2012


This document is the property of Bridekirk Fine Art; it contains information that is proprietary, confidential, or otherwise restricted from disclosure. If you are not an authorized recipient, please return this document to the above-named owner. Dissemination, distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of Bridekirk Fine Art.

Revision History


Approving Manager


Initial Publication

D Anderson


Annual Review

D Anderson


Annual ReviewD Anderson01/11/2014
Annual ReviewD Anderson03/03/2015
Annual ReviewD Anderson22/09/2021

Introduction and Scope


This document explains Bridekirk Fine Art's credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program.  Bridekirk Fine Art management is committed to these security policies to protect information utilised by Bridekirk Fine Art in attaining its business goals.  All employees are required to adhere to the policies described in this document.

Scope of Compliance

The PCI requirements apply to all systems that store, process or transmit cardholder data.  Currently, Bridekirk Fine Art does not store cardholder data in electronic format, nor does it process or transmit any cardholder data on their systems or premises.  Retention of cardholder data, if any, shall be limited to paper reports or receipts.

Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as defined in the Self-Assessment Questionnaire (SAQ) A, ver. 2.0, October 2010.  Should Bridekirk Fine Art implement additional acceptance channels, begin storing, processing, or transmitting cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ A, it will be the responsibility of Bridekirk Fine Art to determine the appropriate compliance criteria and implement additional policies and controls as needed.

Requirement 9:  Restrict Physical Access to Cardholder Data

Physically Secure all Media Containing Cardholder Data

Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:

All media must be physically secured. (PCI requirement 9.6)

Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data.  These controls shall include:

Media must be classified so the sensitivity of the data can be determined. (PCI Requirement 9.7.1)

Media must be sent by a secure carrier or other delivery methods that can be accurately tracked. (PCI Requirement 9.7.2)

Logs must be maintained to track all media that is moved from a secured area, and management approval must be obtained prior to moving the media.  (PCI Requirement 9.8)

Strict control must be maintained over the storage and accessibility of media containing cardholder data. (PCI Requirement 9.9)

Destruction of Data

All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. (PCI requirement 9.10)

Hardcopy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. Container storing information waiting to be destroyed must be secured to prevent access to the contents. (PCI requirement 9.10.1)

Requirement 12:  Maintain a Policy that Addresses Information Security for Employees and Contractors

Service Providers

Bridekirk Fine Art shall implement and maintain policies and procedures to manage service providers. (PCI requirement 12.8)

This process must include the following:

  1. Maintain a list of service providers (PCI requirement 12.8.1)
  2. Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of the cardholder data the service providers possess (PCI requirement 12.8.2)
  3. Implement a process to perform proper due diligence prior to engaging a service provider (PCI requirement 12.8.3)
  4. Monitor service providers’ PCI DSS compliance status (PCI requirement 12.8.4)