PCI DSS Security Brief
PURPOSE
The Payment Card Industry Data Security Standard (PCI DSS) was created to keep customers’ credit card data secure. At Mister Car Wash, where an average of 50% of our customers pay with credit cards, being PCI compliant is critical to our business. When we are PCI compliant, we:
- Respect our customers’ privacy
- Agree to protect their personal reputation
- Uphold our reputation as an honest company with good business practices
It is your responsibility to understand and follow the PCI requirements as outlined in this document.
PASSWORDS
- DO NOT share your passwords for the POS system.
- Notify your Regional Manager or Mister IT if you suspect any unauthorized use of passwords.
- Update your password quarterly.
IT CABINET
- IF YOUR IT CABINET LOCKS: Keep the cabinet LOCKED and secure the key in the safe. Maintain a log book and record every time the cabinet is unlocked and accessed. The log should indicate date, time, and purpose of access.
- IF YOUR IT CABINET DOES NOT LOCK: Keep the room where the cabinet is stored LOCKED at all times. Maintain a log book and record every time the room is entered. The log should indicate date, time, and purpose of entry.
- Limit access to this area to authorized personnel only. If it becomes necessary for a non-employee to enter this area, they must sign a visitor log sheet indicating date, time, and purpose of access. Be sure to verify the identity of visitors before allowing them access.
- Change the safe combination and store password at every change in management personnel.
POS EQUIPMENT
- Regularly inspect credit card readers, POS equipment, computers, and devices on the point-of-sale network to make sure that they have not been tampered with. Report to IT immediately if you see any unauthorized devices attached to computers or devices on the point-of-sale network. Unauthorized devices include, but are not limited to, computers, laptops, and portable data storage devices, including cell phones.
- Keep keys to express payment terminals (XPTs)/kiosks, gates, or gas pumps with credit card readers in a secured location.
- DO NOT install, replace, or return any POS equipment unless you have first verified with Mister IT.
- Watch for virus or other computer malware alerts or suspicious computer activity. Report alert messages or anything suspicious to Mister IT.
- DO NOT attach any portable data storage devices/media, including cell phones, to the point-of-sale network or computers.
VIDEO SURVEILLANCE
- Make sure that you have a security camera positioned to view the POS IT security cabinet door or the door to the locked room where the POS system is housed, as well as each area where credit card transactions take place (e.g., lobby registers, outdoor registers, etc.). Check the cameras regularly to verify they are all functioning.
SECURITY ACCESS
- Maintain tight control over security access cards:
  - Make sure no managers share a card.
  - Employees must turn in their access card immediately upon termination.
- Immediately set the status of all terminated employees to “inactive” on the POS.
- Restrict access to cardholder data on a business need-to-know basis. Limiting the number of personnel that have access to cardholder data will lessen the chances of a security breach.
CREDIT CARDS
- NEVER write down or record credit card numbers, expiration dates, or PINs other than to enter a card directly into a POS terminal. Do not type credit card data into a notes or comment field.
- Secure lost or forgotten cards in the locked safe. Shred and properly dispose of lost or forgotten cards if they are recovered within 14 days.
REVISION HISTORY
Revised Date | Revised By     | Revisions
02/12/2017   | Terri Hale     | Document created
05/10/2019   | Lauren Babson  | Updated to reflect requirements. Removed signature line; compliance will be tracked in Mister Learn
06/15/2019   | Lucas Shippers | Updated language and format
10/17/2024   | Andrew Poskey  | Moved to Fresh
3/13/2025    | Andrew Poskey  | Updated title formatting
8/27/2025    | Andrew Poskey  | Reviewed and updated per Kurt Myers, Director IT Security