PCI Compliance Policy

Last Updated: 15/4/25

1. Introduction

RSTEPOS is committed to ensuring the highest level of security for payment card data. As a provider of point-of-sale and integrated payment solutions including TapaPOS, TapaPay, iWantFed, and GiveaVoucher, we adhere to the standards set by the Payment Card Industry Data Security Standard (PCI DSS).

This policy outlines how we manage and maintain PCI compliance across our systems and services, including our approach to secure card data processing, storage, and transmission.

2. Our PCI Compliance Approach

We partner with PCI DSS-compliant acquiring and gateway providers and design our systems to:

  • Never store sensitive card data such as full card numbers, CVV codes, or track data

  • Use tokenization and encryption where payment details are captured

  • Process payments only via PCI-certified third-party platforms like [TapaPay’s acquiring bank/gateway]

  • Ensure all hosted services (e.g. online ordering via iWantFed) are served over HTTPS/TLS-secured connections

3. Key Practices

Data Security

  • No payment card data is stored on any local or server infrastructure managed by RSTEPOS

  • All payment activity is redirected or handled through PCI DSS Level 1 certified providers

  • All data in transit is encrypted using TLS 1.2 or higher

Access Control

  • Only authorised personnel have access to payment configuration settings (e.g. API keys, merchant IDs)

  • Role-based access is enforced across our back office and POS applications

Staff Awareness

  • Staff with access to systems that integrate payment components receive PCI awareness training as part of onboarding

  • Regular reviews are conducted to ensure access rights remain appropriate

Device Security

  • TapaPOS terminals and card readers are tamper-resistant and comply with PCI PTS (PIN Transaction Security) requirements

  • Devices are regularly inspected for signs of tampering and maintained in accordance with manufacturer and acquirer guidance

4. Third-Party Services

RSTEPOS works with certified third-party providers to deliver secure payment solutions. These partners maintain their own PCI DSS certifications and are required to:

  • Provide annual attestation of compliance (AOC)

  • Notify RSTEPOS of any breach or security incident affecting cardholder data

5. Incident Response

If a security breach or suspected compromise occurs, RSTEPOS will:

  • Immediately disable affected systems or services

  • Notify affected merchants and acquirers where required

  • Work with third-party providers and forensic investigators

  • Fulfil any reporting obligations under PCI DSS and to applicable regulators

6. Ongoing Compliance

RSTEPOS regularly reviews its payment infrastructure and partnerships to ensure continued compliance. Our commitment includes:

  • Working only with PCI DSS-certified platforms

  • Updating documentation and processes with PCI revisions

  • Participating in audits where applicable

7. Contact Us

If you have questions about our PCI Compliance Policy, please contact:

RSTEPOS Compliance Team
Email: support@rstepos.com
Phone: 02871860069