Credit Card Management Policy and Procedures

Approved by the Practice Manager/Director of PsychSolutions Clinicians on 2nd May 2022

About PsychSolutions Clinicians

PsychSolutions believe in helping people to thrive. Our mission is to provide timely and accessible care of the highest quality to children, adults and organisations. We offer a range of health and wellbeing services including psychological assessment and counselling, educational as well as corporate leadership and workplace services. Committed to quality in all that we do, we help people cultivate self-worth, build resilience and grow in mental wellness in order to thrive.

PsychSolutions is committed to delivering best practice ethical standards in all areas of our company.

For the individual we provide the following psychological services:

  • Psychological assessment and counselling in many clinical areas;
  • Cognitive Behaviour Therapy (CBT), Acceptance and Commitment Therapy (ACT), Dialectical Behaviour Therapy (DBT), Mindfulness, Eye Movement Desensitisation Reprocessing and other evidence-based therapies;
  • psychological assessment and counselling for workers compensation related rehabilitation;
  • Employee Assistance Programs (EAPs);
  • Speech Therapy Services
  • Psychiatry Services
  • Dietitian Services
  • Behaviour Assessment and Behaviour Management Plans;
  • online mental health assessments and cognitive assessments; and

We are conveniently located in Orange, Bathurst and Dubbo, NSW

Policy and Procedures Purpose

The purpose of this Policy and Procedures is to provide the policies and procedures for Credit Card Management by PsychSolutions staff. It also provides guidelines around the correct permission, access, use and storage of Client credit card information.

This policy and associated set of procedures outline the ongoing obligations of PsychSolutions staff to all Clients in respect of how we manage their Personal Information and Credit Card details. This Policy and Procedures should be read in conjunction with both the Finance Management Policy and Procedures and the Privacy Policy and Procedures.

Scope

This Policy applies to all PsychSolutions Clinicians employees and Clients.

Definitions

Client
A Client is a person receiving goods and/or services from PsychSolutions.

Online Customer
An Online Customer is a person receiving goods and/or services from PsychSolutions.

Employee
An employee is a person who is hired to provide services in exchange for compensation (pay) (Australian Taxation Office, 2012). An employee is a paid member of staff – this can be on a full-time, part-time, fixed term or casual basis. This includes contractors providing services to PsychSolutions for a set time or specific task and those engaged in the performance of duties for PsychSolutions from a labour hire agency.

Aims of the Policy and Procedures

The PsychSolutions Credit Card Management Policy & Procedures ensures that PsychSolutions staff have an effective, efficient, and lawful approach to collecting, charging, storing, accessing, securing, and disposing of a Client’s credit card information.

Reference

PsychSolutions has adopted the PCI Data Security Standards to protect and govern the way we accept, store, process and transmit credit card transactions.
A copy of the PCI security standards can be obtained from the PCI Security Standards Council website at www.pcisecuritystandards.org.
PsychSolutions, as the Merchant (Collector), works with the third party Pin Payments, which is a Level 1 PCI Service Provider. PsychSolutions Clinicians is guided by and works in adherence with Pin Payments’ Terms of Service.
PsychSolutions, as the Merchant (Collector), works with the third party BPOINT, which is a Level 1 PCI Service Provider. PsychSolutions is guided by and works in adherence with BPOINT Australia’s Services Agreement.

Third Parties

Where reasonable and practicable to do so, we will collect your credit card Information only from you. However, in some circumstances we may be provided with information by third parties. In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.
PsychSolutions as the Merchant (Collector) works with two primary third parties in relation to Credit Card Management.
B-Point is a DATAVAULT tokenisation service that allows us to securely store credit cards, charge cards and bank account details. This allows PsychSolutions to become PCI DSS compliant.

Credit Card Authority Policy

Purpose of the Policy

The credit card authority policy governs the way PsychSolutions staff seek, process, store and destroy a client or customer’s credit card information. Credit card authority is only gained when a Credit Card Authority Form is completed and signed by a client or customer.

Procedures

Prior to any of the following credit card procedures being undertaken, the authorising person noted must provide authority to PsychSolutions. This policy should be considered closely alongside the Financial Management Policy and Procedures and the Privacy Policy and Procedures.

Gaining Authorisation

The following are the steps PsychSolutions’ Staff will take to gain authorisation from a client or customer to store Credit Card information.

  • If you are a new Client of PsychSolutions, you will be asked over the phone if you would like to store your credit card information on your client file for payment of each session.
  • With your verbal consent, we will enter your credit card name, credit card number, CCV and expiry date into our secure payment system. This is a preliminary authority only.
  • Once verbal agreement is given, you will be sent an electronic Credit Card Authority Form. It will ask you to provide your first name, surname, D.O.B and your signature. The form will also outline your standard session fee and our payment terms and cancellation policy.
  • The form will request your compliance and authority with the following:

 

Gaining Credit Card Authority: Client or Customer
Storing Credit Card Information: Client or Customer
Processing a Credit Card: Client or Customer

The form response is saved in our online Customer Relationship Management System and on your client file, which can only be accessed by authorised Staff.
Your authority will remain in place until such time as you withdraw, in writing, your consent for us to keep your details on file.

When and how we will charge your credit card

We will let you know that we are going to charge your card (on the day of your consultation) and again in our Appointment Text Reminder (48 hours prior to your session).
In line with our Payment Terms, we will charge your credit card in full, on the day of your appointment using our automatic payment system, B-Point.
If you need to make a change to your appointment or your card details before we charge your card, please notify us at least 24 business hours before your session.

Storage of Credit Card Information

For Clients, credit card information is encrypted and stored in a completely isolated system. At no time is unencrypted card data stored on disk, whether at PsychSolutions, inside a third party's management system, or in the card storage system. Internally, Client card information is referenced only using a token. The token is not derived from card information in any way.

When your Credit Card Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to delete or destroy your Credit Card Information. If at any time a client or customer wishes to amend their authority, they can do so in writing to PsychSolutions.

Maintaining the Quality of your Personal Information

It is important to us that your Credit Card and Personal Information is up to date. We will take reasonable steps to make sure that your Credit Card and Personal Information is accurate, complete and up to date. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.

Effectiveness and Review

The Practice Manager, in conjunction with the Director, will review this Policy and Procedures document every 36 months on the anniversary of its approval.