
Belize Caribbean Tours

Payment Card Security Policy

(Aligned with PCI DSS SAQ A-EP v4.0.1)

Document Owner: Belize Caribbean Tours
Technical Administrator: Aesthetics Marketing Solutions Limited (AMS Ltd.)
Applies To: https://belizecaribbeantour.net/
Payment Integration: Heritage Bank WooCommerce Payment Gateway
Effective Date: 2-18-2026
Review Cycle: Annually (or upon infrastructure change)


1. Purpose

This policy establishes the security controls required to protect cardholder data and to support compliance with PCI DSS v4.0.1 SAQ A-EP, the self-assessment questionnaire for e-commerce merchants that outsource payment processing to a PCI DSS validated third party but whose website can still affect the security of the payment transaction (for example, because the website generates the redirect that sends the customer to the payment page). Because this site sends customers to Heritage Bank's hosted page by redirect, what is in scope is the integrity of the WordPress/WooCommerce code that produces that redirect, not card data itself.

Belize Caribbean Tours does not store, process, or transmit cardholder data on its own systems. Card data is entered on, and handled entirely by, Heritage Bank's hosted payment environment.


2. Scope

This policy applies to:

  • The public website hosted at:
    https://belizecaribbeantour.net/

  • WordPress + WooCommerce infrastructure

  • Hosting environment and server configuration

  • Administrative access to the website

  • All personnel managing website content or integrations

This policy does NOT apply to Heritage Bank systems, which are PCI DSS validated independently.


3. Payment Data Flow

  1. Customer selects services on Belize Caribbean Tours website.

  2. Customer proceeds to checkout.

  3. Customer is redirected over HTTPS to Heritage Bank's hosted payment page.

  4. Cardholder data is entered ONLY on Heritage Bank's hosted payment page, never on a page served by this website.

  5. Authorization is processed by Heritage Bank.

  6. Belize Caribbean Tours receives the transaction confirmation only; no card data is returned to the website.

At no point does Belize Caribbean Tours store:

  • Card numbers (PAN)

  • CVV / card verification code

  • Expiry date

  • Sensitive authentication data (full track data, PIN or PIN block)


4. PCI DSS Responsibility Model

Control Area             Responsibility
Website Security         Belize Caribbean Tours / AMS Ltd.
Server Hardening         Hosting Provider / AMS Ltd.
Payment Processing       Heritage Bank
Card Data Storage        Not stored (no cardholder data is retained)
Vulnerability Scanning   Belize Caribbean Tours
Access Control           Belize Caribbean Tours
Secure Development       AMS Ltd.

5. Technical Security Controls

5.1 Secure Hosting Environment

The website is hosted in a hardened environment with:

  • Firewall protection

  • Malware monitoring

  • Intrusion prevention systems

  • Isolated hosting account

  • Daily application of available operating-system and web-stack security patches

  • File integrity monitoring


5.2 Encryption Requirements

  • HTTPS enforced site-wide (every plain-HTTP request is redirected to HTTPS)

  • TLS 1.2 or later only; SSLv3, TLS 1.0 and TLS 1.1 disabled

  • Weak cipher suites disabled

  • HSTS (Strict-Transport-Security) enabled

  • Login and session cookies set with the Secure and HttpOnly attributes
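
The transport controls above can be verified from the responses the site actually returns. The following is an added example, not code from this policy or from AMS Ltd.: it parses a raw HTTP response and reports which of the section 5.2 controls are missing. The responses are constructed for illustration; the one-year HSTS minimum and the cookie-name prefixes are assumptions about a typical WordPress/WooCommerce deployment, not values the policy states.

```python
"""Check an HTTP response against the transport controls in section 5.2.

Added example: this is not code from the Belize Caribbean Tours policy or from
AMS Ltd. The responses are constructed; in practice the same checks run over a
response fetched from https://belizecaribbeantour.net/. The one-year HSTS
minimum and the cookie-name prefixes are assumptions about a typical
WordPress/WooCommerce deployment, not values the policy states.
"""
import re

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds

# Cookies carrying a WordPress login or a WooCommerce session must not be
# readable by page scripts: HttpOnly is required on them as well as Secure.
SENSITIVE_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_",
                             "wp_woocommerce_session_")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_headers(headers):
    """Return the policy findings for an HTTPS response; an empty list means it passes."""
    findings = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS does not cover subdomains")
    for n, v in headers:
        if n != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if name.startswith(SENSITIVE_COOKIE_PREFIXES) and "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def audit_http_redirect(status, headers):
    """A plain-HTTP request must be answered with a permanent redirect to the HTTPS origin."""
    location = next((v for n, v in headers if n == "location"), "")
    if status not in (301, 308) or not location.lower().startswith("https://"):
        return ["plain HTTP not redirected to HTTPS"]
    return []


def audit(raw):
    """Convenience wrapper: findings for a raw HTTPS response."""
    return audit_headers(parse_response(raw)[1])


# Constructed sample: a weak deployment (no HSTS, login cookie without flags).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: wordpress_logged_in_abc=user%7Ctoken; Path=/\r\n"
    "\r\n<html>..."
)

# Constructed sample: the same page after the section 5.2 controls are applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: wordpress_logged_in_abc=user%7Ctoken; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: woocommerce_items_in_cart=1; Path=/; Secure\r\n"
    "\r\n<html>..."
)

# Constructed sample: the answer to an http:// request for the same site.
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://belizecaribbeantour.net/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or "OK")
    print("redirect", audit_http_redirect(*parse_response(HTTP_REDIRECT)) or "OK")
```

The check deliberately leaves out the TLS version and cipher controls: those need a live handshake (for example, `openssl s_client -tls1_1 -connect belizecaribbeantour.net:443` should fail to negotiate) and are also exercised by the quarterly ASV scan in section 7. The WooCommerce cart-count cookie in the hardened sample is read by page scripts, so it is only required to be Secure, not HttpOnly.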


5.3 No Storage of Cardholder Data

Belize Caribbean Tours systems are configured to:

  • Never log payment-related form fields or request bodies

  • Never serve checkout pages from a page cache

  • Never store PAN data

  • Never store sensitive authentication data
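
With the redirect flow in section 3 the site should never see a card number at all, so the "never log" control above is a backstop for a misrouted form post, a debug dump or a customer pasting a card number into a free-text field. One way to enforce it at the logging layer, as an added example that is not code from this policy or from AMS Ltd., is a filter that masks any Luhn-valid 13 to 19 digit sequence before it is written; the log messages and the Python `logging` usage are constructed for illustration.

```python
"""Mask anything that looks like a primary account number before it reaches a log.

Added example: not code from the Belize Caribbean Tours policy or from AMS Ltd.
With the redirect flow in section 3 the site should never see a PAN, so this
filter is a backstop: a misrouted form post, a debug dump or a card number
pasted into a free-text field must not end up in logs that are kept for twelve
months. The log messages below are constructed.
"""
import logging
import re

# 13 to 19 digits, each optionally followed by a single space or hyphen,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check digit (ISO/IEC 7812); screens out order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text):
    """Replace each Luhn-valid candidate with asterisks, keeping only the last four digits."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # not a card number; leave it unchanged
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(repl, text)


class PanRedactingFilter(logging.Filter):
    """Attach to a logger or handler; rewrites the message and its string arguments in place."""

    def filter(self, record):
        record.msg = mask_pan(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: (mask_pan(v) if isinstance(v, str) else v)
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(mask_pan(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def redacted_message(msg, *args):
    """Run one message through the filter and return the text that would be written."""
    record = logging.LogRecord("woocommerce", logging.INFO, __file__, 0, msg, args, None)
    PanRedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    log = logging.getLogger("woocommerce")
    log.addFilter(PanRedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    # Constructed messages: a well-known Visa test PAN and a 13-digit order
    # number that fails the Luhn check and is therefore left untouched.
    log.info("checkout error for %s, card 4111 1111 1111 1111, order 1000000000000", "alice")
    print(redacted_message("ref %s", "5555-5555-5555-4444"))
```

The Luhn check is what keeps the filter usable: a bare "13 to 19 digits" rule would also rewrite order numbers, phone numbers and tracking codes. Non-string arguments are passed through unchanged so that `%d` and similar format specifiers keep working.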


5.4 Secure WooCommerce Configuration

The WooCommerce environment is configured to:

  • Use the redirect method to Heritage Bank's hosted payment page

  • Disable any gateway option that captures or processes card data on the site

  • Prevent card fields from being rendered on any page served by the site

  • Restrict plugin installation (for example, by setting DISALLOW_FILE_MODS in wp-config.php so plugins and themes cannot be installed or edited from the dashboard)

  • Use only payment modules validated and maintained by AMS Ltd.


6. Access Control Policy

Administrative access is restricted by:

  • Unique user IDs (no shared logins)

  • Strong password enforcement (at least 12 characters containing both letters and numbers, per PCI DSS Requirement 8.3.6)

  • Multi-Factor Authentication (MFA)

  • Role-based permissions

  • Login attempt monitoring, with lockout after no more than 10 consecutive failures for at least 30 minutes (PCI DSS Requirement 8.3.4)

  • Immediate revocation upon staff termination


7. Vulnerability Management (SAQ A-EP Requirement)

Belize Caribbean Tours performs:

  • Quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV), with rescans until a passing result is obtained

  • Annual penetration testing, repeated after any significant infrastructure or application change

  • Weekly malware scans

  • Monthly plugin updates

  • Out-of-cycle patching of critical and high-risk vulnerabilities within one month of a fix being released (PCI DSS Requirement 6.3.3)


8. Change Management

All website updates follow controlled procedures:

  1. Changes tested in staging environment.

  2. Security validation performed, including confirmation that the checkout still redirects to Heritage Bank's hosted payment page and that no card fields appear on the site.

  3. Updates logged and approved.

  4. Only authorized AMS personnel deploy changes.

Unauthorized modifications are strictly prohibited.


9. Logging & Monitoring

The system maintains logs of:

  • Administrative logins

  • File changes

  • Plugin installations

  • Security alerts

  • Failed login attempts

Logs are retained for a minimum of 12 months, with at least the most recent three months immediately available for analysis (PCI DSS Requirement 10.5.1).
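
The failed-login entries in these logs are only useful if something reads them. The following is an added example, not code from this policy or from AMS Ltd.'s monitoring: it counts failed logins per client address from ordinary web-server access logs and raises an alert at the lockout limit of section 6. It relies on one WordPress behaviour, that a failed POST to /wp-login.php re-renders the form with status 200 while a successful login answers 302. The log lines are constructed, and the combined log format is an assumption about the hosting environment.

```python
"""Flag brute-force attempts against wp-login.php from web-server access logs.

Added example: not code from the Belize Caribbean Tours policy or from AMS
Ltd.'s monitoring. It relies on one WordPress behaviour: a failed POST to
/wp-login.php re-renders the form with status 200, while a successful login
answers 302, so failures can be counted from the access log with no plugin.
The threshold (ten failures from one client address within 30 minutes) follows
the lockout limit in PCI DSS Requirement 8.3.4. The log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MAX_FAILURES = 10           # PCI DSS 8.3.4: lock out after no more than 10 attempts
WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Return the fields this check needs, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def is_failed_login(ev):
    """A POST to wp-login.php answered with 200 is a re-rendered form, i.e. a failure."""
    return (ev["method"] == "POST"
            and ev["path"].startswith("/wp-login.php")
            and ev["status"] == 200)


def detect_bruteforce(lines):
    """Return {client_ip: time the threshold was first crossed}, using a sliding window per client."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2048 "-" "Mozilla/5.0"'


# Constructed log: one legitimate user who mistypes once then logs in (302),
# ordinary shop traffic, and a single address failing twelve times in a row.
SAMPLE_LOG = [
    _line("198.51.100.4", "18/Feb/2026:03:10:00 +0000", "POST", "/wp-login.php", 200),
    _line("198.51.100.4", "18/Feb/2026:03:10:30 +0000", "POST", "/wp-login.php", 302),
    _line("192.0.2.9", "18/Feb/2026:03:11:00 +0000", "GET", "/checkout/", 200),
] + [
    _line("203.0.113.7", f"18/Feb/2026:03:{12 + i:02d}:00 +0000", "POST",
          "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200)
    for i in range(12)
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {MAX_FAILURES} failed logins within {WINDOW} by {when:%H:%M:%S}")
```

The access log only sees the browser login form. WordPress also accepts credentials over XML-RPC (/xmlrpc.php) and the REST API, so a deployment that leaves those enabled needs `is_failed_login` extended to cover them, or the endpoints blocked at the web server.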


10. Incident Response Plan

If a suspected security incident occurs:

  1. Website is immediately placed into maintenance mode.

  2. Logs and a copy of the affected files are preserved before any cleanup, so the forensic review works from intact evidence.

  3. AMS security team initiates forensic review.

  4. Hosting provider is notified.

  5. Heritage Bank is notified of any suspected compromise that could affect the payment flow (for example, a modified checkout redirect).

  6. PCI DSS incident procedures are followed, including any notification the acquirer requires.

  7. Vulnerability is remediated before service is restored.


11. Third-Party Service Providers

Provider                              Service
Heritage Bank                         Payment Processing
Hosting Provider                      Infrastructure Hosting
Aesthetics Marketing Solutions Ltd.   Website Management & Security

All providers are required to maintain PCI DSS compliance for the services they deliver, and their compliance status is confirmed at least once every 12 months (PCI DSS Requirement 12.8.4).


12. Security Awareness

Personnel with website access receive guidance on:

  • Phishing prevention

  • Password hygiene

  • Secure use of admin systems

  • Recognizing suspicious activity


13. Annual Validation

Belize Caribbean Tours will:

  • Complete SAQ A-EP annually

  • Maintain scan compliance

  • Review this policy yearly

  • Update controls as PCI DSS evolves


14. Compliance Statement

Belize Caribbean Tours confirms that:

  • Payment card handling is fully outsourced to Heritage Bank.

  • The company maintains a secure e-commerce environment.

  • Systems are configured to meet PCI DSS SAQ A-EP v4.0.1 requirements.

  • No cardholder data is stored, processed, or transmitted locally.


15. Policy Review

This document shall be reviewed:

  • Annually

  • After infrastructure updates

  • After plugin/payment changes

  • After any security event
