Payment Card Industry Data Security Standard (PCI DSS) Policy
Effective Date: January 1, 2026
Annual Certification: January of each year
1. Introduction
Oneclickaway Inc. (“Oneclickaway,” “we,” “us,” or “our”) operates the website Oneclickaway.co. We are an authorized retailer for leading internet carriers in the United States of America. Our website serves as a platform for customers to compare internet carriers available in their zip code. The primary call to action promoted on our website is an inbound phone call to our Oneclickaway call center agents.
Crucially, Oneclickaway Inc. does NOT directly process, store, or transmit any credit card data. All customer orders, including credit card processing, are handled entirely within the secure systems and ecosystem of the respective internet carriers. This policy outlines our commitment to PCI DSS compliance, acknowledging our role in facilitating customer interaction that leads to payment processing by a third party (the internet carrier).
2. Scope of this Policy
This PCI DSS Policy applies to all personnel, systems, and environments within Oneclickaway Inc. that could potentially impact the security of cardholder data, even if we do not directly handle it. This includes:
- Our call center environment: While our agents do not collect credit card information, they guide customers to the carrier’s ecosystem for order processing. We must ensure our environment does not inadvertently expose or compromise cardholder data during this process.
- Our website (Oneclickawayusa.co): While the website itself does not support transactions, we must ensure its security does not create vulnerabilities that could indirectly affect the payment process once a customer transitions to a carrier’s system.
- Any systems or processes that interact with or could potentially impact the security of the carrier’s payment processing environment.
3. PCI DSS Compliance Posture
Oneclickaway Inc. is committed to completing its annual PCI DSS compliance validation (Self-Assessment Questionnaire and Attestation of Compliance) every January. Our compliance posture is based on the understanding that we are a referral-based business in which payment processing is entirely offloaded to the internet carrier’s secure environment. Our PCI DSS scope is therefore significantly reduced, but we still adhere to the controls relevant to our environment in order to protect the broader payment ecosystem.
4. Our Approach to PCI DSS Compliance
While Oneclickaway Inc. does not directly handle credit card data, we adhere to the principles of PCI DSS to ensure a secure environment for our customers and to support the overall integrity of the payment ecosystem. Our strategy focuses on:
4.1. Minimizing PCI DSS Scope:
- No Direct Payment Processing: Oneclickaway agents never ask for, collect, store, or transmit credit card numbers (PANs), expiration dates, CVV codes, or any other cardholder data or sensitive authentication data.
- Referral to Carrier Ecosystem: Customers are directed to the internet carrier’s official and PCI-compliant systems for all transaction processing. Our agents provide guidance and support, but the actual payment transaction occurs directly with the carrier.
- No Cardholder Data Storage: Because we do not process payments, we do not store any cardholder data (e.g., Primary Account Numbers – PAN, sensitive authentication data).
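As an added illustration (not part of this policy and not a tool Oneclickaway is described as using), the following Python script shows the kind of check a practitioner would run to verify the “no cardholder data storage” statement above: it scans call-center note lines for digit runs that look like a PAN and pass the Luhn check, and reports only a truncated form so the scan output itself never contains a full card number. The note lines, agent IDs and wording are constructed for the example, and the regular expression and Luhn heuristic are a reasonable detector design assumed here, not a standard Oneclickaway procedure.

```python
import re
from typing import List, Tuple

# Digit runs of 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop a longer digit string from being partially matched.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counted from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the separator-free PAN-like numbers found in one line of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def truncate_pan(digits: str) -> str:
    """Keep only the first six and last four digits, a truncation format PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_notes(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan note lines and return (1-based line number, truncated PAN) for every hit.

    The full PAN is never returned or printed, so the finding list is safe to keep."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, truncate_pan(pan)))
    return findings


# Constructed sample call-center notes (hypothetical; not real customer data).
# Lines 2 and 4 contain well-known test card numbers that pass the Luhn check.
# Line 3 contains a phone number (too short to match) and a 16-digit order
# reference that fails the Luhn check, so it must not be reported.
SAMPLE_NOTES = [
    "2026-01-15 10:02 agent=A17 caller asked about plans in zip 94538, transferred to carrier",
    "2026-01-15 10:09 agent=B03 caller read out card 4111 1111 1111 1111 exp 12/28, agent redirected to carrier",
    "2026-01-15 10:15 agent=A17 callback number 689-241-6305, order ref 1234567890123456",
    "2026-01-15 10:21 agent=C22 pasted from chat: 5500-0000-0000-0004, ticket opened",
]

if __name__ == "__main__":
    for lineno, masked in scan_notes(SAMPLE_NOTES):
        print(f"line {lineno}: PAN-like value {masked} found, handle under the incident response plan")
```

Roughly one in ten random digit strings of the right length passes the Luhn check, so every hit needs human review; a confirmed card number in notes, tickets or call recordings is a security incident to be handled under Section 6, not merely masked in place. The detector also misses a PAN embedded in a longer digit run or split across lines, so it supplements, rather than replaces, the agent training in Section 5.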
4.2. Adherence to Relevant PCI DSS Requirements (as applicable to our environment):
Even with limited scope, we maintain security controls that align with PCI DSS principles to prevent any potential impact on cardholder data. This includes, but is not limited to, the following requirements:
- Requirement 1: Install and maintain network security controls.
- Implementing and maintaining firewalls and routers to segment our internal network from the internet.
- Restricting inbound and outbound traffic to only what is necessary for business operations.
- Documenting and reviewing firewall configurations.
- Requirement 2: Apply secure configurations to all system components.
- Not using vendor-supplied defaults for system passwords and other security parameters.
- Implementing strong, unique passwords for all systems.
- Securing all system components within our environment that interact with our call center operations or website.
- Requirement 3: Protect stored account data.
- Not applicable in practice: we do not store account data (see Section 4.1).
- Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks (where applicable).
- Ensuring secure communication protocols (TLS 1.2 or higher) are used for our website and any other data transmissions over public networks, even where cardholder data is not involved, and that SSL and early TLS (1.0 and 1.1) are disabled.
- Requirement 5: Protect all systems and networks from malicious software.
- Implementing and regularly updating anti-malware solutions on all relevant systems (e.g., call center workstations, servers).
- Ensuring these protections are active, current, cannot be disabled by end users, and generate audit logs.
- Requirement 6: Develop and maintain secure systems and software.
- Implementing a patch management process so that all systems and applications receive security patches, with critical and high-risk patches applied promptly.
- Identifying and addressing security vulnerabilities according to their risk ranking.
- Requirement 7: Restrict access to system components and cardholder data by business need to know.
- Implementing strict access controls to our internal systems and networks.
- Granting access to information and systems only to personnel who require it for their job functions.
- Requirement 8: Identify users and authenticate access to system components.
- Assigning a unique ID to each individual with computer access; shared or generic accounts are not used.
- Implementing strong authentication methods for all users accessing our systems.
- Requirement 9: Restrict physical access to cardholder data.
- Restricting physical access to our call center, server rooms, and other sensitive areas.
- Implementing measures to prevent unauthorized personnel from accessing physical media or devices.
- Requirement 10: Log and monitor all access to system components and cardholder data.
- Implementing logging mechanisms to track all access to systems and network resources.
- Regularly reviewing logs for suspicious activity.
- Requirement 11: Test security of systems and networks regularly.
- Performing vulnerability scans of our network and systems at least quarterly and after significant changes.
- Conducting penetration testing where required by our applicable SAQ type.
- Testing security processes (e.g., incident response).
- Requirement 12: Support information security with organizational policies and programs.
- Maintaining a comprehensive information security policy that is reviewed and updated annually.
- Implementing a formal security awareness program for all personnel.
- Defining roles and responsibilities for information security.
- Managing Third-Party Service Providers (Carriers): While the carriers are responsible for their own PCI DSS compliance, Oneclickaway Inc. partners only with carriers that demonstrate their own commitment to security and compliance. We verify each carrier’s PCI DSS compliance status (for example, by obtaining its current Attestation of Compliance) at least annually as part of our ongoing relationship management.
5. Employee Training and Awareness
All Oneclickaway Inc. employees, particularly call center agents, receive mandatory annual training on:
- This PCI DSS Policy and its implications for their roles.
- The strict prohibition against handling, storing, or transmitting credit card data.
- Recognizing and reporting potential security incidents or suspicious activities.
- The importance of directing customers to the carrier’s secure payment ecosystem.
6. Incident Response Plan
Oneclickaway Inc. maintains an incident response plan to address any suspected or actual security incidents that could potentially impact the security of our systems or indirectly affect cardholder data, even if we do not directly handle it. This plan includes procedures for:
- Detection and analysis of incidents.
- Containment, eradication, and recovery.
- Post-incident review.
- Communication with relevant parties, including the affected carrier(s) and, where the nature and scope of the incident require it, our acquiring bank and the payment brands.
7. Annual Certification
Oneclickaway Inc. completes an annual PCI DSS assessment every January and attests to its compliance. This process confirms our continued adherence to the applicable PCI DSS requirements. We maintain all necessary documentation, including our Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC), to demonstrate our compliant status.
8. Jurisdiction
This PCI DSS Policy is drafted in accordance with the Payment Card Industry Data Security Standard (PCI DSS) and is applicable under the jurisdiction of the United States of America. We are committed to complying with all relevant federal and state laws that may indirectly impact our security practices related to cardholder data.
9. Contact Information
For any questions or concerns regarding this PCI DSS Policy, please contact us:
Oneclickaway Inc.
SKS Building, 39829 Paseo Padre Parkway, Fremont, CA 94538, USA
Phone: (689) 241-6305
Email: Compliance@oneclickaway.co
