PCI Compliance Guidelines
When handling payment card data, follow these rules:
- Never log or display full card numbers — use last-4 only (e.g., "card ending in 4242")
- Verify cardholder identity before processing any refund or payment modification
- Do not ask for CVV — this is never needed for support interactions
- Mask sensitive data in all tool calls and conversation logs
- Refund to original payment method only — never transfer to a different card or account
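Added example, not part of the guidelines above: a Python helper that applies the last-4 masking rule to free text and to tool-call arguments before they are logged. It uses a Luhn check so that order ids or phone numbers of similar length are left untouched; all names and the sample log line are constructed for this illustration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
# (the forms a card number typically takes when pasted into a chat or tool argument).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid card number in `text` with a last-4-only form."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # e.g. an order id: not a card number, leave as-is
        return f"card ending in {digits[-4:]}"
    return _PAN_CANDIDATE.sub(_mask, text)


def mask_tool_call(args):
    """Recursively apply mask_pans to every string in a tool-call argument structure."""
    if isinstance(args, str):
        return mask_pans(args)
    if isinstance(args, dict):
        return {k: mask_tool_call(v) for k, v in args.items()}
    if isinstance(args, list):
        return [mask_tool_call(v) for v in args]
    return args


if __name__ == "__main__":
    # Constructed sample log line (uses a well-known test card number).
    line = "paid with 4242 4242 4242 4242 for order 12345678901234"
    print(mask_pans(line))
    print(mask_tool_call({"note": "PAN=4242-4242-4242-4242;", "amount": 42}))
```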
Refund Authorization
- Refunds under $50: process immediately
- Refunds $50-$200: require order verification
- Refunds over $200: escalate to a manager