Terms and Conditions / Privacy Policy
 
 
 
 
 
 

Terms and Conditions

Registered Office: Sandown Court, Station Road, Glenfield, Leicester LE3 8BT. Cheapestprintonline.co.uk shall be referred to from now on, for the purpose of these terms and conditions, as 'CPO'.

Acceptance of orders - a) CPO contracts for the supply of goods and/or services only subject to these terms and conditions and all terms and conditions in the customer's order or enquiries inconsistent therewith shall be of no effect.

b) The terms and conditions herein shall constitute the entire agreement between CPO and any modification to these conditions will be binding only if it is evidenced in writing signed by a director of CPO and such evidence contains specific reference to those conditions being modified.

c) Acceptance of the customer's order takes place when an order confirmation - website order/email/fax/written/verbally is despatched/conveyed to the customer, or preliminary work is undertaken on the customer's instructions. All turnaround times and delivery dates are estimated and cannot be guaranteed due to the nature of manufacturing (i.e. machine failure, staff sickness etc.) and CPO cannot therefore be held liable for any delay in meeting the agreed delivery schedule, out of pocket expenses or any other claim.

d) We reserve the right to decline any order without giving any reason.

Currency - Payment for accepted orders must be in the currency agreed on the order confirmation or other written communication sent to the customer from ourselves detailing the order - fax/written/email. Without this written notification pounds sterling must be assumed.

Disclaimer - CPO disclaims to the maximum extent permitted by law all representations, warranties (express or implied) regarding products, services, quantities, pricing, graphics, software, information, published on our web site, in our buying guides or in any other form or location. Data is constantly updated and therefore is not necessarily accurate, current or complete. Provision of the products, services, software, information is on an "as is" basis. In particular CPO disclaims without limitation, warranties of merchantability, fitness for purpose or non-infringement.

Tax - Value added tax will be charged, if applicable, at the rate ruling on the date of supply whether or not included on the quote, order, invoice.

Preliminary work - All work carried out, whether experimentally or otherwise, at customer's request shall be charged.

Supply of design data - A charge may be made to cover any additional work involved where the design data supplied or specified is not clear, legible, or in the prescribed format/specification to produce satisfactory results. Where design data is so supplied or specified, responsibility will not be accepted for imperfect work caused by defects in the supply, format or specification. In addition, you agree that all material uploaded by you onto our site will be done at your own risk and you must not upload any material that will breach any third party rights to such material unless you have their express consent. We have the right to disclose your identity to any third party claiming that any material uploaded by you to our site constitutes a violation of their rights, or is unlawful, pornographic or defamatory to third parties. You must retain a copy of all material you upload. We expressly exclude all liability for any uploaded material which is lost or damaged during or after the uploading process. This includes any incompatibility or defects caused by differing software versions/conflicting operating systems. All compatibility issues should be addressed by the customer to CPO before proceeding with the order. This also applies to incorrect colour formats being provided by the customer (i.e. supplying full colour design but only ordering black and white print or the use of pantone colours when only CMYK print is used).
Any issues not addressed by the customer will not be the responsibility of CPO should the final order not meet the customer's satisfaction. Where we are aware defects in the data are so severe and cannot be remedied we will halt further processing awaiting your instructions. The work to this point will be chargeable (i.e. if design is approved but the final product is refused for any reason, the design is deemed still chargeable).

Proofs - When placing an order with CPO, you are agreeing that you have read and understood the 'How to supply Artwork' page on our website. If you upload a file to our website, you are shown a proof of your final printed product at the final upload stage. You have the option here to either approve your proof or click the button 'i am struggling....'. If you approve the proof we will print your file as the proof is displayed on screen. If you choose the wrong size or orientation here, your image may appear correct on your preview but could end up printed cropped, wrong size, upside down or have an incorrect quantity (i.e. half as many at a larger size) (please note: your monitor or viewing device will display your proof in RGB, your final printed product is printed in CMYK which will differ slightly to the RGB screen proof). We will not be held responsible for any errors reported after approval of artwork - this is the responsibility of the customer to ensure their artwork is provided correctly (i.e. colour make-up, fonts used, safe areas etc). Artwork created by ourselves remains the property of Cheapestprintonline, although the customer is entitled to a print quality .pdf file for reprint purposes.

Archived Designs - Due to the volume of files processed by CPO, we do not store any files uploaded/provided to us longer than 5 working days. Any orders left outstanding by the customer after 90 days (i.e. incomplete artwork or missing print files) will be cancelled and the paid print slot will be allocated to one of our chosen charities. No refund will be given.
We make no guarantee that such files will be available for retrieval at any time.

Copyright - Unless negotiated and agreed in writing, the copyright of General Artwork, Commissioned Artwork and Illustrations belongs to CPO, except where the whole printed product design is uploaded, transferred to us by the customer or designed by the customer. The customer shall be responsible for all the design data they supply. He/she should obtain the necessary authority to reproduce picture, artwork, photographs, logos etc. The customer is also responsible for including any relevant watermarks/disclaimers or copyright within their design. The customer will indemnify us and our agents from any claim arising thereof.

Delivery and payment - Should we fail to despatch within the agreed schedule, it is up to the discretion of CPO as to whether it sees fit to issue compensation in the way of increasing the order quantity at no extra charge or issuing any amount of refund. CPO uses a third party for all delivery services, and as such cannot be held directly responsible for any damages during transit, delay in meeting the agreed delivery schedule, or loss of order. In such an event, CPO will not be held liable for any damages or costs incurred, but will pass the details of the third party courier used onto the customer, so that the customer can then pursue the matter.

(a) Delivery of work shall be accepted when tendered and thereupon or, if earlier, on notification that the work has been completed the ownership shall pass and payment shall become due.

(b) Should expedited delivery be agreed, extra may be charged to cover any overtime or any other additional costs involved.

(c) Should work be suspended at the request of or delayed through any default of the customer for a period of 14 days we shall then be entitled to payment for work already carried out, materials specially ordered and any other additional costs including storage.

(d) Please only sign for the delivery of your order if it is complete and in good condition, as you are signing in acceptance of the above. Any shortages, damage or claims cannot be made after this time.

(e) Should the customer place multiple orders for the same required despatch date, we reserve the right to consolidate those orders in as many or as few boxes as we deem necessary, regardless of the multiple postage costs incurred by the customer.

(f) Should the incorrect delivery option be chosen on checkout, we reserve the right to withhold the order and refund only the delivery charge until the correct delivery costs are paid. Should the correct delivery charges not be paid within 10 working days, we reserve the right to destroy the order with no compensation or further refund.

(g) Delivery charge is for delivery to one address and will only be delivered within the specified region (i.e. mainland UK or Scottish Highlands). Additional delivery addresses are chargeable.

Variations in quantity - Every endeavour will be made to provide the correct quantity ordered, but estimates are conditional upon margins of 5 per cent for work in black only and 10 per cent for other work being allowed for overs or shortage.

 

Quality - You accept that colour variations are inherent within the printing process for files submitted. You also understand and accept that computer hardware set-ups are such that we cannot guarantee that the Product colours will match those displayed on your computer screen during the ordering process. 'Quality of print' will obviously always be based on the quality of the file(s) supplied by the customer. Low quality artwork (low resolution, RGB/ PANTONE colours, no safe area etc.) will therefore always result in low quality print which we cannot be held responsible for.

a) Due to the nature of the printing process, we shall not be required to guarantee an exact match in colour or texture between the printed results and any proof or existing copy so supplied.
b) Due to the ink tolerances involved in the four colour printing process, slight variance in finished printed colour is inevitable.
c) Pantone spot colour matches cannot be produced using the full colour process.
d) Our presses are calibrated to ISO densities: any dispute regarding colour will not be withheld. See our 'How to supply artwork' webpage for further guidance and advice.
e) If a leaflet is to be folded by us, we will endeavour to fold to the natural layout of your design and it is usually not necessary for you to advise us of the fold type. If the fold is not obvious or deemed inappropriate, the leaflets will be despatched unfolded.
f) On rare occasions, we may need to upgrade your order to a thicker material to batch our jobs properly - we will never 'downgrade' an order but should you specifically require your chosen material, please state at the time of placing your order.

Claims or Complaints - Advice of damage, misprints, quality disputes, delay or partial loss of goods in transit or of non-delivery must be given in writing to us and the carrier within three working days of delivery (or in the case of non-delivery within 7 days of despatch of the goods). All other claims must be made in writing to us within 7 days of delivery. Any claims made outside of this timeframe can no longer be entertained.

Cancellations - Due to the manufacturing process of our print, orders cannot be cancelled once processed as a print slot is allocated on a larger printed sheet with several other orders - so even if a file is not supplied, the print run still has to go ahead. If you haven't supplied a file for print, your 'allocated slot' will still be printed but appear blank (as a bespoke manufactured product, the distance selling act does not apply).

Abusive language - A certain level of civility is expected during every telephone communication with CPO and as such any Racism, Insults, Swearing or Abusive language will not be tolerated and will result in the termination of any communication and cancellation of any outstanding orders.

Limitation of Liability - a) The sole liability of CPO in respect of any defect in, or failure of any goods or services supplied or for any shortage in the quantity of goods delivered or for any loss, injury attributable directly or indirectly thereto (other than in respect of death or personal injury) is limited to i) making good by replacement or ii) repairing defects or failures which under proper use appear therein. b) Without prejudice to the foregoing, CPO shall in no circumstances be liable - i) for any indirect or consequential loss (including without limitation loss of production, loss of profit or liability to third parties) suffered or incurred by the customer. ii) for any loss or damage in excess of the contract price for the goods or part thereof in respect of which a claim is made. We shall not be liable for any loss to the customer arising from delay in transit of their goods.

Customer's property - (a) Except in the case of a customer who is not contracting in the course of a business or holding himself out as doing so, customer's property and all property supplied to us by or on behalf of the customer shall while it is in our possession or in transit to or from the customer be deemed to be at customer's risk unless otherwise agreed and the customer should arrange insurance accordingly.
(b) We shall be entitled to make a reasonable charge for the storage of any customer's property left with us before receipt of the order or after notification to the customer of completion of the work.

Materials/data supplied by the customer - (a) We may reject any paper, plates, data, media or other materials supplied or specified by the customer which appear to us to be unsuitable. Additional cost incurred if materials are found to be unsuitable during production may be charged.

(b) Responsibility will not be accepted for imperfect work caused by defects in or unsuitability of materials so supplied or specified.

 

(c) Supplying files of imperfect quality (such as images/text with an original resolution of less than 300dpi) will be printed by CPO on the basis of 'if it is legible, it is deemed printable' and fit for purpose. CPO will not be held responsible for the customer's image quality and will not comment on resolution/quality. Should the resolution be so bad that it is not legible, the customer will be informed and the order possibly delayed. Due to our proofing process, we advise that customers only upload and approve their artwork for print from a computer based website browser as CPO will not be held responsible for the quality/content of print if approved on a device other than a computer or failure to upload the artwork, delaying the order.

(d) Due to the manufacturing process, any files provided without adequate bleed may end up with thin white slithers once cut to size for which CPO cannot be held responsible.

(e) Quantities of materials supplied shall be adequate to cover normal spoilage.

Inappropriate subject matter supplied by the customer. When a file is uploaded to our automated workflow all material is uploaded at your own risk.
We assume you have permission to upload such files and that they do not contain abusive or offensive language, content or images. The customer must take full responsibility for all files uploaded and their content and absolve us from all liability for any uploaded material that may come across as offensive in any way.

Promotions and special offers - Although not listed on certain promotions by mail or email, all promotions, coupons and special offers are only available on quantities up to 25,000. Any promotional codes or coupons used over these quantities will be null and void.

Credit terms - For invoices not settled within the agreed credit terms, we reserve the right to charge interest on the overdue debt at 2% above the HSBC Bank base rate at the time and an administration fee to cover the debt recovery costs.

Overdue Payments - If payment is not received within the agreed terms, CPO will instruct their solicitors to recover the amount due. The solicitors' costs plus a £50.00 admin charge will be added to the amount due along with any interest accrued as in section (c).

Insolvency - If the customer ceases to pay his debts in the ordinary course of business or cannot pay his debts as they become due or being a company is deemed to be unable to pay its debts or has a winding-up petition issued against it or being a person commits an act of bankruptcy or has a bankruptcy petition issued against him, we without prejudice to other remedies shall (i) have the right not to proceed further with the contract or any other work for the customer and be entitled to charge for work already carried out (whether completed or not) and materials purchased for the customer, such charge to be an immediate debt due to us, and (ii) in respect of all unpaid debts due from the customer we have a general lien on all goods and property of his in our possession (whether worked on or not) and shall be entitled on the expiration of 14 days notice to dispose of such goods or property in such manner and at such price as we think fit and to apply the proceeds towards such debts.

Illegal matter - (a) We shall not be required to print or design any matter which in our opinion is or may be of an illegal or libellous nature or any infringement of the proprietary or other rights of any third party.

(b) We shall be indemnified by the customer in respect of any claims costs and expenses arising out of any libellous matter, overprinting, finishing or modification to print supplied, or any infringement of copyright, patent, design of or any other proprietary or personal rights contained in any material printed for the customer. The indemnity shall extend to any amounts paid on a lawyer's advice in settlement of any claim.

Printing - Every effort will be made to obtain the best possible colour reproduction on customer's work but because of the nature of the processes involved, we shall not be required to guarantee an exact colour consistency throughout a quantity or an exact match in colour or texture between the customer's file provided, monitor display - local or over the internet, colour proof and the printed article. Final printed materials can vary between Litho and Digital printing processes and as such cannot be matched between them.

For operational reasons we may at times need to upgrade paper weight to the next grammage available - we will never print on a lesser weight but may upgrade the material at our discretion.

Force majeure - We shall be under no liability if we shall be unable to carry out any provision of the contract for any reason beyond our control including (without limiting the foregoing) Act of God, legislation, war, fire, flood, drought, failure of power of supply, lock-out, strike or other action taken by employees in contemplation or furtherance of a dispute or owing to any inability to procure materials required for the performance of the contract. During the continuance of such a contingency the customer may by written notice to us elect to terminate the contract and pay for work done and materials used but subject thereto shall otherwise accept delivery when available.

Law - These conditions and all other express terms of the contract shall be governed and construed in accordance with the laws of England.

Privacy Policy

 

This website is operated by CPO. We take your privacy very seriously and therefore urge you to read this policy very carefully because it contains important information on:
Who we are,
How and why we collect, store, use and share personal information,
Your rights in relation to your personal information, and
How to contact us and supervisory authorities in the event that you have a complaint.

Who we are
CPO ('we' or 'us') (trading as Cheapestprintonline) collect, use and are responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulations which apply across the European Union (including the United Kingdom) and we are responsible as 'controller' of that personal information for the purposes of those laws.

The personal information we collect and use
a) Personal information you provide to us
We collect the following personal information that you provide to us:
Name, address, telephone, email
Some examples of when we collect this information include:
When registering for an account or requesting a quote

b) Personal information you provide about third parties
If you give us information about another person, you confirm that the other person has appointed you to act on their behalf and agreed that you:
shall consent on their behalf to the processing of their personal data;
shall receive any data protection notices on their behalf; and
shall consent on their behalf to the transfer of their personal data abroad.

c) Monitoring and recording communications
We may monitor communications such as emails and telephone calls for the following purposes:
Training and quality assurance

d) Cookies and similar technologies
A cookie is a small text file which is placed onto your computer or electronic device when you access our website. Similar technologies include web beacons, action tags, local shared objects ('flash cookies') and single-pixel gifs. Such technologies can be used to track users' actions and activities, and to store information about them. We use these cookies and/or similar technologies on this website.

For example we may use cookies to monitor and/or collect the following information:
Traffic data

This information helps us to build a profile of our users. Some of this information may be aggregated or statistical, which means that we will not be able to identify you individually. In addition it should be noted that in some cases our cookies or similar technologies may be owned and controlled by third parties who will also collect personal information about you. On the first occasion that you use our site we will ask whether you consent to our use of cookies. If you do not, cookies will not be used. Thereafter you can opt-out of using cookies at any time or you can set your browser not to accept cookies and the websites below tell you how to remove cookies from your browser. However, some of our website features may not function as a result.

For further information on cookies generally visit www.aboutcookies.org or www.allaboutcookies.org.

How we use your personal information
We collect information about our users for the following purposes:
Manage your account

Who your information may be shared with
We may share your information with:
Law enforcement agencies in connection with any investigation to help prevent unlawful activity
We will not share your personal information with any other 3rd parties.

Marketing
We would like to send you information about products, services, offers, competitions and our business which may be of interest to you. Such information could be sent by post, email, telephone, text message or automated call. We will ask whether you would like us to send you marketing messages on the first occasion that you provide any relevant contact information (i.e. on purchase, signing up to a newsletter, entering a competition etc). If you do opt in to receive such marketing from us you can opt out at any time (see 'What rights do you have?' below for further information). If you have any queries about how to opt out, or if you are receiving messages you do not want you can contact us using the details provided below.

Whether personal information has to be provided by you, and if so why
The provision of the following information is required from you:
Name, address, email and phone number

This is to enable us to do the following:
For delivery
We will inform you at the point of collecting information from you, whether you are required to provide the information to us.

How long your personal information will be kept
We will hold your personal information for the following periods:
We will keep your information indefinitely
These periods are no longer than necessary in each case.

Reasons we can collect and use your personal information
We rely on the following as the lawful basis on which we collect and use your personal information:
consent
contract

Consequence of our use of your personal information
The consequence to you of our use of your personal information is:
You will be presented with adverts that suit your criteria

Keeping your information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We will also use technological and organisational measures to keep your information secure. These measures may include the following examples: user account access is controlled by a password.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. Indeed, while we will use all reasonable efforts to secure your personal data, in using the site you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that are transferred from you or to you via the internet. If you have any particular concerns about your information, please contact us using the details below.

Transfers of your information out of the EEA
We will not transfer your personal information outside of the EEA at any time.

Children and the validity of consent
Where we obtain consent from any user we will take reasonable steps to ascertain whether the user is over 13 years of age and whether the child is sufficiently informed to give valid consent. If the user is not, parental consent will be required to provide consent for the processing of any personal information.

What rights do you have?
Under the General Data Protection Regulation you have a number of important rights free of charge.
In summary, those include rights to:
fair processing of information and transparency over how we use your personal information
access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address
require us to correct any mistakes in your information which we hold
require the erasure of personal information concerning you in certain situations
receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
object at any time to processing of personal information concerning you for direct marketing
object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
object in certain other situations to our continued processing of your personal information
otherwise restrict our processing of your personal information in certain circumstances
claim compensation for damages caused by our breach of any data protection laws
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner's Office (ICO) on individuals' rights under the General Data Protection Regulations (http://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/).
If you would like to exercise any of these rights please:
email, call or write to us
let us have enough information to identify you
let us have proof of your identity (a copy of your driving license, passport or a recent credit card/utility bill)
let us know the information to which your request relates
From time to time we may also have other methods to unsubscribe (opt-out) from any direct marketing including for example, unsubscribe buttons or web links. If such are offered, please note that there may be some period after selecting to unsubscribe in which marketing may still be received while your request is being processed.

How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.

Changes to the privacy policy
This privacy policy was published on 28/05/2018 and last updated on 28/05/2018.
We may change this privacy policy from time to time. You should check this policy occasionally to ensure you are aware of the most recent version that will apply each time you access this website. We will also attempt to notify users of any changes by a notice on the website.

 

 

Security Policy

 

CPO handles sensitive cardholder information daily. Sensitive Information must have adequate safeguards in place to protect the cardholder data, cardholder privacy, and to ensure compliance with various regulations, along with guarding the future of the organisation.
CPO commits to respecting the privacy of all its customers and to protecting any customer data from outside parties. To this end management are committed to maintaining a secure environment in which to process cardholder information so that we can meet these promises.
Employees handling sensitive cardholder data should ensure:

Handle Company and cardholder information in a manner that fits with their sensitivity and classification;

Limit personal use of CPO information and telecommunication systems and ensure it doesn’t interfere with your job performance;

CPO reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;

Do not use e-mail, internet and other Company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;

Do not disclose personnel information unless authorised;

Protect sensitive cardholder information;

Keep passwords and accounts secure;

Request approval from management prior to establishing any new software or hardware, third party connections, etc.;

Do not install unauthorised software or hardware, including modems and wireless access unless you have explicit management approval;

Always leave desks clear of sensitive cardholder data and lock computer screens when unattended;

Information security incidents must be reported, without delay, to the individual responsible for incident response locally – Please find out who this is.

 

We each have a responsibility for ensuring our company’s systems and data are protected from unauthorised access and improper use. If you are unclear about any of the policies detailed herein you should seek advice and guidance from your line manager.

Network Security

A high-level network diagram of the network is maintained and reviewed on a yearly basis. The network diagram provides a high level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable should also be illustrated.

In addition, ASV scans should be performed and completed by a PCI SSC Approved Scanning Vendor, where applicable. Evidence of these scans should be maintained for a period of 18 months.

Acceptable Use Policy

Management’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to CPO’s established culture of openness, trust and integrity. Management is committed to protecting the employees, partners and CPO from illegal or damaging actions, either knowingly or unknowingly by individuals. The Company will maintain an approved list of technologies and devices and personnel with access to such devices as detailed in Appendix B.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use.

Employees should take all necessary steps to prevent unauthorized access to confidential data which includes card holder data.

Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.

All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature.

All POS and PIN entry devices should be appropriately protected and secured so they cannot be tampered with or altered.

The List of Devices in Appendix B will be regularly updated when devices are modified, added or decommissioned. A stocktake of devices will be regularly performed and devices inspected to identify any potential tampering or substitution of devices. 

Users should be trained in the ability to identify any suspicious behaviour where any tampering or substitution may be performed. Any suspicious behaviour will be reported accordingly.

Information contained on portable computers is especially vulnerable; special care should be exercised.

Postings by employees from a Company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CPO, unless posting is in the course of business duties.

Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

 

Protect Stored Data

All sensitive cardholder data stored and handled by CPO and its employees must be securely protected against unauthorised use at all times. Any sensitive card data that is no longer required by the Company for business reasons must be discarded in a secure and irrecoverable manner.

If there is no specific need to see the full PAN (Primary Account Number), it has to be masked when displayed.

PANs which are not protected as stated above should not be sent to the outside network via end-user messaging technologies such as chat, ICQ messenger, etc.

 

 

It is strictly prohibited to store:

The contents of the payment card magnetic stripe (track data) on any media whatsoever. 

The CVV/CVC (the 3 or 4 digit number on the signature panel on the reverse of the payment card) on any media whatsoever. 

The PIN or the encrypted PIN Block under any circumstance.

 

Information Classification

Data and media containing data must always be labelled to indicate sensitivity level.

Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to CPO if disclosed or modified. Confidential data includes cardholder data.

Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure.

Public data is information that may be freely disseminated.

 

Access to the sensitive card holder data

All access to sensitive cardholder data should be controlled and authorised. Any job functions that require access to cardholder data should be clearly defined.

Any display of cardholder data should be restricted, at a minimum, to the first 6 and the last 4 digits of the cardholder data.

Access to sensitive cardholder information such as PANs, personal information and business data is restricted to employees that have a legitimate need to view such information.

No other employees should have access to this confidential data unless they have a genuine business need.

If cardholder data is shared with a Service Provider (3rd party) then a list of such Service Providers will be maintained as detailed in Appendix C.

CPO will ensure a written agreement is in place that includes an acknowledgement that the Service Provider will be responsible for the cardholder data that the Service Provider possesses.

CPO will ensure that an established process, including proper due diligence, is in place before engaging with a Service Provider.

CPO will have a process in place to monitor the PCI DSS compliance status of the Service provider.

 

Physical Security

Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.

 

Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc. 

Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals. 

Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.

Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. “Employee” refers to full-time and part-time employees, temporary employees and personnel, and consultants who are “resident” on Company sites. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to physically enter the premises for a short duration, usually not more than one day.

A list of devices that accept payment card data should be maintained.

The list should include make, model and location of the device.

The list should have the serial number or a unique identifier of the device

The list should be updated when devices are added, removed or relocated

POS device surfaces are periodically inspected to detect tampering or substitution.

Personnel using the devices should be trained and aware of handling the POS devices

Personnel using the devices should verify the identity of any third-party personnel claiming to repair or run maintenance tasks on the devices, install new devices or replace devices.

 

Personnel using the devices should be trained to report suspicious behaviour and indications of tampering of the devices to the appropriate personnel.

Strict control is maintained over the external or internal distribution of any media containing cardholder data, and such distribution has to be approved by management.

Strict control is maintained over the storage and accessibility of media

All computers that store sensitive cardholder data must have a password-protected screensaver enabled to prevent unauthorised use.

 

Protect Data in Transit

All sensitive cardholder data must be protected securely if it is to be transported physically or electronically.

 

Card holder data (PAN, track data, etc.) must never be sent over the internet via email, instant chat or any other end user technologies.

If there is a business justification to send cardholder data via email or by any other mode, then it should be done after authorization and by using a strong encryption mechanism (e.g. AES encryption, PGP encryption, IPsec, etc.).

The transportation of media containing sensitive cardholder data to another location must be authorised by management, logged and inventoried before leaving the premises. Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.

 

Disposal of stored data

All data must be securely disposed of when no longer required by CPO, regardless of the media or application type on which it is stored.

An automatic process must exist to permanently delete on-line data, when no longer required.

All hard copies of cardholder data must be manually destroyed when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic cardholder data has been appropriately disposed of in a timely manner.

CPO will have procedures for the destruction of hardcopy (paper) materials. These will require that all hardcopy materials are crosscut shredded, incinerated or pulped so they cannot be reconstructed.

CPO will have documented procedures for the destruction of electronic media. These will require:

All cardholder data on electronic media must be rendered unrecoverable when deleted e.g. through degaussing or electronically wiped using military grade secure deletion processes or the physical destruction of the media;

If secure wipe programs are used, the process must define the industry accepted standards followed for secure deletion.

 

All cardholder information awaiting destruction must be held in lockable storage containers clearly marked “To Be Shredded” - access to these containers must be restricted.

 

Security Awareness and procedures

The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors.

 

Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day company practice.

Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgement form (see Appendix A).

All employees that handle sensitive information will undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they commence their employment with CPO.

All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI/DSS). 

Company security policies must be reviewed annually and updated as needed. 

 

Credit Card (PCI) Security Incident Response Plan

The Company PCI Security Incident Response Team (PCI Response Team) is comprised of the Information Security Officer and Merchant Services. The CPO PCI security incident response plan is as follows:

 

Each department must report an incident to the Information Security Officer (preferably) or to another member of the PCI Response Team.

That member of the team receiving the report will advise the PCI Response Team of the incident.

The PCI Response Team will investigate the incident and assist the potentially compromised department in limiting the exposure of cardholder data and in mitigating the risks associated with the incident.

The PCI Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.

The PCI Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future, and whether additional safeguards are required in the environment where the incident occurred, or for the institution.

 

CPO PCI Security Incident Response Team (or equivalent in your organisation):

CIO

Communications Director

Compliance Officer

Counsel

Information Security Officer

Collections & Merchant Services

Risk Manager

Information Security PCI Incident Response Procedures:

A department that reasonably believes it may have an account breach, or a breach of cardholder information or of systems related to the PCI environment in general, must inform the CPO PCI Incident Response Team. After being notified of a compromise, the PCI Response Team, along with other designated staff, will implement the PCI Incident Response Plan to assist and augment departments’ response plans.

 

 

Incident Response Notification

Escalation Members (or equivalent in your company):

Escalation – First Level:
Information Security Officer
Controller
Executive Project Director for Credit Collections and Merchant Services
Legal Counsel
Risk Manager
Director of CPO Communications

Escalation – Second Level:
CPO President
Executive Cabinet
Internal Audit
Auxiliary members as needed

External Contacts (as needed):
Merchant Provider
Card Brands
Internet Service Provider (if applicable)
Internet Service Provider of Intruder (if applicable)
Communication Carriers (local and long distance)
Business Partners
Insurance Carrier
External Response Team as applicable (CERT Coordination Center, etc.)
Law Enforcement Agencies as applicable in local jurisdiction

In response to a systems compromise, the PCI Response Team and designees will:

Ensure compromised system/s is isolated on/from the network.

Gather, review and analyze the logs and related information from various central and local safeguards and security controls

Conduct appropriate forensic analysis of compromised system.

 

Contact internal and external departments and entities as appropriate.

Make forensic and log analysis available to appropriate law enforcement or card industry security personnel, as required.

Assist law enforcement and card industry security personnel in investigative processes, including in prosecutions.

 

 

The credit card companies have individually specific requirements that the Response Team must address in reporting suspected or confirmed breaches of cardholder data. See below for these requirements.

Incident Response notifications to various card schemes 

In the event of a suspected security breach, alert the information security officer or your line manager immediately. 

The security officer will carry out an initial investigation of the suspected security breach. 

Upon confirmation that a security breach has occurred, the security officer will alert management and begin informing all relevant parties that may be affected by the compromise. 

 

 

VISA Steps

If the data security compromise involves credit card account numbers, implement the following procedure:

Shut down any systems or processes involved in the breach to limit the extent, and prevent further exposure. 

Alert all affected parties and authorities such as the Merchant Bank (your Bank), Visa Fraud Control, and the law enforcement.

Provide details of all compromised or potentially compromised card numbers to Visa Fraud Control within 24 hrs. 

For more information visit: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html

 

Visa Incident Report Template

This report must be provided to VISA within 14 days after initial report of incident to VISA. The following report content and standards must be followed when completing the incident report. Incident report must be securely distributed to VISA and Merchant Bank. Visa will classify the report as “VISA Secret”*.

Executive Summary

 

Include overview of the incident

Include risk level (High, Medium, Low)

Determine if compromise has been contained

 

Background

Initial Analysis

Investigative Procedures

Include forensic tools used during investigation

Findings

Number of accounts at risk, identify those stored and compromised

Type of account information at risk

Identify ALL systems analyzed. Include the following:

Domain Name System (DNS) names

Internet Protocol (IP) addresses

Operating System (OS) version

Function of system(s)

Identify ALL compromised systems. Include the following:

DNS names

IP addresses

OS version

Function of System(s)

Timeframe of compromise

Any data exported by intruder

Establish how the compromise occurred and its source

Check all potential database locations to ensure that no CVV2, Track 1 or Track 2 data is stored anywhere, whether encrypted or unencrypted (e.g., duplicate or backup tables or databases, databases used in development, stage or testing environments, data on software engineers’ machines, etc.)

If applicable, review VisaNet endpoint security and determine risk

Compromised Entity Action

Recommendations

Contact(s) at entity and security assessor performing investigation

 

*This classification applies to the most sensitive business information, which is intended for use within VISA. Its unauthorized disclosure could seriously and adversely impact VISA, its employees, member banks, business partners, and/or the Brand.

MasterCard Steps:

Within 24 hours of an account compromise event, notify the MasterCard Compromised Account Team via phone at 1-636-722-4100.

Provide a detailed written statement of fact about the account compromise (including the contributing circumstances) via secured e-mail to compromised_account_team@mastercard.com.

 

Provide the MasterCard Merchant Fraud Control Department with a complete list of all known compromised account numbers.

Within 72 hours of knowledge of a suspected account compromise, engage the services of a data security firm acceptable to MasterCard to assess the vulnerability of the compromised data and related systems (such as a detailed forensics evaluation).

 

Provide weekly written status reports to MasterCard, addressing open questions and issues until the audit is complete to the satisfaction of MasterCard.

Promptly furnish updated lists of potential or known compromised account numbers, additional documentation, and other information that MasterCard may request.

 

Provide findings of all audits and investigations to the MasterCard Merchant Fraud Control department within the required time frame and continue to address any outstanding exposure or recommendation until resolved to the satisfaction of MasterCard.

 

 

Once MasterCard obtains the details of the account data compromise and the list of compromised account numbers, MasterCard will:

Identify the issuers of the accounts that were suspected to have been compromised and group all known accounts under the respective parent member IDs.

 

Distribute the account number data to its respective issuers.

 

Employees of CPO will be expected to report any security-related issues to the security officer. The role of the security officer is to effectively communicate all security policies and procedures to employees within CPO and contractors. In addition to this, the security officer will oversee the scheduling of security training sessions, monitor and enforce the security policies outlined in both this document and at the training sessions and, finally, oversee the implementation of the incident response plan in the event of a sensitive data compromise.

Transfer of sensitive data policy

All third-party companies providing critical services to CPO must provide an agreed Service Level Agreement.

All third-party companies providing hosting facilities must comply with CPO’s Physical Security and Access Control Policy.

All third-party companies which have access to Card Holder information must:

Adhere to the PCI DSS security requirements.

Acknowledge their responsibility for securing the Card Holder data.

Acknowledge that the Card Holder data must only be used for assisting the completion of a transaction, supporting a loyalty program, providing a fraud control service or for uses specifically required by law.

Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.

Provide full cooperation and access to conduct a thorough security review after a security intrusion by a Payment Card industry representative, or a Payment Card industry approved third party.

 

User Access management

Access to Company is controlled through a formal user registration process beginning with a formal notification from HR or from a line manager.

Each user is identified by a unique user ID so that users can be linked to and made responsible for their actions. The use of group IDs is only permitted where they are suitable for the work carried out.

There is a standard level of access; other services can be accessed when specifically authorized by HR/line management.

The job function of the user decides the level of access the employee has to cardholder data

A request for service must be made in writing (email or hard copy) by the newcomer’s line manager or by HR. The request is free format, but must state:

 

Name of person making request;
Job title of the newcomer and workgroup;
Start date;
Services required (default services are: MS Outlook, MS Office and Internet access).

Each user will be given a copy of their new user form to provide a written statement of their access rights, signed by an IT representative after their induction procedure. The user signs the form indicating that they understand the conditions of access.

Access to all CPO systems is provided by IT and can only be started after proper procedures are completed.

As soon as an individual leaves the Company employment, all his/her system logons must be immediately revoked.

As part of the employee termination process HR (or line managers in the case of contractors) will inform IT operations of all leavers and their date of leaving.

 

Access Control Policy

Access Control systems are in place to protect the interests of all users of CPO computer systems by providing a safe, secure and readily accessible environment in which to work.

The Company will provide all employees and other users with the information they need to carry out their responsibilities in as effective and efficient a manner as possible.

Generic or group IDs shall not normally be permitted, but may be granted under exceptional circumstances if sufficient other controls on access are in place.

 

The allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root access) shall be restricted and controlled, and authorization provided jointly by the system owner and IT Services. Technical teams shall guard against issuing privilege rights to entire teams to prevent loss of confidentiality. Access rights will be accorded following the principles of least privilege and need to know.

Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms fail or are absent.

Users electing to place information on digital media or storage devices or maintaining a separate database must only do so where such an action is in accord with the data’s classification.

Users are obligated to report instances of non-compliance to the CPO CISO.

Access to CPO IT resources and services will be given through the provision of a unique Active Directory account and complex password.

No access to any CPO IT resources and services will be provided without prior authentication and authorization of a user’s CPO Windows Active Directory account.

Password issuing, strength requirements, changing and control will be managed through formal processes. Password length, complexity and expiration times will be controlled through Windows Active Directory Group Policy Objects.

Access to Confidential, Restricted and Protected information will be limited to authorised persons whose job responsibilities require it, as determined by the data owner or their designated representative. Requests for access permission to be granted, changed or revoked must be made in writing.

Users are expected to become familiar with and abide by CPO policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.

Access for remote users shall be subject to authorization by IT Services and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be permitted to any network device or networked system.

Access to data is variously and appropriately controlled according to the data classification levels described in the Information Security Management Policy.

Access control methods include logon access rights, Windows share and NTFS permissions, user account privileges, server and workstation access rights, firewall permissions, IIS intranet/extranet authentication rights, SQL database rights, isolated networks and other methods as necessary.

A formal process shall be conducted at regular intervals by system owners and data owners in conjunction with IT Services to review users’ access rights. The review shall be logged and IT Services shall sign off the review to give authority for users’ continued access rights.

 

Contacting us
If you have any questions about the terms and conditions, the policies outlined above, or the information we hold about you, please contact us by:
e-mail: Hello@cheapestprintonline.co.uk
post:
Cheapestprintonline, Sandown Court, Glenfield, LE3 8BT
or
telephone: 0116 287 7989
Calls will be answered at the following times:
Monday to Friday 9am-5pm
We may record calls for quality and training purposes.


 

 
     
   