policy for security of card data - University Administration and Services

University of Oxford Finance Division
FINANCIAL POLICY
2.1.2 CARD DATA SECURITY
(RECEIPTS VIA PAYMENT CARD)
Date: 23rd December 2008
Version: 1.03
Status: Final
Author: Nick Carver
FINANCIAL POLICY 2.1.2 CARD DATA SECURITY (RECEIPTS VIA PAYMENT CARD)
TABLE OF CONTENTS                                                        Page
EXECUTIVE SUMMARY ..................................................... 3
  PURPOSE ............................................................. 3
  SCOPE ............................................................... 3
OVERVIEW .............................................................. 4
PAYMENT CARD INDUSTRY SECURITY STANDARDS (PCI SS) ..................... 6
  PCI SECURITY STANDARDS COUNCIL (PCI SSC) ............................ 6
  PCI DATA SECURITY STANDARD (PCI DSS) ................................ 6
  OVERVIEW OF PCI DSS REQUIREMENTS .................................... 6
  PCI DSS COMPLIANCE AND NON-COMPLIANCE ............................... 7
RESPONSIBILITIES ...................................................... 8
POLICY FOR SECURITY OF CARD DATA ...................................... 9
  GENERAL GUIDANCE .................................................... 9
  POLICY FOR RECEIVING OR OBTAINING CARD DATA ........................ 10
  CARD AUTHORISATION FORM ............................................ 11
  POLICY FOR TRANSMITTING CARD DATA TO REMOTE CARD TERMINALS ......... 11
  POLICY FOR PROCESSING CARD DATA THROUGH THE CARD TERMINAL .......... 12
  POLICY FOR STORING CARD DATA ....................................... 12
  POLICY FOR CARD DATA RECEIVED AND PROCESSED ONLINE ................. 13
  PROCEDURE FOR REPORTING CARD DATA IRREGULARITIES ................... 14
  CARD DATA SECURITY POLICY AND PROCEDURES REVIEW .................... 14
APPENDICES ........................................................... 15
  A. CARD DATA TO BE KEPT / TO BE DESTROYED .......................... 15
  B. CARD TRANSACTION TERMINOLOGY .................................... 15
  C. CARD TRANSACTION MAP ............................................ 16
REVISION HISTORY ..................................................... 17
REVIEW AND AUTHORISATION ............................................. 17
23 December 2008 – Version 1.03
Page 2 of 17
EXECUTIVE SUMMARY
PURPOSE
The purpose of this financial policy is to control the transmission and storage of customer
information and data received in respect of processing receipts by credit or debit card.
This policy considers how the University obtains the customer information and data and how it is
transmitted, processed, and stored.
This financial policy should be compatible, and read in conjunction, with the processes and
associated financial control framework as published on the University Finance Division website for:
- Cash and Banking
- Card transactions
Note: wherever a statement in this policy refers to ‘Card’, the statement applies to credit, debit,
charge, and procurement cards, unless specifically stated otherwise.
SCOPE
The main areas covered by this ‘card data security’ policy are:
- Receiving card data
- Transmitting card data
- Processing card data
- Storing card data
OVERVIEW
This policy deals with the controls required over the transmission, processing, and storage of all data
and information received in respect of all card receipts accepted by the University.
The management and control of data and information received in respect of cards at the University
involves departments, budgetary units, the Treasury Section and the Cashiers Office.
Key controls for controlling card data are as follows:
Receiving or obtaining card data
Card data should be received by appropriate methods only; preferably using face-to-face (chip & pin)
transactions, where the customer is present and able to enter their card details directly into the card
terminal; or via the online payments system.
Receiving card payments, where the customer is not present, is discouraged, but if it is necessary, the
preferred method is to receive the card details by phone and enter them immediately into the card
terminal.
Any card details sent by fax must only be received by Cashiers, who have a fax machine located in a
secure environment.
Card details must never be sent by email or by other electronic method, or be entered into any online
payment system other than that approved by the University.
Transmitting card data (to remotely held card terminals)
Where personal card data has to be transmitted (from order taking / receiving location to card
processing location), the card data must be recorded on ‘card authorisation forms’ and the forms
must be kept secure at all stages of the transmission.
If sending card authorisation forms to Central Cashiers, this can be either: (a) Faxed to their secure
fax OR (b) hand delivered, OR (c) sent via the University secure (cash) carrier.
Where ‘card authorisation forms’ are to be transmitted to card terminals held in departments, they
must be hand delivered or sent via the University secure carrier.
Do not transmit ‘card authorisation form’ data via email or any other electronic method, or send the
forms by internal or external post.
Storing card data
Sensitive card data must never be retained after being used for processing.
All records of card security details or authentication data must be destroyed. The bottom of the ‘card
authorisation form’, where such card details are recorded, must be cut off and shredded or destroyed
by other means.
No track data (card electronic data) must be stored.
The rest of the ‘card authorisation form’, and till rolls supporting card transactions, can be stored, as
long as they are held with access restricted to authorised personnel only.
Card data received and processed online
Only the University approved online payment facility must be used for payment by credit card
online.
EPOS systems must be compliant with PCI DSS requirements and this policy, where applicable.
Do not transmit card data over the University network.
PAYMENT CARD INDUSTRY SECURITY STANDARDS (PCI SS)
PCI SECURITY STANDARDS COUNCIL (PCI SSC)
The PCI Security Standards Council was founded by American Express, MasterCard Worldwide,
and Visa Inc (amongst others). Participating organisations include merchants, payment card issuing
banks, processors, developers and other vendors. It is a global open body formed to develop,
enhance, disseminate, and assist with the understanding of security standards for payment account
security. The Council maintains, evolves, and promotes the PCI security standards. See the PCI
Security Standards Council website for more detail.
PCI DATA SECURITY STANDARD (PCI DSS)
PCI Security Standards are technical and operational requirements set by the PCI SSC to protect
cardholder data. The standards apply to all organisations that store, process or transmit cardholder
data. The Council is responsible for managing the security standards, while compliance with the PCI
DSS is enforced by the founding members of the Council.
OVERVIEW OF PCI DSS REQUIREMENTS
The 12 requirements of PCI DSS are covered by this policy as stated below.
Requirements 1-2 Build and maintain a secure network
These sections are not covered by this policy as the University employs 3rd parties to process online
transactions securely.
Requirements 3-4 Protect cardholder data
These sections are covered by this policy and primarily state that the University should not store or
transmit card and transaction data unnecessarily. Organisations accepting payment cards are
expected to protect cardholder data and prevent their unauthorised use.
Requirements 5-6 Maintain a vulnerability management programme
As for requirements 1-2, these sections are not covered by this policy.
Requirements 7-9 Implement robust control measures / Control access to card data
These sections are covered by this policy and deal with access to card data, which should be limited
to when there is a business requirement and restricted to relevant staff only.
Requirements 10-11 Regularly monitor and test your computer networks
As for requirements 1-2, these sections are not covered by this policy.
Requirement 12 Make information security a priority
This section is covered by this policy and requires the University to create and maintain a security
policy to ensure ongoing compliance with PCI DSS, including the need to ensure that all employees
are aware of the importance of card data security.
PCI DSS COMPLIANCE AND NON-COMPLIANCE
Compliance
The PCI DSS applies to all entities that store, process and/or transmit cardholder data. It covers
technical and operational system components included in or connected to cardholder data. All
Merchants who accept or process payment cards must comply with the PCI DSS.
Non-compliance
MasterCard and Visa can impose substantial penalties for non-compliance with the PCI DSS
regulations, with further penalties for any actual data compromise. As a final resort, the Merchant
can be refused permission to process card data.
RESPONSIBILITIES
The key responsibilities in connection with the policy for card data security are given below.
Heads of Departments and Units
Heads of Departments and Units are responsible for ensuring that this policy is adhered to, in
particular the policies on:
- receiving card data
- transmitting card data
- processing card data
- storage of card data
Departmental Administrators
Department administrators must act as the Card Data Security Officer for their unit(s) where cards
are accepted for payment of goods and services or as gifts received.
As Card Data Security Officer, the departmental administrator must ensure that card data is received
and processed in accordance with this policy.
Head of Treasury
The Head of Treasury must ensure that:
- this policy is maintained, reviewed, and communicated effectively
- the cashiers office is adequately resourced and trained in the card data storage procedures
- the controls over card data are effective and secure, and regularly reviewed.
The Head of Treasury must ensure that the Head of Financial Assurance Services is advised if an
investigation of material non-compliance is required, and that incidents are escalated, where
necessary, to the Director of Finance.
Chief Cashier
The Chief Cashier has overall responsibility for ensuring this card data security policy is:
- communicated to all relevant parties
- regularly reviewed
- kept up-to-date in respect of process, procedures and internal and external regulations
- adhered to
Further detail on responsibilities
Further detail on the responsibilities of staff for each step and element of the process of receiving
payment by card can be found in the Financial Control Frameworks for ‘Cash and Banking’ and
‘Card transactions’, available on the University Finance Division website.
POLICY FOR SECURITY OF CARD DATA
This policy sets out the rules and actions to be taken to safeguard all card data received and
processed by the University.
It is important that customers’ and donors’ card data is treated as confidential and kept secure at all
times.
Card processes
This policy is to be followed in conjunction with the University card processes, which vary
according to the nature of the transaction (i.e. Customer present/not present; Department has card
terminal/uses Central Cashiers; Online).
GENERAL GUIDANCE
Preferred card data processing procedure
When setting up procedures for taking card payments, the preferred procedure is to transact card
data:
- Using face-to-face (Chip & PIN) transactions (where the customer is present and the order
  taker or sales person has a card terminal), or
- Using the Online Payments System for online stores.
Discouraged card data processing procedures
The following methods for processing card transactions, whilst acceptable, are discouraged:
- Receiving payment by card where the ‘Customer is Not Present’ (other than via the Online
  Payments System).
  Note: This is applicable whether the card terminal is with the order taker / sales person or remotely
  situated. Instances where the order is taken by phone and entered directly into the card terminal
  could be considered as an exception to this rule.
- Receiving payment by card where the order-taker does not have immediate access to a card
  terminal (i.e. where the card terminal is in a department office remote from the order taker, or
  where the Central Cashiers’ Office card terminal is used).
Prohibited card data processing procedures
The following methods for receiving and/or processing card transactions are strictly prohibited:
- Receiving card data via e-mail or any other electronic method
- Using any online payment system apart from the official University system, unless prior
  sanction is obtained from the Head of Treasury.
POLICY FOR RECEIVING OR OBTAINING CARD DATA
No card details via email or other electronic method
Do not accept customers’ card details via e-mail or any other electronic method, under any
circumstances.
Obtaining card details where customer is not present
Receiving payment by card where ‘customer is not present’ (other than via an online store) is
discouraged. However, it is recognised that customers often wish to make payments over the phone,
in which case the following procedures must be followed:
Obtaining card details by phone
The preferred method of taking card details where the customer is not present is by phone, where the
order taker has immediate access to a card terminal. In such circumstances, the order taker must enter
the card transaction directly into the card terminal.
Alternatively, if the order taker does not have immediate access to a card terminal, and the card
details therefore cannot be entered directly into the card terminal, the card details must only be
written down on a ‘card authorisation form’ (see below).
Card details entered directly where customer and card terminal present
Where the customer is present and the order taker or sales person has a card terminal, it is essential
that customers enter their PIN (Personal Identification Number) into the card terminal unobserved.
The customer’s PIN or other card details must not be written down, electronically copied, or
otherwise obtained or recorded.
Obtaining card details in other circumstances
In certain other cases, card details may be taken as follows:
- By post, on an order form, in which case the details should be immediately transferred to a
  ‘card authorisation form’, and removed from the order form and destroyed (see below)
- By fax, in which case the faxed card details should only be received by Cashiers.
CARD AUTHORISATION FORM
Complete the ‘Card Authorisation Form’
A card authorisation form must be completed where the transaction cannot be processed
immediately:
If the customer is not present, and the order taker does not have access to a card terminal, this
should be in accordance with the process ‘the receiving department or unit does not have a card
terminal - Customer not present’.
WARNING: This rule and associated process also apply where the receiving department or unit has
a card terminal, but it is remote from the order-taker.
If the customer is present, but there is not a card terminal available for use at the time of the
transaction, a card authorisation form must be completed in accordance with the process ‘the
receiving unit does not have a card terminal - Customer present’.
Do not write down customer card details anywhere other than on the ‘card authorisation form’.
POLICY FOR TRANSMITTING CARD DATA TO REMOTE CARD TERMINALS
Send the ‘Card Authorisation form’ to the card processor
Where the receiving department or unit has a card terminal that is remote from the order taker or
sales person, the card authorisation form must be completed and passed straight away, and only, to
the section which holds the card terminal, as soon as possible after taking card payment instructions
from the customer.
Where the receiving department or unit does not have a card terminal, the card authorisation form
must be completed and passed straight away, and only, to Central Cashiers, as soon as possible after
taking card payment(s).
In all circumstances, the data must be held securely at all times i.e. not left in an unattended in-tray,
or where any unauthorised person can access the information.
Forms should be transmitted as follows:
Fax the ‘Card Authorisation Form’ to the card processor
The completed card authorisation form should be transmitted by fax wherever possible, but it must
only be faxed to a machine in a secure area to which the card processor has access.
Note: Currently only the fax in Central Cashiers has been designated as secure enough to receive
card data.
Where ‘Card Authorisation Form’ not sent by fax
Card Authorisation Forms can be hand delivered or alternatively transmitted to the card processor by
the Cash Collection company, in the same way as cash is sent to the Cashiers for banking.
Do not transmit the completed ‘card authorisation form’, or any other customer card details,
via e-mail, any other electronic method, or by external or internal post, under any circumstances.
POLICY FOR PROCESSING CARD DATA THROUGH THE CARD TERMINAL
Processing card authorisation forms through the card terminal
Upon receipt of the card authorisation form(s), they should be checked for completeness, and where
applicable, the card transactions should be processed immediately through the card terminal by the
card processor, whether at a department/unit’s site, or by Central Cashiers.
Incomplete Card Authorisation Forms
Where the card authorisation form is not complete, the originator should be contacted for the missing
detail. Cashiers will refer back to the originating Department for the required information.
Failed card terminal processing
Where the card terminal transaction fails to complete successfully, the originator and the cardholder
must be notified, and alternative payment must be sought. Cashiers will refer back to the originating
Department for instructions.
POLICY FOR STORING CARD DATA
Destroy card security details
Card security details, or Authentication data, such as the 3-digit security code, card verification
codes (CVC), and any other authentication data must be permanently deleted (cut off the foot of the
‘card authorisation form’ and destroyed) immediately after successful processing of the card details.
Card security details must never be stored in any computer application system at the University
(EPOS, Financial, HR, etc).
Note: When destroying the card security details, they should be crosscut shredded, incinerated, or
pulped.
Destroy the card security details (where not the card processor)
When the order taker, sales personnel, or dispatcher of the ‘card authorisation form’ has confirmed
with the card processor that the transaction has been processed successfully, they must destroy any
record they have of the card details.
Track data
No track data (i.e. information held on the magnetic strip and/or chip of a card) should be stored
under any circumstances.
Card data storage
The rest of the ‘card authorisation form’ (excluding the 3-digit security code) must be stored
securely in an access-restricted cupboard, filing cabinet, or safe.
Access must be granted only to relevant staff.
Note: Requirement 9 of the PCI DSS (see above) requires that the University “Restrict physical
access to the storage area where the cardholder data is kept.”
Till rolls
EPOS/Till rolls may include the customer card number (or partial card number), and must be stored
securely in accordance with the storage of the ‘card authorisation form’ above.
No other card data stored
No other records of customers’ card details (e.g. a database or spreadsheet incorporating customer
card information) are to be kept.
POLICY FOR CARD DATA RECEIVED AND PROCESSED ONLINE
The University has a secure online payment facility supplied by a 3rd party secure host. This host is
fully PCI DSS compliant. It is recommended that any Department wishing to take payments online
should use this facility, whereby goods and services can be sold online, and all payments are
collected and processed securely.
Any alternative online payment system must be sanctioned in advance by the Head of Treasury.
Departments must not arrange for web sales etc, set up web shops or online stores without prior
approval.
Refer also to the controls for web sales shops.
EPOS and PCI DSS requirements
All EPOS systems used by University departments must be compliant with PCI DSS requirements
(see above).
EPOS systems
Departments or units, who have EPOS systems, (or departments / units considering purchasing an
EPOS system), should refer to cashiers for advice.
Do not transmit card data using the University’s network
Do not use the University’s network for taking internet/web payment by card, nor must card details
be accepted via e-mail, or any other electronic media, as the University network is not secure for this
purpose.
PROCEDURE FOR REPORTING CARD DATA IRREGULARITIES
Reporting non-compliance or irregularities
Any non-compliance with the policies in this document, or any other irregularities detected in
respect of card data or the use of cards, must be reported immediately to the Chief Cashier.
Reporting to the Acquiring Bank
The University staff member receiving or processing the card details, or the Chief Cashier must
report any irregularity concerning the failure of a card to process, or any other suspicious activities
by the cardholder, to the acquiring bank.
The police must also be informed if there is reason to believe a crime may have been attempted or
committed.
Reporting to Financial Assurance Services
With agreement from the Head of Treasury, the Chief Cashier will report, or submit for consultation,
the non-compliance, or irregularity to Financial Assurance Services in accordance with
circumstances.
Escalation reporting procedure
With agreement from the Head of Treasury, the Chief Cashier may escalate the reported
non-compliance or irregularity to the Director of Finance, depending on the circumstances.
CARD DATA SECURITY POLICY AND PROCEDURES REVIEW
Review departments’ card data security procedures
All departments which have card terminals or EPOS systems should be visited at least once a year
by a member of the Central Cashiers’ Office, to:
- stress the importance of complying with the Card Data Security policy,
- review their card data receiving, transmitting, processing and storage procedures,
- give advice on how to correct deficiencies.
Compliance Certificates
Departments receiving card data or processing cards must sign a compliance certificate every 6
months. In addition, where the department uses the Central Cashiers’ Office to process payments by
card, they must also complete and sign a ‘Request for Card processing form’.
Policy review
This card data security policy should be regularly reviewed and kept up-to-date in line with changes
to regulations.
Advice on cash and banking
For further advice on card data security, and on cash and banking, contact Central Cashiers' office.
APPENDICES
A. CARD DATA TO BE KEPT / TO BE DESTROYED
The following customer card data must never be known or written down by University personnel:
- Personal Identification number (PIN)
- Card stripe data
The following customer card data must not be retained by University personnel, and must be
destroyed, immediately after processing the card transaction:
- Card verification code (CVC)
- Authorisation code (3 digit security code)
The following customer card data may be retained by the University under the Data Protection Act,
but only if there is a defined business need to do so:
- Type of card (Visa/Mastercard/etc)
- Card number
- Expiry date
- Start date
- Name of Card holder
B. CARD TRANSACTION TERMINOLOGY
Card data terminology is used in this policy document. Brief explanations of the most important of
these are given below. Refer also to the Card Transaction Map in Appendix C.
Card terminal
‘Card terminal’ is the official terminology for the hand-held or desktop terminal, into which a card is
inserted, and together with the entry of the customer’s personal identification number (PIN) submits
the transaction for validation and processing.
Acquiring bank
The acquiring bank issues Merchant Accounts and Card terminals, collects the card payments and
authorises or declines the card transactions.
Merchant
The merchant or retailer is the card processor, which, when referred to in this policy, is always the
authorised personnel or units of the University of Oxford.
C. CARD TRANSACTION MAP
[Figure: diagram of the parties involved in a card transaction and the two routes a transaction can
take. The labels recoverable from the diagram are listed below.]
Parties shown on the map:
- VISA/MASTERCARD: provide payment system; global companies who manage credit cards.
- CARD ISSUERS: banks across the world; issue cards that use the system/network.
- ACQUIRING BANK (e.g. Barclays Merchant Services): issue merchant account IDs;
  authorise/decline transactions; collect payments; pay money into Retailer bank account.
- MERCHANT/RETAILER: issued a merchant account ID by Acquiring bank, subject to status.
- ONLINE MERCHANT: needs a merchant account, but as Acquiring Bank will not accept
  information from the merchant via the internet, needs to use an approved Payment Service
  Provider (PSP).
- PAYMENT SERVICE PROVIDER (e.g. Barclays Epdq, Realex, Netbanx): integrate e-commerce
  website with international credit card networks so that transactions can be authorised and
  payment collected.
- 3rd PARTY SECURE HOST (e.g. WPM): provide secure payment screens and server for
  transmitting data to Payment Service Provider (PSP).
Route of a 'normal' credit card transaction (numbered steps on the map):
1. Transaction for authorisation
2. Transaction via network
3. Request authorisation
4. Provide authorisation
5. Confirmation of authorisation
6. Settles the transaction
Route of a University online transaction (lettered steps on the map):
A. Item purchased online
B. Secure transmission
C. Transaction via network
D. Request authorisation
E. Provide authorisation
F. Confirmation of authorisation
G. Agrees transaction & collects funds
H. Settles the transaction
REVISION HISTORY
Version  Date         Author       Description of Revision
0.01     28-Aug-2008  Nick Carver  Original draft
0.02     24-Sep-2008  Nick Carver  After discussion with Chief Cashier
0.03     14-Oct-2008  Nick Carver  After review by the Chief Cashier
0.04     24-Oct-2008  Nick Carver  After aligning with process
1.00     04-Nov-2008  Nick Carver  Final for authorisation and publication
1.01     19-Nov-2008  Nick Carver  Minor amendments
1.02     05-Dec-2008  Nick Carver  Executive summary added plus a few minor amendments
1.03     23-Dec-2008  Nick Carver  Reviewed by HO Treasury
REVIEW AND AUTHORISATION
This Financial Policy for the storage of card data has been reviewed, and is confirmed as correct and
compliant with the University’s financial controls, by:
BARRY PEMBERTON, Head of Financial Assurance Services
This Financial Policy is authorised as a policy, supporting the Treasury Management Policies,
Process Controls and Financial Regulations, by:
STEVE HOWARTH, Treasurer