IT Procedures
Mister IT Process Resources: User Guides and Procedure Documentation
-
PCI DSS Security Brief
PURPOSE

The Payment Card Industry Data Security Standard (PCI DSS) was created to keep customers’ credit card data secure. At Mister Car Wash, where an average of 50% of our customers pay with credit cards, being PCI compliant is critical to our business. When we are PCI compliant, we:

- Respect our customers’ privacy
- Agree to protect their personal reputation
- Uphold our reputation as an honest company with good business practices

It is your responsibility to understand and follow the PCI requirements as outlined in this document.

PASSWORDS

- DO NOT share your passwords to the POS system.
- Notify your Regional Manager or Mister IT if you suspect any unauthorized use of passwords.
- Update your password quarterly.

IT CABINET

IF YOUR IT CABINET LOCKS:

- Keep the cabinet LOCKED and secure the key in the safe.
- Maintain a log book and record every time the cabinet is unlocked and accessed. The log should indicate date, time, and purpose of access.

IF YOUR IT CABINET DOES NOT LOCK:

- Keep the room where the cabinet is stored LOCKED at all times.
- Maintain a log book and record every time the room is entered. The log should indicate date, time, and purpose of entry.

- Limit access to this area to authorized personnel only. If it becomes necessary for a non-employee to enter this area, they must sign a visitor log sheet indicating date, time, and purpose of access. Be sure to verify the identity of visitors before allowing them access.
- Change the safe combination and store password at every change in management personnel.

POS EQUIPMENT

- Regularly inspect credit card readers, POS equipment, computers, and devices on the point-of-sale network to make sure that they have not been tampered with.
- Report to IT immediately if you see any unauthorized devices attached to computers or devices on the point-of-sale network. Unauthorized devices include, but are not limited to, computers, laptops, and portable data storage devices, including cell phones.
- Keep keys to express payment terminals (XPTs)/kiosks, gates, or gas pumps with credit card readers in a secured location.
- Maintain a log with the asset tag number for all portable credit card devices, including those built into a portable computer, at your location. Any variance in asset tag numbers must be promptly reported to Mister IT.
- DO NOT install, replace, or return any POS equipment unless you have first verified with Mister IT.
- Watch for virus or other computer malware alerts or suspicious computer activity. Report alert messages or anything suspicious to Mister IT.
- DO NOT attach any portable data storage devices/media, including cell phones, to the point-of-sale network or computers.

VIDEO SURVEILLANCE

- Make sure that you have a security camera positioned to view the POS IT security cabinet door or the door to the locked room where the POS system is housed, as well as each area where credit card transactions take place (e.g., lobby registers, outdoor registers, etc.).
- Check the cameras regularly to verify they are all functioning.

SECURITY ACCESS

- Maintain tight control over security access cards:
  - Make sure no managers share a card.
  - Employees must turn in their access card immediately upon termination.
- Immediately set the status of all terminated employees to “inactive” on the POS.
- Restrict access to cardholder data on a business need-to-know basis. Limiting the number of personnel that have access to cardholder data will lessen the chances of a security breach.

CREDIT CARDS

- NEVER write down or record credit card numbers, expiration dates, or PINs other than to enter a card directly into a POS terminal.
- Do not type credit card data into a notes or comment field.
- Secure lost or forgotten cards in the locked safe.
- Shred and properly dispose of lost or forgotten cards if they are recovered within 14 days.

REVISION HISTORY

| Revised Date | Revised By | Revisions |
| 02/12/2017 | Terri Hale | Document created |
| 05/10/2019 | Laruen Babson | Updated to reflect requirements. Removed signature line - will track compliance in Mister Learn |
| 06/15/2019 | Lucas Shippers | Updated language and format |
| 10/17/2024 | Andrew Poskey | Moved to Fresh |
| 3/13/2025 | Andrew Poskey | Updated title formatting |
-
How to request upgraded system access
PURPOSE

This document outlines the steps to follow when managers need to request access beyond the standard permissions for the following applications:

- Active Directory Admin - Information Technology
- Dayforce - Human Resources Information System
- Hotshop - Supply Chain and Ordering
- Inspyrus - Accounts Payable and invoice services
- Jira - Project Management system for Accounting
- Oracle ERP - Corporate accounting platform
- Planful - Financial Planning and Analysis (FP&A) Platform
- ServiceNow - Accounting and finance close processes
- Visual Lease - Leased asset management system

IMPORTANT: Only Managers can submit a request for increased/upgraded access.

PROCESS

Managers will need to request access via the Mister Service Desk. Once the request is submitted, the application owner will receive a notification and approve or deny the request. If the application owner approves the request, the application administrator will grant access. If the request is denied, a notification will be sent to the manager informing them of the denial.

NOTE: Only managers can submit a request for access. Non-managers will need to have their manager submit a request for them using the Mister Service Desk.

Submitting a Request

1. From Mister Connect, click "IT".
2. On the IT Connect page, click "Step 3: Submit a Ticket".
3. Click "Request Elevated Access".
4. Select the application you are requesting elevated access to.
5. Fill out the form as it is listed; be as detailed as you can.
   NOTE: All fields are required except for attaching a file.
   TIP: If you would like to upload a more detailed explanation for the request, save the explanation to a Word document and attach it to the request using the Add Attachment link.
6. When you have filled out the form completely, click "Place Request" in the bottom right corner.

HISTORY

| Revised Date | Revised By | Revisions |
| 1/29/2025 | Matt Jessee | Created Document |
| 1/30/2025 | Andrew Poskey | Updated formatting and published |
| 3/13/2025 | Andrew Poskey | Updated title and content formatting |
-
How to return IT equipment process
PURPOSE

When an HQ or regional employee is terminated, they will return their equipment to Mister IT by following the process outlined in this document.

NOTE: This process does not apply to Customer Care Specialists.

PROCESS

Remote Employees

1. Manager opens ticket with Mister IT and includes the following:
   - Terminated employee's name
   - Personal email
   - Home address
   - Termination date
2. Mister IT sends the employee or local manager a call tag label.
3. Employee or local manager completes equipment checklist below and returns equipment to Mister IT via FedEx.

In-Office Employees

1. Manager opens ticket with Mister IT and includes the following:
   - Terminated employee's name
   - Personal email
   - Home address
   - Termination date
2. Manager completes equipment checklist below and collects equipment.
3. Manager schedules the equipment return with Mister IT. To schedule an equipment return use this LINK

Equipment Checklist

Remote employees will return everything on the checklist. In-Office employees may leave their docking station, monitors, and cables at their desk.

| Quantity | Equipment | Image | Confirmed |
| 1 | Microsoft Surface - Laptop or tablet | | |
| 1 | Power supply for Microsoft Surface | | |
| 1 | Microsoft Surface docking station | | |
| 2 | ViewSonic Monitors | | |
| 2 | Monitor Cables | | |