Information Security Policy
The Company handles sensitive cardholder information daily. Sensitive Information must have adequate safeguards in place to protect the cardholder data, cardholder privacy, and to ensure compliance with various regulations, along with guarding the future of the organisation.
The Company commits to respecting the privacy of all its customers and to protecting any customer data from outside parties. To this end management are committed to maintaining a secure environment in which to process cardholder information so that we can meet these promises.
A high-level network diagram of the network is maintained and reviewed on a yearly basis. The network diagram provides a high-level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable, should also be illustrated.
In addition, external vulnerability scans (ASV scans) should be performed and completed by a PCI SSC Approved Scanning Vendor, where applicable. Evidence of these scans should be retained for a period of 18 months.
Acceptable Use Policy
Management’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to the Company’s established culture of openness, trust and integrity. Management is committed to protecting the employees, partners and the Company from illegal or damaging actions, either knowingly or unknowingly by individuals. The Company will maintain an approved list of technologies and devices and personnel with access to such devices as detailed in Appendix B.
Protect Stored Data
All sensitive cardholder data stored and handled by the Company and its employees must be securely protected against unauthorised use at all times. Any sensitive card data that is no longer required by the Company for business reasons must be discarded in a secure and irrecoverable manner. If there is no specific need to see the full PAN (Primary Account Number), it must be masked when displayed. PANs which are not protected as stated above must not be sent outside the network via end-user messaging technologies such as chat, ICQ messenger, etc.
Data and media containing data must always be labelled to indicate sensitivity level. Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to the Company if disclosed or modified. Confidential data includes cardholder data. Internal Use data might include information that the data owner feels should be protected to prevent unauthorised disclosure. Public data is information that may be freely disseminated.
Access to the Sensitive Cardholder Data
All access to sensitive cardholder data should be controlled and authorised. Any job functions that require access to cardholder data should be clearly defined. Any display of the PAN should be masked so that, at most, the first 6 and the last 4 digits are shown. Access to sensitive cardholder information such as PANs, personal information and business data is restricted to employees that have a legitimate need to view such information. No other employees should have access to this confidential data unless they have a genuine business need. If cardholder data is shared with a Service Provider (third party), then a list of such Service Providers will be maintained as detailed in Appendix C. The Company will ensure that a written agreement is in place that includes an acknowledgement that the Service Provider is responsible for the cardholder data it possesses. The Company will ensure that an established process, including proper due diligence, is in place before engaging with a Service Provider. The Company will have a process in place to monitor the PCI DSS compliance status of the Service Provider.
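As an added example that is not part of this policy, the following Python code applies the two display and messaging rules above: it masks a PAN to at most the first 6 and last 4 digits, and redacts any unmasked PAN found in outbound text (such as a chat message) while counting the violations so they can be logged. The 13 to 19 digit PAN length, the optional space or hyphen grouping and the "*" mask character are assumptions of this example.

```python
import re

# Assumptions of this example: PANs are 13-19 digits, optionally grouped by
# spaces or hyphens; "*" is the mask character.
PAN_DIGITS = re.compile(r"^\d{13,19}$")
# Candidate PANs inside free text: 13-19 digits with optional separators,
# not part of a longer digit run.
PAN_IN_TEXT = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

MAX_LEAD, MAX_TRAIL = 6, 4  # policy: at most first 6 and last 4 digits visible


def mask_pan(pan: str, lead: int = MAX_LEAD, trail: int = MAX_TRAIL) -> str:
    """Return the PAN with only the first `lead` and last `trail` digits visible."""
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_DIGITS.fullmatch(digits):
        raise ValueError("input is not a 13-19 digit PAN")
    if not (0 <= lead <= MAX_LEAD and 0 <= trail <= MAX_TRAIL):
        raise ValueError("policy allows at most the first 6 and last 4 digits")
    hidden = len(digits) - lead - trail
    return digits[:lead] + "*" * hidden + digits[len(digits) - trail:]


def redact_pans(text: str) -> tuple[str, int]:
    """Mask every candidate PAN in outbound text (e.g. a chat message).

    Returns the redacted text and the number of PANs masked, so the caller
    can send the safe version and also log or alert on the policy violation.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        count += 1
        return mask_pan(m.group(0))

    return PAN_IN_TEXT.sub(_sub, text), count


if __name__ == "__main__":
    # Constructed sample message containing a test PAN, not real cardholder data.
    safe, hits = redact_pans("Card 4111 1111 1111 1111 expires 12/26")
    print(safe, "| PANs masked:", hits)
```

A non-zero count from `redact_pans` is the signal to record the event against the sending user, since the policy treats an unmasked PAN in messaging as a violation regardless of whether the message is delivered.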