
Information Security Policy

Updated on January 17th, 2022

Due’s PCI Compliance Policy

Due’s PCI compliance policy applies to anyone with access to credit card information and to anyone who shares such data with the company. This includes everyone at Due, including outsourced staff and third-party vendors.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. The PCI Security Standards Council (PCI SSC) is made up of a number of payment brands and maintains the requirements for protecting payment data.

These requirements set standards for many areas, including network architecture, security management, and software design. The resulting policies and procedures protect data from vulnerabilities and help prevent credit card fraud. The standards apply to any organization that stores, processes, or transmits credit or debit card data.

Entities Affected by this Policy

Within Due, those impacted include any department that collects, maintains, or accesses credit card or debit card data, including IT, marketing, sales, and accounting. Other members of the Due team who coordinate the integration with PayPal, as well as any third-party vendors that could store any type of financial data, are also subject to PCI compliance.

Definitions Related to PCI Compliance

There are numerous terms used within Due’s PCI Compliance policy that are critical to understand in order to determine what is involved with this type of regulated framework:

  • Credit Card Data: Sensitive information found within credit card data includes the cardholder’s name, the expiration date, the full magnetic stripe, the primary account number, and the service code.
  • Financial Data Manager: The Financial Data Manager (FDM) is in charge of managing the PCI policy and ensuring compliance throughout the organization.
  • Merchant Account: This is an account that provides a way to accept credit card and debit card transactions in conjunction with a bank account.

PCI Compliance Levels

There are four levels of PCI compliance, tied to the annual volume of credit card and debit card transactions. Each company is assigned a level every year, and that level determines what the company must go through in order to be validated. Level one is the most stringent and Level four the least stringent. Based on its number of annual credit card and debit card transactions, and the fact that Due has never experienced a breach, Due is classified as Level four. [change if different level].

PCI Policy

The PCI policy is intended to provide information for everyone at Due with access to credit and debit cards, the data from those cards, and the systems that process that data. It is also designed to provide the framework needed to ensure that the PCI-DSS is followed in every decision and action taken by anyone in the organization. Any failure to comply with this policy is considered gross misconduct and may result in disciplinary action, up to and including removal from the company.

General:

System users shall not send any confidential data related to debit or credit cards through unencrypted end-user messaging technologies such as instant messaging or email without using an approved encryption solution. If no encryption solution is available, these methods cannot be used to send the data. Employees, third parties, and contractors are not allowed to store or access any of this data through any personal or removable device, such as a personal tablet or laptop, PDA, iPod, memory stick, modem, wireless technology, or remote access technology.

None of this confidential data can be stored on any type of hard drive or other mobile media unless the organization has confirmed that the media is encrypted and approved for that purpose. Everyone at Due, including third parties and contractors, is responsible for Due’s assets, especially confidential data, and must immediately report anything suspicious or any breach to the person in charge of information security.

Credit Card Handling:

Failure to protect credit and debit card data leads to fines, litigation, and loss of reputation. It could also cost Due the ability to take payments by debit and credit card, which would inhibit Due’s business. No one at Due can handle cardholder data, which includes the primary account number, issue and expiration dates, cardholder’s name, and the card verification value on the back of the card, unless authorized to do so. Cardholder data should only be handled in the way set out for that particular role within the organization.

This information should never be written down on paper or stored anywhere such as a spreadsheet or database, even if encrypted. Cardholder data should not be printed except for a legitimate reason such as a chargeback letter, exceptions report, or fraud document. Additionally, no cardholder data should be left on a desk, screen, email, fax machine, or printer, or in a temporary location such as a computer’s trash folder. After the transaction has been authorized or the case handled, all of this information should be destroyed and not retained in any form. Credit and debit card data is considered confidential and should be maintained in that manner.

An exception may be something unusual such as a telephone recording in which a customer has provided their cardholder details; in that case the recorded call should be edited to remove this information. Any issue should be reported immediately to the person in charge of information security at Due.

PCI-DSS Cardholder Data Management:

Due has four levels of data classification. Public data includes any content on the website or otherwise offered to the public; it does not require any specific protection. Internal use data is information that can be shared within the company and with third-party members and contractors; it has no restrictions on its content. Restricted use data is information available only to those granted access through a valid login, to ensure there is no unauthorized access.

Confidential data is any sensitive information such as cardholder data, intellectual property, and unpublished company content, as well as any other information that could be used against the company. All such information must be marked confidential and have restricted access controls assigned, granting access only to those who have been issued such capabilities. This information cannot be shared or transferred to anyone who has not been given access to that confidential data.

Payment card data cannot be stored within Due, including information kept for correspondence. Any such data must be destroyed once the retention period requirements have been met.

Physical Security:

All devices must be checked periodically to ensure that there has been no tampering or substitution. Personnel will be trained to identify suspicious behavior and to report any device tampering or substitution. All personnel must watch for suspicious behavior, and anything out of the ordinary must be reported.

Acceptable Use:

The information system facilities used by Due are provided for business purposes only and are authorized for use in accordance with the company’s Considerations of Use of IT Facilities and its Access Control Policy. Anyone in breach of the terms of acceptable use and these policies can be terminated, and serious offenders may be prosecuted for misuse of these systems. Users must ensure that a current anti-virus solution is in place on all Due devices. No software can be downloaded onto any Due computer or device that is used for cardholder data management.

Responsibilities:

All users who operate within cardholder data management, including permanent, temporary, and contract team members who use Due computer systems, must use the IT systems, information, and equipment in accordance with the organization’s security policies and procedures. Responsibilities include:

  • understanding and following all policies and procedures within their area of responsibility.
  • protecting Due equipment against unauthorized access or damage.
  • using Due equipment for business purposes only.
  • protecting Due and customer data against unauthorized access.
  • not disclosing passwords or sharing user accounts.
  • ensuring the systems and facilities are used within the conditions of use set out by Due.
  • clearing desks of any sensitive information.
  • logging off workstations when not in use.
  • not removing any equipment from Due premises.
  • not connecting any personal equipment to Due networks that contain cardholder data.
  • not installing or copying any software on Due’s equipment.
  • immediately reporting any suspicious behavior or incidents to those in charge of information security within the organization.
John Rampton

John Rampton is an entrepreneur and connector. When he was 23 years old, while attending the University of Utah, he was hurt in a construction accident. His leg was snapped in half. He was told by 13 doctors he would never walk again. Over the next 12 months, he had several surgeries, stem cell injections and learned how to walk again. During this time, he studied and mastered how to make money work for you, not against you. He has since taught thousands through books, courses and written over 5000 articles online about finance, entrepreneurship and productivity. He has been recognized as the Top Online Influencers in the World by Entrepreneur Magazine and Finance Expert by Time. He is the Founder and CEO of Due.
