Information Security Policy
Due’s PCI Compliance Policy
Due’s PCI compliance policy applies to anyone who has access to credit card information and to anyone who shares that data with the company. This includes every employee at Due, including full- and part-time staff as well as hourly team members, outsourced staff, and third-party vendors.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It was established by the Payment Card Industry Security Standards Council (PCI SSC), which consists of a number of payment brands like Visa Inc., MasterCard Worldwide, Discover Financial Services, JCB International, American Express and more, as a set of requirements that frames how payment account data is protected.
These requirements set out standards for network architecture, security management, software design, and policies and procedures for protecting data from any vulnerabilities and preventing credit card fraud. These standards are applicable to any organization that stores, processes, or transmits data from credit or debit cards.
Entities Affected by this Policy
Within Due, those impacted include all departments that collect, maintain, or have access to credit card or debit card data, including IT, marketing, sales, and accounting. Other members of the Due team who coordinate the integration with PayPal, as well as any third-party vendors that could store any type of financial data, are also subject to PCI compliance.
Definitions Related to PCI Compliance
There are numerous terms used within Due’s PCI Compliance policy that are critical to understand in order to determine what is involved with this type of regulated framework:
- Credit Card Data: Sensitive information found within credit card data includes the cardholder’s name, the expiration date, the full magnetic stripe, the primary account number, and the service code.
- Financial Data Manager: The Financial Data Manager (FDM) is in charge of managing the PCI policy and ensuring compliance throughout the organization.
- Merchant Account: This is an account that provides a way to accept credit card and debit card transactions in conjunction with a bank account.
PCI Compliance Levels
There are four levels of PCI compliance, tied to the volume of credit card and debit card transactions that an organization handles annually. Each company receives a rating that determines what it must go through in order to be validated. Level one is the most stringent, while Level four is the least stringent. Based on the number of annual credit card and debit card transactions, as well as the fact that Due has never experienced a breach, Due is classified as Level four. [change if different level].
The PCI policy is intended to provide information for everyone working at Due who has access to credit and debit cards, the data from those cards, and the system that processes that data. This policy has also been designed to provide the necessary framework to ensure that the PCI-DSS is followed in every decision and action taken by anyone in the organization. Any failure to comply with this policy is considered gross misconduct and may result in disciplinary action, up to and including removal from the company.
- General: System users shall not send any confidential data related to debit or credit cards through unencrypted end-user messaging technologies such as instant messaging or email without using an approved encryption solution. If no encryption solution is available, these methods cannot be used to send such data. Employees, third parties, and contractors are not allowed to attach or use any of this data through any network device, such as a personal tablet or laptop, PDA, iPod, memory stick, modem, wireless technology, or remote access technology. None of this confidential data can be stored on any type of hard drive or other mobile media unless the organization has confirmed that it can be encrypted and placed there. Everyone at Due, including third parties and contractors, is responsible for Due’s assets, especially confidential data, and must immediately report anything suspicious or any breach to the person in charge of information security.
- Credit Card Handling: Failure to protect credit and debit card data can lead to fines, litigation, loss of reputation, and the potential loss of the ability to take payments by debit and credit card, which would inhibit Due’s business. No one at Due can handle cardholder data, which includes the primary account number, issue and expiration date, cardholder’s name, and the card verification value on the back of the card, unless authorized to do so. When handling cardholder data, it should only be done in the way that has been set out for that particular role within the organization. This information should never be written down on paper or stored anywhere such as a spreadsheet or database, even if those are encrypted. There should be no printing of cardholder data except for a legitimate reason such as a chargeback letter, exceptions report, or fraud document. Additionally, no cardholder data should be kept on a desk, screen, email, fax machine, printer, or in a temporary file such as the trash folder on a computer. After the transaction has been authorized or the case handled, any of this information should be destroyed and not retained in any form. Credit and debit card data are considered confidential and should be maintained in that manner. An exception may be something unusual such as a telephone recording in which a customer has provided their cardholder details; in that case the recorded call should be edited to have this information removed. Any issue should be reported immediately to the person in charge of information security at Due.
- PCI-DSS Cardholder Data Management: Due has four levels of data classification. Public data is information that has been released to the public, including any content on the website or otherwise offered to the public. It does not require any specific protection. Internal use is information that can be shared within the company and with third-party members and contractors. It does not have restrictions on its content. Restricted use is information available only to those given access through a valid login, to ensure no unauthorized access. Confidential data is any sensitive information such as cardholder data, intellectual property, unpublished company content, or any other type of information that could be used against the company should it be accessed by the competition or by someone else who may want to damage the organization. All this information must be marked confidential and have restricted controls assigned, providing access only to those who have been issued such capabilities. This information cannot be shared or transferred to anyone who has not been given access to that confidential data. Payment card data cannot be stored within Due, including information kept for correspondence, which must be destroyed once the retention period requirements have been met.
- Physical Security: All devices must be checked periodically to ensure that there has been no tampering or substitution where a fraudulent device has been added to the system. Personnel will be trained to identify suspicious behavior and report any device tampering or substitution. All personnel must be checked for any suspicious behavior and anything out of the ordinary must be reported.
- Acceptable Use: The information system facilities used by Due are provided for business purposes only and are authorized for use in accordance with the company’s Considerations of Use of IT Facilities and its Access Control Policy. Anyone in breach of the terms of acceptable use and these policies can be terminated, and serious offenders may be prosecuted for misuse of these systems. Users must ensure that current anti-virus solutions are in place on all Due devices. No software can be downloaded on any Due computer or device that is used for cardholder data management.
- Responsibilities: All users who operate within cardholder data management, including permanent, temporary, and contract team members who use Due computer systems, must use the IT systems, information, and equipment in accordance with the organization’s security policies and procedures. Responsibilities include understanding and following all policies and procedures within their area of responsibility, protecting Due equipment against unauthorized access or damage, using Due equipment for business purposes only, protecting Due and customer data against unauthorized access, not disclosing passwords or sharing user accounts, ensuring the systems and facilities are used within the conditions of use set out by Due, clearing desks of any sensitive information, logging off workstations when not in use, not removing any equipment from Due premises, not connecting any personal equipment to Due networks that contain cardholder data, not installing or copying any software on Due’s equipment, and immediately reporting any suspicious behavior or incidents to those in charge of information security within the organization.